Optimizing Network Patching Policy Decisions

  • Yolanta Beres
  • Jonathan Griffin
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 376)


Patch management of networks is essential to mitigate the risks from the exploitation of vulnerabilities through malware and other attacks, but by setting too rigorous a patching policy for network devices the IT security team can also create burdens for IT operations or disruptions to the business.  Different patch deployment timelines could be adopted with the aim of reducing this operational cost, but care must be taken not to substantially increase the risk of emergency disruption from potential exploits and attacks.  In this paper we explore how the IT security policy choices regarding patching timelines can be made in terms of economically-based decisions, in which the aim is to minimize the expected overall costs to the organization from patching-related activity.  We introduce a simple cost function that takes into account costs incurred from disruption caused by planned patching and from expected disruption caused by emergency patching.  To explore the outcomes under different patching policies we apply a systems modelling approach and Monte Carlo style simulations.  The results from the simulations show disruptions caused for a range of patch deployment timelines.  These results together with the cost function are then used to identify the optimal patching timelines under different threat environment conditions and taking into account the organization’s risk tolerance. 


Threat Environment Network Device Disruption Cost Network Equipment Patch Application 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Arbaugh, W.A., Fithem, W.L., McHugh, J.: Windows of Vulnerability: A Case Study Analysis. IEEE Computer (2000)Google Scholar
  2. 2.
    Beattie, S., Arnold, S., Cowan, C., Wagle, P., Wright, C., Shostack, A.: Timing the Application of Security Patches for Optimal Uptime. In: Proc of LISA 2002: 16th System Administration Conference (2002)Google Scholar
  3. 3.
    Beres, Y., Griffin, J., Heitman, M., Markle, D., Ventura, P.: Analysing the Performance of Security Solutions to Reduce Vulnerability Exposure Windows. In: Proc. of 2008 ACSAC (December 2008)Google Scholar
  4. 4.
    Cisco Security Advisories and Notices, The publication schedule for Cisco Internetwork Operating System (IOS) Security Advisories (March 2006)Google Scholar
  5. 5.
    Felix “FX” Lindner, “Cisco Vulnerabilities”, BlackHat Federal (2003)Google Scholar
  6. 6.
    Felix “FX” Lindner, “Development in Cisco IOS Forensics”, Defcon 11 (2003)Google Scholar
  7. 7.
    Technical interview, “Exploiting Cisco with FX” (2005),
  8. 8.
    Felix “FX” Lindner, Cisco IOS-Attack and Defense: State of the Art. In: 25th Chaos Communication Congress (December 2008) Google Scholar
  9. 9.
    Lynn, M.: The Holy Grail: Cisco IOS shellcode and exploitation techniques, Black Hat USA (July 2005)Google Scholar
  10. 10.
    Pym, D., Monahan, B.: A Structural and Stochastic Modelling Philosophy for Systems Integrity. HP Labs Technical Report (2006)Google Scholar
  11. 11.
    Radianti, J.: Assessing Risks of Policies to Patch Software Vulnerabilities. In: Proc. Of International System Dynamics Conference (July 2006)Google Scholar
  12. 12.
    Schneier, B.: Managed Security Monitoring: Closing the Window of Exposure, Counterpane Google Scholar
  13. 13.
    Symantec Global Internet Security Threat Report: Trends for July–December 2007, vol. XII (April 2008) Google Scholar
  14. 14.
    Zhang, G., Tan, Y., Dey, D.: Optimal Policies for Security Patch Management, under reviewGoogle Scholar
  15. 15.
    Secunia Advisories by Vendor,
  16. 16.
    InfoWorld News, Cisco warns of new hacking toolkit (March 2004)Google Scholar
  17. 17.
    NetworkWorld News, Can anyone stop the Cisco exploit? (November 2006) Google Scholar
  18. 18.
    Cavusoglu, H., Cavusoglu, H., Zhang, J.: Economics of Security Patch Management. In: Workshop on Economics of Information Security (WEIS) (June 2006)Google Scholar
  19. 19.
    Cavusoglu, H., Cavusoglu, H., Zhang, J.: Security Patch Management—Share the Burden or Share the Damage? Management Science 54(1) (April 2008)Google Scholar
  20. 20.
    Patterson, D.: A simple model of the cost of downtime. In: Proceedings of Large Installation System Administration Conference (LISA 2002), USENIX Assoc. (2002)Google Scholar
  21. 21.
    Couch, A.L., Wu, N., Susanto, H.: Toward a Cost Model for System Administration. In: Proceedings of Large Installation System Administration Conference (LISA 2005). USENIX Assoc. (2005)Google Scholar
  22. 22.
    Verizon 2009 Data Breach Investigations Report (2009) Google Scholar
  23. 23.
    ’FX’ Lindner, F.: Cisco IOS Router Exploitation. Blackhat (2009) Google Scholar
  24. 24.
    ’topo’ Muñiz, S.: Killing the myth of Cisco IOS rootkits (May 2008),
  25. 25.
    Collinson, M., Monahan, B., Pym, D.: A Discipline of Mathematical Systems Modelling. HP and College Publications (2012)Google Scholar
  26. 26.
    The Cloud Stewardship Economics Project, IISP,

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Yolanta Beres
    • 1
  • Jonathan Griffin
    • 1
  1. 1.HP LabsBristolUK

Personalised recommendations