Assessing Risks of Policies to Patch Software Vulnerabilities

摘要

The number of security vulnerabilities, breaches and digital disaster increases over time. One important source of weaknesses in computer networks is the ubiquitous flaws ('bugs') in the software, which are exploitable by malicious agents. Consequently, "patching" the software to correct known bugs is becoming more important, especially for network-based systems. However, decision makers often view this issue differently, due to the presumption that security measures are time consuming and an interruption to the primary business activities. In addition, it is considered too costly to invest in the prevention of something that might not happen. Patching often requires extensive testing and that computer networks be taken down. This work is a preliminary effort to develop a system dynamics model for showing the tradeoffs and the risks of different patching policies.