Optimal Policies for Security Patch Management

References

• Anderson RJ (2001) Why information security is hard—An economic perspective. Proc. 17th Comput. Security Appl. Conf. (IEEE Computer Society, Washington, DC), 358–365.Crossref, Google Scholar
• Andress M (2003) Windows patch management tools. NetworkWorld (March 3). Accessed August 17, 2013, http://www.networkworld.com/reviews/2003/0303patchrev.html.Google Scholar
• Arora A, Caulkins JP, Telang R (2006) Sell first, fix later: Impact of patching on software quality. Management Sci. 52(3):465–471.Link, Google Scholar
• Arora A, Telang R, Xu H (2008) Optimal policy for software vulnerability disclosure. Management Sci. 54(4):642–656.Link, Google Scholar
• Arora A, Krishnan R, Telang R, Yang Y (2010) An empirical analysis of software vendors’ patch release behavior: Impact of vulnerability disclosure. Inform. Systems Res. 21(1):115–132.Link, Google Scholar
• August T, Tunca TI (2011) Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Sci. 57(5):934–959.Link, Google Scholar
• August T, Niculescu MF, Shin H (2014) Cloud implications on software network structure and security risks. Inform. Systems Res. 25(3):489–510.Link, Google Scholar
• Beattie S, Arnold S, Cowan C, Wagle P, Wright C (2002) Timing the application of security patches for optimal uptime. Proc. LISA’02: 16th System Admin. Conf., Philadelphia, 233–242.Google Scholar
• Beres Y, Griffin J (2012) Optimizing network patching policy decisions. Gritzalis D, Furnell S, Theoharidou M, eds. Information Security and Privacy Research (Springer, New York), 424–442.Crossref, Google Scholar
• Brandon J (2005) Intuitive and flexible patch management. Processor 27(24):17.Google Scholar
• Braverman M (2005) Win32/Blaster: A case study from Microsoft’s perspective. Virus Bulletin Conf. Accessed Spetember 28, 2008, http://www.virusbtn.com/conference/vb2005/abstracts/Matthew_BravermanCorpFri1440.xml .Google Scholar
• Cavusoglu H, Cavusoglu H, Zhang J (2008) Security patch management: Share the burden or share the damage? Management Sci. 54(4):657–670.Link, Google Scholar
• Chan J (2004) Essentials of patch management policy and practice. Accessed March 6, 2010, http://www.patchmanagement.org/pmessentials.asp.Google Scholar
• Dalal SR, Mallows CL (1988) When should one stop testing software? J. Amer. Statist. Assoc. 83(403):872–879.Crossref, Google Scholar
• Dey D, Zhang Z, De P (2006) Optimal synchronization policies for data warehouses. INFORMS J. Comput. 18(2):229–242.Link, Google Scholar
• Gross D, Harris CM (1998) Fundamentals of Queueing Theory (John Wiley & Sons, New York).Google Scholar
• Ioannidis C, Pym DJ, Williams J (2012) Information security trade-offs and optimal patching policies. Eur. J. Oper. Res. 216(2): 434–444.Crossref, Google Scholar
• Karmarkar US (1987) Lot sizes, lead times and in-process inventories. Management Sci. 33(3):409–418.Link, Google Scholar
• Kim BC, Chen P-Y, Mukhopadhyay T (2010) An economic analysis of the software market with a risk-sharing mechanism. Internat. J. Electronic Commerce 14(2):7–39.Crossref, Google Scholar
• Mastroleon L, Miura-Ko RA, Bambos N (2006) Patching rate management for controlled service-disruption in data centers. Global Telecommunications Conf., (GLOBECOM’06) (IEEE, Piscataway, NJ), 1–5.Crossref, Google Scholar
• Mell P, Scarfone K, Romanosky S (2007) A complete guide to the common vulnerability scoring system: Version 2.0. Accessed August 17, 2013, http://www.first.org/cvss/cvss-guide.pdf.Google Scholar
• Microsoft (2012) Security bulletin severity rating system. Security TechCenter Bulletin. Accessed June 7, 2013, http://technet.microsoft.com/en-us/security/gg309177.aspx.Google Scholar
• Oracle (2010) Recommendations for leveraging the critical patch update and maintaining a proper security posture. White Paper. Accessed June 7, 2013, http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf.Google Scholar
• Page L (2009) MoD networks still malware-plagued after two weeks. The Register. Accessed June 6, 2013, http://www.theregister.co.uk/2009/01/20/mod_malware_still_going_strong.Google Scholar
• PCI (2010) Payment Card Industry (PCI) Data Security Standard. Summary of changes from PCI DSS version 1.2.1 to 2.0. Accessed June 6, 2013, https://www.pcisecuritystandards.org/documents/pci_dss_v2_summary_of_changes.pdf.Google Scholar
• Rescorla E (2005) Is finding security holes a good idea? IEEE Security Privacy 3(1):14–19.Crossref, Google Scholar
• Souppaya M, Scarfone K (2013) Guide to enterprise patch management technologies. NIST Special Publication 800-40 Revision 3 (National Institute of Standards and Technology, Gaithersburg, MD).Crossref, Google Scholar
• Willsher K (2009) French fighter planes grounded by computer virus. Telegraph (February 7). Accessed July 11, 2013, http://www.telegraph.co.uk/news/worldnews/europe/france/4547649/French-fighter-planes-grounded-by-computer-virus.html.Google Scholar