ECONOMICS OF SECURITY PATCH MANAGEMENT
Huseyin Cavusoglu†* Hasan Cavusoglu‡ Jun Zhang†
†A.B. Freeman School of Business, Tulane University
7 McAlister Drive, New Orleans, LA 70118, USA
‡Sauder School of Business, The University of British Columbia
2053 Main Mall, Vancouver, BC V6T1Z2, CANADA
huseyin@tulane.edu, cavusoglu@sauder.ubc.ca, jzhang4@tulane.edu
Abstract
Patch management is a crucial component of IT security programs. An important problem within this
context is to determine how often to update the systems with necessary patches. Keeping the systems
patched with more frequent patch updates increases operational costs while reducing security risks. On
the other hand, leaving the systems unpatched with less frequent patch updates decreases operational
costs while increasing security risks. In this paper we develop a game-theoretic model to derive the
optimal frequency of patch updates to balance the operational costs and damage costs associated with
security vulnerabilities. We first analyze a centralized system in a benchmark case to find the socially
optimal patch management policy and associated patch release cycle of the vendor and patch update
cycle of the firm. Then we consider a noncentralized system in which the vendor determines its patch
release policy and the firm selects its patch update policy in a Stackelberg framework. Given the results
in centralized and noncentralized patch management, we next address how we can coordinate the patch
release policy of the vendor and the patch update policy of the firm using cost sharing and/or liability to
achieve the socially optimal patch management in a noncentralized setting.
Keywords: Patch management, patch update cycle, patch release cycle, nested policies, coordination,
cost sharing, liability
1. Introduction
Today most security incidents are caused by flaws in software, called vulnerabilities. It is estimated that
there are as many as 20 flaws per thousand lines of software code (Dacey, 2003). Computer Emerge