Please use this identifier to cite or link to this item: https://hdl.handle.net/2440/139084
Type: Thesis
Title: Understanding Socio-Technical Aspects of Software Security Patch Management
Author: Munasinghe, Nishadi Nesara
Issue Date: 2023
School/Discipline: Centre for Research on Engineering Software Technologies (CREST)
Abstract: Several security attacks that resulted in catastrophic outcomes, including system downtime, data breaches, financial losses, reputational damage and, in some cases, loss of life, can be traced back to a delay in applying a security patch. The most effective remediation of this problem is to apply security patches to the identified vulnerabilities on time through a process called software security patch management. Despite the criticality of timely software security patch management, it is one of the most challenging endeavours due to the inherent technical and socio-technical interdependencies involved in the process. While there have been significant research efforts on the technical aspects of security patch management, little is known about the socio-technical aspects of patch management that may cause delays in applying security patches. This is an important limitation, as the software security patch management process is inherently a socio-technical endeavour in which human, organisational and technological interactions are tightly coupled. This thesis aims to fill this gap by contributing to the body of knowledge an in-depth, evidence-based understanding of the socio-technical aspects of software security patch management. We first systematise the current state of research on socio-technical aspects of software security patch management to identify the challenges, solutions, best practices and open research challenges. Based on a longitudinal field study involving patch meeting observations, artefact analysis, semi-structured interviews and discussions with practitioners from 10 teams across three organisations in the healthcare domain, we then conduct in-depth empirical investigations to identify, understand and address the role and impact of socio-technical aspects on software security patch management delays in practice.
The empirical findings contribute to (1) providing an evidence-based understanding of the reasons for, and mitigation strategies against, delays in software security patch management; (2) presenting a grounded theory of the role of coordination in software security patch management, explaining how (in)effective coordination contributes to a majority of the delays in the process; and (3) providing an understanding of the role of automation in software security patch management, detailing insights into the as-is state of automation in practice, the limitations of current automation, how automation support can be enhanced to effectively meet practitioners' needs and the role of the human in an automated process, and proposing a set of recommendations to guide future tool development to address the identified limitations and needs and reduce patching delays. The evidence-based knowledge and insights reported in this thesis will provide a useful resource and guideline for practitioners and researchers to identify, understand and address the socio-technical concerns leading to delays in software security patch management.
Advisor: Babar, Muhammad Ali
Jayatilaka, Asangi
Zahedi, Mansooreh (University of Melbourne)
Dissertation Note: Thesis (Ph.D.) -- University of Adelaide, Centre for Research on Engineering Software Technologies (CREST), 2023
Keywords: security updates, patch management, vulnerability management, software updates, security patches
Provenance: This electronic version is made publicly available by the University of Adelaide in accordance with its open access policy for student theses. Copyright in this thesis remains with the author. This thesis may incorporate third party material which has been used by the author pursuant to Fair Dealing exceptions. If you are the owner of any included third party copyright material you wish to be removed from this electronic version, please complete the take down form located at: http://www.adelaide.edu.au/legals
Appears in Collections: Research Theses

Files in This Item:
File: Munasinghe2023_PhD.pdf
Size: 3.43 MB
Format: Adobe PDF