Security Patch Management - An Overview of the Patching Process and its Challenges in Norwegian Businesses

Cyber-attacks are growing more frequent and sophisticated, and they are impacting businesses of all sizes. This encourages businesses to utilize safe, flaw-free systems, making them less susceptible to cyber-attacks. The issue is that no system is flawless, and a substantial number of security flaws are discovered regularly. To ensure the system's security, patches are distributed and implemented. Patches can be complicated and implementing them in systems can be difficult. This thesis seeks to identify the challenges that make the patching process challenging and to propose potential solutions. This thesis was conducted utilizing a qualitative research strategy and methods such as a systematic literature review, to identify existing patching challenges identified by previous research. We conducted interviews with business professionals who were familiar with the patching procedure and had understanding of cybersecurity. The majority of our interviewees were managers with additional expertise leading patching teams. Prior study indicated various challenges in the field of patching and urged further investigation into the issue of patching. Our findings correlated with the current challenges identified by prior research, and we uncovered important new challenges, such as the fact that patches for major vulnerabilities have a tendency to be released just before a holiday, and that legacy systems are notoriously difficult to patch and are sometimes not patched at all. The significance of planning, organization, and communication in the patching process posed additional challenges. The contribution of this thesis to the patching topic is that we have identified "Planned patch delay" as a patch policy that contributes to a high security posture, provides time for patch planning, and mitigates a number of the challenges that might arise during the patching process. Keywords: Patch, Security patching, Patch challenges, Patch legacy, Patch meetings, Patch policy, Patch prioritization, Patch proces

Security Patch Management - An Overview of the Patching Process and its Challenges in Norwegian Businesses

Cyber-attacks are growing more frequent and sophisticated, and they are impacting businesses of all sizes. This encourages businesses to utilize safe, flaw-free systems, making them less susceptible to cyber-attacks. The issue is that no system is flawless, and a substantial number of security flaws are discovered regularly. To ensure the system's security, patches are distributed and implemented. Patches can be complicated and implementing them in systems can be difficult. This thesis seeks to identify the challenges that make the patching process challenging and to propose potential solutions. This thesis was conducted utilizing a qualitative research strategy and methods such as a systematic literature review, to identify existing patching challenges identified by previous research. We conducted interviews with business professionals who were familiar with the patching procedure and had understanding of cybersecurity. The majority of our interviewees were managers with additional expertise leading patching teams. Prior study indicated various challenges in the field of patching and urged further investigation into the issue of patching. Our findings correlated with the current challenges identified by prior research, and we uncovered important new challenges, such as the fact that patches for major vulnerabilities have a tendency to be released just before a holiday, and that legacy systems are notoriously difficult to patch and are sometimes not patched at all. The significance of planning, organization, and communication in the patching process posed additional challenges. The contribution of this thesis to the patching topic is that we have identified "Planned patch delay" as a patch policy that contributes to a high security posture, provides time for patch planning, and mitigates a number of the challenges that might arise during the patching process. Keywords: Patch, Security patching, Patch challenges, Patch legacy, Patch meetings, Patch policy, Patch prioritization, Patch proces

A Comprehensive Framework for Patching and Vulnerability Management in Enterprises

As patching and vulnerability management have become a larger part of an organization's routine, its need for proper integration and complexity toward systems has increased. Threat actors continuously seek to develop and perform attacks exploiting vulnerabilities within systems, meaning organizations face the challenge of timely implementing patches to protect their assets. The master's thesis aims at gathering extensive information regarding patching and vulnerability management by integrating a semi-systematic literature review (SSLR), a semi-structured qualitative interview process, and our sense-making. These research methods collect insights from the existing theory and professionals' opinions. The SSLR allowed for gathering relevant studies and sense-making, which were subsequently utilized in developing a conceptual model depicting the vital processes and procedures of patching and vulnerability management based on the theory. As such, the conceptual model was showcased within the semi-structured qualitative interviews, which allowed for unbounded discussions regarding the practices, implementations, and expert input toward the conceptual framework and its improvement areas. The interviews and selection of interviewees allowed for several viewpoints and a wide perspective. Subsequently, after synthesizing the findings from the interviews and additionally gathered theory, the comprehensive framework, which aims to refine and extend the conceptual framework, was developed. The comprehensive framework aims at depicting the enterprises' collective patching and vulnerability management process, along with the intersection of the existing theory. Correspondingly, the framework could be utilized by enterprises to either improve their processes or for enterprises to implement absent processes. The findings highlight a major diversity in the implementation and execution of patching and vulnerability management. Larger companies tend to have more mature processes and employ more automation within their collection of vulnerability information and deployment of patches. Conversely, smaller companies lack the resources allocated to perform needed tasks, which results in a less organized and effective process. The research findings subsidize the existing research gap related to a lack of frameworks depicting the interrelation between patching and vulnerability management and how enterprises currently perform these processes. Additionally, it provides a substantially valuable resource for practitioners, researchers, and enterprises wishing to improve their processes based on an exploratory study assessing the existing literature, experts' opinions, and the design of the conceptual and comprehensive framework. As the comprehensive framework aims to provide a generalized approach and implementation, it can be employed by different-sized businesses while tailored to their needs

A Comprehensive Framework for Patching and Vulnerability Management in Enterprises

As patching and vulnerability management have become a larger part of an organization's routine, its need for proper integration and complexity toward systems has increased. Threat actors continuously seek to develop and perform attacks exploiting vulnerabilities within systems, meaning organizations face the challenge of timely implementing patches to protect their assets. The master's thesis aims at gathering extensive information regarding patching and vulnerability management by integrating a semi-systematic literature review (SSLR), a semi-structured qualitative interview process, and our sense-making. These research methods collect insights from the existing theory and professionals' opinions. The SSLR allowed for gathering relevant studies and sense-making, which were subsequently utilized in developing a conceptual model depicting the vital processes and procedures of patching and vulnerability management based on the theory. As such, the conceptual model was showcased within the semi-structured qualitative interviews, which allowed for unbounded discussions regarding the practices, implementations, and expert input toward the conceptual framework and its improvement areas. The interviews and selection of interviewees allowed for several viewpoints and a wide perspective. Subsequently, after synthesizing the findings from the interviews and additionally gathered theory, the comprehensive framework, which aims to refine and extend the conceptual framework, was developed. The comprehensive framework aims at depicting the enterprises' collective patching and vulnerability management process, along with the intersection of the existing theory. Correspondingly, the framework could be utilized by enterprises to either improve their processes or for enterprises to implement absent processes. The findings highlight a major diversity in the implementation and execution of patching and vulnerability management. Larger companies tend to have more mature processes and employ more automation within their collection of vulnerability information and deployment of patches. Conversely, smaller companies lack the resources allocated to perform needed tasks, which results in a less organized and effective process. The research findings subsidize the existing research gap related to a lack of frameworks depicting the interrelation between patching and vulnerability management and how enterprises currently perform these processes. Additionally, it provides a substantially valuable resource for practitioners, researchers, and enterprises wishing to improve their processes based on an exploratory study assessing the existing literature, experts' opinions, and the design of the conceptual and comprehensive framework. As the comprehensive framework aims to provide a generalized approach and implementation, it can be employed by different-sized businesses while tailored to their needs