Understanding Socio-Technical Aspects of Software Security Patch Management
Date
2023
Authors
Munasinghe, Nishadi Nesara
Advisors
Babar, Muhammad Ali
Jayatilaka, Asangi
Zahedi, Mansooreh (University of Melbourne)
Type:
Thesis
Abstract
Several security attacks that resulted in catastrophic outcomes, including system downtime, data breaches, financial losses, reputational damage and, in some cases, loss of life, can be traced back to a delay in applying a security patch. The most effective remediation of this problem is to apply security patches to identified vulnerabilities on time, through a process called software security patch management. Despite the criticality of timely software security patch management, it is one of the most challenging endeavours because of the inherent technical and socio-technical interdependencies involved in the process. While there have been significant research efforts on the technical aspects of security patch management, little is known about the socio-technical aspects of patch management that may cause delays in applying security patches. This is an important limitation, as the software security patch management process is inherently a socio-technical endeavour in which human, organisational and technological interactions are tightly coupled.

This thesis aims to fill this gap by contributing to the body of knowledge an in-depth, evidence-based understanding of the socio-technical aspects of software security patch management. We first systematise the current state of research on the socio-technical aspects of software security patch management to identify the challenges, solutions, best practices and open research challenges. Based on a longitudinal field study involving patch meeting observations, artefact analysis, semi-structured interviews and discussions with practitioners from 10 teams across three organisations in the healthcare domain, we then conduct in-depth empirical investigations to identify, understand and address the role and impact of socio-technical aspects on software security patch management delays in practice. The empirical findings contribute to (1) providing an evidence-based understanding of the reasons for delays in software security patch management and the strategies used to mitigate them; (2) presenting a grounded theory of the role of coordination in software security patch management, explaining how (in)effective coordination contributes to a majority of the delays in the process; and (3) providing an understanding of the role of automation in software security patch management, detailing insights into the as-is state of automation in practice, the limitations of current automation, how automation support can be enhanced to effectively meet practitioners' needs and the role of the human in an automated process, and proposing a set of recommendations to guide future tool development to address the identified limitations and needs and reduce patching delays.

The evidence-based knowledge and insights reported in this thesis will provide a useful resource and guideline for practitioners and researchers to identify, understand and address the socio-technical concerns leading to delays in software security patch management.
School/Discipline
Centre for Research on Engineering Software Technologies (CREST)
Dissertation Note
Thesis (Ph.D.) -- University of Adelaide, Centre for Research on Engineering Software Technologies (CREST), 2023
Provenance
This electronic version is made publicly available by the University of Adelaide in accordance with its open access policy for student theses. Copyright in this thesis remains with the author. This thesis may incorporate third party material which has been used by the author pursuant to Fair Dealing exceptions. If you are the owner of any included third party copyright material you wish to be removed from this electronic version, please complete the take down form located at: http://www.adelaide.edu.au/legals