Patch Management

Updating software is one of the most effective ways of protecting computers from security vulnerabilities, yet many people and organisations choose not to install updates. In this project we endeavour to understand the attitudes of the people making update decisions and the barriers they face that affect their willingness and ability to keep their software up to date.

Updating software means changing it. Ideally those changes are for the better: improved security, better features, fixed bugs, and additional functionality. However, they can also lead to worse outcomes: slower software, new problems, changes to frequently used functionality, and new security vulnerabilities. According to our research, many of the issues around software updating are really issues around balancing risks and benefits when neither is fully known.

For example, the update that protected against the WannaCry ransomware attack was released nearly two months before the attack happened; those who installed it were protected and not affected by the attack. But a system administrator could not have known, when the update was released, that a devastating worldwide ransomware attack was coming. Incidents like WannaCry suggest that installing patches quickly is a good idea, which is true, but installing patches quickly also carries risks. For example, Microsoft released a Windows 10 update which, on some systems, deleted users' personal files. Microsoft acknowledged the issue and offered a workaround, but it was alarming and highly disruptive for the users affected, particularly those who installed the update as soon as it was available.