
January 31st, 2008

Oracle on the psychology of patching

Posted by Larry Dignan @ 6:48 pm

Categories: Oracle, Patch Watch, Vulnerability research

Tags: Psychology, Oracle Corp., Problem, ROI, Eric Maurice, Roi/Tco, Marketing Research, Security, Finance, Managerial Accounting

Oracle has a belated reply to a survey from a few weeks back reporting that database administrators have never installed one of the company's Critical Patch Updates (CPUs).

In a blog post, Oracle's Eric Maurice faults the survey for relying on a small sample size (not that it stopped us from reporting it). But Maurice then takes an interesting detour into the psychology of patching. In short, patching stinks, but the pain of applying a patch may be far smaller than the risk of not applying it.

The problem is that patching has unintended consequences. The biggest fallout can be a set of broken applications. That known, immediate risk is weighed against the remote risk of being exploited by an attacker through a vulnerability the patch closes. Maurice writes:

It is generally in human nature to find known and immediate difficulties more daunting than those that are uncertain and more remote, though the uncertain ones might have much more critical and threatening impact. Can the decision not to patch be likened to the decision by careless drivers to run yellow or red lights to avoid being delayed for three or four minutes, while consciously ignoring the potential price of such action (possible death or injury) if collisions were to occur?

That’s an interesting point. Maurice’s fix is even more interesting:

The only solutions for removing the psychological objections to patching are mandating the application of security patches as a part of the normal maintenance of production systems or providing objective measures to determine whether patching is required on certain systems at a certain point in time.

In a nutshell, the choices outlined by Maurice are force-feeding (patching as a mandatory part of routine maintenance) versus objective metrics that tell you when a given system actually needs a patch. Obviously most of us would opt for the metrics, but as Maurice notes, there are no actuarial tables for patch procedures: nobody can put a number on the probability that a skipped CPU gets exploited versus the probability that an applied one breaks an application.
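Whatever the metric ends up being, it has to start from a fact the survey suggests many shops do not track: whether a given database has ever had a CPU applied at all, and how long ago. The following is an added example, not code from the original post or from Oracle; it queries DBA_REGISTRY_HISTORY, the data-dictionary view in which Oracle records the post-install SQL step of a CPU or bundle patch, to list the recorded patch actions and compute the days since the last one. It assumes a connection with SELECT privilege on the DBA_ views (for instance the DBA role) and that the patch's catcpu/catbundle step was actually run, which is what writes the row.

```sql
-- Added example (not from the original post or from Oracle).
-- Assumes SELECT privilege on DBA_ views, e.g. the DBA role.

-- 1. Every patch action recorded in the dictionary, newest first.
--    COMMENTS typically carries the CPU/PSU label, e.g. 'CPUJan2008'.
SELECT action_time,
       action,
       namespace,
       version,
       id,
       comments
FROM   dba_registry_history
ORDER  BY action_time DESC;

-- 2. The single "objective measure" the post asks for, in its crudest
--    form: days since the last recorded server-side patch action.
--    NULL means no CPU post-install step has ever been recorded here,
--    which is the situation the survey describes.
SELECT TRUNC(SYSDATE - CAST(MAX(action_time) AS DATE)) AS days_since_last_patch,
       MAX(comments) KEEP (DENSE_RANK LAST ORDER BY action_time) AS last_patch_label
FROM   dba_registry_history
WHERE  namespace = 'SERVER';
```

Two caveats a DBA would add: DBA_REGISTRY_HISTORY only reflects patches whose SQL post-install step was run against this database, so a CPU applied to the ORACLE_HOME binaries but never "catcpu'd" will not appear; cross-check with `opatch lsinventory` on the host for the binary side. And a large number for days_since_last_patch is not itself proof of exposure, only proof that the remote risk Maurice describes has been accumulating unmeasured.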

Nevertheless, I'm sure the industry could agree on some standard way to measure the ROI of patching. More likely, though, patching will increasingly be mandated as part of routine maintenance. What do you think? Should patching be mandatory?

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.

Talkback (8)
When you buy Oracle, you need to budget for your DBA(s)
Oracle's recent (last 2 years) SME campaign falls down on one major point. You need at least one professional DBA to manage your databases. CPUs are just one reason.

When a new CPU is released y... (Read the rest)
Posted by: Steve__ | 02/03/08
  • Patching is absolutely mandatory  dbkeenan | 02/01/08
  • The Sample Size Was Fine  twhitman@... | 02/01/08
  • RE: Oracle on the psychology of patching  davidl@... | 02/01/08
  • DB Patches is a sore subject for IT  dsides@... | 02/01/08
  • Oracle patches are hell  mxyzplk | 02/01/08
  • RE: Oracle on the psychology of patching  UJ63366 | 02/02/08
  • Is Oracle going to guarantee patch reliability?  3dguru | 02/02/08
  • When you buy Oracle, you need to budget for your DBA(s)  Steve__ | 02/03/08
