Oracle on the psychology of patching

Summary: Oracle has a belated reply to a survey a few weeks back on how database administrators have never installed one of the company's critical patch updates. In a blog post Oracle's Eric Maurice faults the survey for relying on a small sample size--not that it stopped us from reporting it.

Oracle has a belated reply to a survey a few weeks back on how database administrators have never installed one of the company's critical patch updates.

In a blog post Oracle's Eric Maurice faults the survey for relying on a small sample size--not that it stopped us from reporting it. But Maurice then takes an interesting detour to the psychology of patching. In short, patching stinks, but it may not be nearly as bad as you think.

The problem is that there are unintended consequences to patching. The biggest fallout can be a bunch of broken applications. That risk is weighed against being vulnerable to attackers. Maurice writes:

It is generally in human nature to find known and immediate difficulties more daunting than those that are uncertain and more remote, though the uncertain ones might have much more critical and threatening impact. Can the decision not to patch be likened to the decision by careless drivers to run yellow or red lights to avoid being delayed for three or four minutes, while consciously ignoring the potential price of such action (possible death or injury) if collisions were to occur?

That's an interesting point. Maurice's fix is even more interesting:

The only solutions for removing the psychological objections to patching are mandating the application of security patches as a part of the normal maintenance of production systems or providing objective measures to determine whether patching is required on certain systems at a certain point in time.

In a nutshell, the choices outlined by Maurice are force-feeding vs. ROI metrics for patching. Obviously most of us would opt for the metrics, but as Maurice notes there aren't any actuarial tables for patch procedures.

Nevertheless, I'm sure the industry could agree on some standard way to measure the ROI involved with patching. More likely, though, is that patching will increasingly be mandated along with maintenance. What do you think? Should patching be mandatory?

Topics: Security, Banking, Oracle

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...
