In partnership with security analyst Rich Mogull (right), Microsoft is set to roll out a new research project to help businesses compute the total cost of the patch-management cycle, from testing and distributing a fix to user deployment of the patch.
According to this Dennis Fisher report on Threatpost, the initiative is called Project Quant and is aimed at providing a full metrics model that Microsoft will make freely available to end users.
The metrics project will be handled Mogull's Securosis, an analyst firm that will do surveys and interviews with end users and will be responsible for building out the model. Securosis recently worked on a security metrics project for Mozilla.
Mogull, a former Gartner analyst will team up with Microsoft's Jeff Jones on the new initiative.
Here's the skinny on Project Quant:
- Objective: The objective of Project Quant is to develop a cost model for patch management response that accurately reflects the financial and resource costs associated with the process of evaluating and deploying software updates (patch management).
- Additional Detail: As part of maintaining their technology infrastructure, all organizations of all sizes deploy software updates and patches. The goal of this project is to provide a framework for evaluating the costs of patch management, while providing information to help optimize the associated processes. The model should apply to organizations of different sizes, circumstances, and industries. Since patch management processes vary throughout the industry, Project Quant will develop a generalized model that reflects best practices and can be adapted to different circumstances. The model will encompass the process from monitoring for updates, to confirming complete rollout of the software updates, and should apply to both workstations and servers. The model should be unbiased and vendor-neutral.
- Deliverables: The end deliverable will include a written report and a spreadsheet-based model. Additional written material and presentations may be developed to support the project goals.
A big part of Project Quant is the drive for transparency, Mogull says. All material related to the creation of the model will be publicly released alongside any related data.