Oracle has a belated reply to a survey from a few weeks back reporting that database administrators have never installed any of the company's Critical Patch Updates.
In a blog post, Oracle's Eric Maurice faults the survey for relying on a small sample size (not that it stopped us from reporting it). But Maurice then takes an interesting detour into the psychology of patching. In short, patching stinks, but it may not be nearly as bad as you think.
The problem is that patching has unintended consequences, the worst of which is usually a set of broken applications. That known, immediate risk gets weighed against the less certain risk of being exploited by attackers. Maurice writes:
It is generally in human nature to find known and immediate difficulties more daunting than those that are uncertain and more remote, though the uncertain ones might have much more critical and threatening impact. Can the decision not to patch be likened to the decision by careless drivers to run yellow or red lights to avoid being delayed for three or four minutes, while consciously ignoring the potential price of such action (possible death or injury) if collisions were to occur?
That's an interesting point. Maurice's fix is even more interesting:
The only solutions for removing the psychological objections to patching are mandating the application of security patches as a part of the normal maintenance of production systems or providing objective measures to determine whether patching is required on certain systems at a certain point in time.
In a nutshell, the choices Maurice outlines are force-feeding versus ROI metrics for patching. Most of us would obviously opt for the metrics, but as Maurice notes, there are no actuarial tables for patch procedures.
Nevertheless, I'm sure the industry could agree on some standard way to measure the ROI of patching. More likely, though, patching will increasingly be mandated as part of routine maintenance. What do you think? Should patching be mandatory?