Soft Systems are Ubiquitous-Defenses are Rare: A Case for Contingent Outsourcing of Patch Management

Computer attacks on vulnerable software are ubiquitous. Today's attacks on client PCs can be used to create armies of zombie computers that are capable of wide reach attacks on high profile businesses and governments. The simple act of patching software vulnerabilities will certainly mitigate this problem, but patching has its own set of problems. Further, it is frequently the case that patches which are available to mitigate vulnerabilities are not being made on a timely basis and sometimes are not being made at all. One solution to the patch management dilemma is outsourcing. This paper notes that outsourcing is not a carte blanche decision that can be made based on dollars, but rather that a contingency decision matrix can provide guidance on outsourcing solutions for patch management and other security components as well. The matrix recognizes that IS staff expertise and employee security awareness are two important factors in the outsourcing decision.