A Comprehensive Framework for Patching and Vulnerability Management in Enterprises
Abstract
As patching and vulnerability management have become a larger part of an organization's routine, its need for proper integration and complexity toward systems has increased. Threat actors continuously seek to develop and perform attacks exploiting vulnerabilities within systems, meaning organizations face the challenge of timely implementing patches to protect their assets. The master's thesis aims at gathering extensive information regarding patching and vulnerability management by integrating a semi-systematic literature review (SSLR), a semi-structured qualitative interview process, and our sense-making. These research methods collect insights from the existing theory and professionals' opinions. The SSLR allowed for gathering relevant studies and sense-making, which were subsequently utilized in developing a conceptual model depicting the vital processes and procedures of patching and vulnerability management based on the theory. As such, the conceptual model was showcased within the semi-structured qualitative interviews, which allowed for unbounded discussions regarding the practices, implementations, and expert input toward the conceptual framework and its improvement areas. The interviews and selection of interviewees allowed for several viewpoints and a wide perspective. Subsequently, after synthesizing the findings from the interviews and additionally gathered theory, the comprehensive framework, which aims to refine and extend the conceptual framework, was developed. The comprehensive framework aims at depicting the enterprises' collective patching and vulnerability management process, along with the intersection of the existing theory. Correspondingly, the framework could be utilized by enterprises to either improve their processes or for enterprises to implement absent processes. The findings highlight a major diversity in the implementation and execution of patching and vulnerability management. Larger companies tend to have more mature processes and employ more automation within their collection of vulnerability information and deployment of patches. Conversely, smaller companies lack the resources allocated to perform needed tasks, which results in a less organized and effective process. The research findings subsidize the existing research gap related to a lack of frameworks depicting the interrelation between patching and vulnerability management and how enterprises currently perform these processes. Additionally, it provides a substantially valuable resource for practitioners, researchers, and enterprises wishing to improve their processes based on an exploratory study assessing the existing literature, experts' opinions, and the design of the conceptual and comprehensive framework. As the comprehensive framework aims to provide a generalized approach and implementation, it can be employed by different-sized businesses while tailored to their needs.