Information security trade-offs and optimal patching policies

Christos Ioannidis, David Pym, Julian Williams

Research output: Contribution to journalArticlepeer-review


We develop and simulate a basic mathematical model of the costly deployment of software patches in the presence of trade-offs between confidentiality and availability. The model incorporates representations of the key aspects of the system architecture, the managers’ preferences, and the stochastic nature of the threat environment. Using the model, we compute the optimal frequencies for regular and irregular patching, for both networks and clients, for two example types of organization, military and financial. Such examples are characterized by their constellations of parameters. Military organizations, being relatively less cost-sensitive, tend to apply network patches upon their arrival. The relatively high cost of applying irregular client patches leads both types of organization to avoid deployment upon arrival.
Original languageEnglish
Pages (from-to)434-444
Number of pages11
JournalEuropean Journal of Operational Research
Issue number2
Early online date20 Jun 2011
Publication statusPublished - 16 Jan 2012

Bibliographical note

© 2012, Elsevier. Licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International


  • information security
  • optimal policy
  • risk reduction
  • stochastic processes


Dive into the research topics of 'Information security trade-offs and optimal patching policies'. Together they form a unique fingerprint.

Cite this