ABSTRACT
Data breach reports suggest that managing patches is hard: too many major incidents are caused by well-known software vulnerabilities with available fixes. Legal sanctions – from mandates to liability – apparently have limited effect. This paper discusses how an effective vulnerability response process can help software users allocate their remediation effort to minimise overall risk and disruption. We analyse laws and regulations on liability, product quality and patching mandates to see why they fail to promote good practice. Recent cases under privacy laws highlight features that make risk-based patching a better basis for system managers, executives and regulators to agree a common approach to effective vulnerability response.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1 Carphone Warehouse (n 102) [15].
2 Carphone Warehouse (n 102) [22(2)].
3 Cathay Pacific (n 103) [24(8)].
4 DSG Retail appeal (n 101) [114].
5 DSG Retail Limited v Information Commissioner.
6 DSG Retail Limited v Information Commissioner.
7 DSG Retail Limited v Information Commissioner.
8 DSG Retail Limited v Information Commissioner.
9 DSG Retail Limited v Information Commissioner.
Additional information
Notes on contributors
Andrew Cormack
Andrew Cormack was the chief regulatory adviser at JISC, and a long-time liaison of FIRST (Forum of Incident Response and Security Teams). As well as his prodigious security, data protection, and legal knowledge, his acknowledged mastery of the interplay between legal and engineering concerns made him one of the most respected experts in the global cyber security and policy communities. Andrew graduated in Mathematics from Cambridge University in 1984. As a life-long distance learner, he has also obtained degrees in law and humanities from the Open University and a Masters in Computer and Communications Law from Queen Mary, University of London (2015). He worked for Plessey Telecommunications, the Natural Environment Research Council’s Research Vessel Services, and Cardiff University, before being appointed head of Janet-CERT in 1999. He was a member of the Permanent Stakeholders’ Group of ENISA for ten years, and chair of the Funding Council of the Internet Watch Foundation from 2009 to 2013.
Éireann Leverett
Eireann Leverett is a technologist and entrepreneur, with a focus primarily on incident response and cyber crime. He initially studied psychology and philosophy at Antioch College. He graduated with a BEng from Edinburgh University in 2005 in AI and Software Engineering, and a Masters in Advanced Computer Science from Cambridge in 2011. He is particularly motivated by quantifying risks in digital domains. He has spent time in recent years doing data science around vulnerabilities, and sees a great leap forward in the predictive and legal understanding of vulnerability and exploit risk. He and Andrew shared many walks and more than a few jokes about life in Scotland, Wales, Cambridge, and technology policy.