Patch Prioritisation - Defeating the curse of Sisyphus
FAIR Institute Sydney Chapter hybrid meeting August 2023
This is a hybrid meeting with the option of in-person participation at IBM Sydney, IBM Melbourne or online (WebEx). We are pleased to announce an in-person participation opportunity for Melbourne-based members, thanks to the sponsorship of IBM.
Date: Thursday, 17th August 2023
Time: 12noon – 1pm
Sydney: IBM Australia, Lvl 17, 259 George Street, Sydney 2000
Melbourne: IBM Australia, Lvl 18, 60 City Rd, Southbank VIC 3006
WebEx: <Login link will be emailed to registrants>
Please register for this free event:
This event will be recorded. Please register (in-person or WebEx) to receive the replay link.
The Sisyphus lifestyle
Cyber defenders could be forgiven for feeling sentenced to a lifetime of relentless patching, like the curse of Sisyphus. The ever-increasing avalanche of disclosed vulnerabilities and the ever-growing pool of available patches (Microsoft Patch Tuesday, Oracle's quarterly Critical Patch Update, and so on) is Sisyphus' beloved rock. Patching is akin to rolling the senseless rock up the hill of vulnerability management policy, with a short reprieve at the hilltop (beating the deadline for the monthly board report) before starting the cycle all over again. Patching appears to be an important but ultimately futile effort. Working smarter rather than harder would appear to be just what the doctor ordered. FIRST, the maintainer of the Common Vulnerability Scoring System (CVSS), established the Exploit Prediction Scoring System (EPSS) Special Interest Group[1] several years ago to tackle this challenge. Patch prioritisation was also the theme of the Sydney chapter meeting in May 2021, “To remediate, or not to remediate, that is the question”[2].
Empire Strikes Back
While Sisyphus was condemned to roll a huge boulder endlessly up a steep hill in Tartarus, cyber defenders have a choice in their careers. Those who stay to fight the good fight are striking back with a smart prioritisation strategy. Young Skywalker saved his skin, and the Rebellion, by switching off the targeting computer in his X-wing. Cyber defenders likewise do not believe in the autopilot of applying patches informed only by a CVSS rating. The Empire Strikes Back has started!
The prioritisation strategy recognises that patching is an arms race between cyber defenders and attackers. While well-resourced and persistent attackers are likely to defeat any reasonable defence, patch prioritisation directs limited patching resources against opportunistic attacks that start from published exploit code. Blunting these unsophisticated attacks is expected to provide a good return on the defenders' effort. But is this hypothesis really true? Is this the lightning bolt Sisyphus has been waiting for?
Could a patch prioritisation policy be used by defenders to rebut claims of negligence and incompetence in the aftermath of a cyber incident? Is it a reliable “Get out of Jail” card? How should the sufficiency of the prioritisation policy be explained to the board, regulators, customers and insurers? Could they be convinced to approve a deviation from the current unsustainable patch management policy driven solely by a CVSS rating threshold?
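As an added illustration of the "CVSS autopilot versus exploit-informed prioritisation" argument above (this is not part of the event page, the FAIR Institute's or FIRST's material), the following Python ranks a constructed vulnerability inventory two ways: by CVSS base score alone, and by exploit-availability signals (a known-exploited listing, the EPSS probability, and an assumed exposure factor) with CVSS as the tie-break. For a fixed patch budget it then measures how much of the inventory's total exploitation probability each ordering addresses, and how many of the chosen patches target something likely to be exploited. The vulnerability labels, scores, exposure values and the 0.1 "likely exploited" threshold are all made up for the example, and the coverage and efficiency functions are simplified analogues of the coverage/efficiency idea rather than the EPSS SIG's exact definitions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Vuln:
    vid: str         # constructed label for the example, not a real CVE identifier
    cvss: float      # CVSS base score, 0-10
    epss: float      # EPSS probability of exploitation in the next 30 days, 0-1
    kev: bool        # listed in a known-exploited catalogue (e.g. CISA KEV)
    exposure: float  # assumed fraction of affected hosts reachable by opportunistic attackers, 0-1


# Constructed sample inventory (not real data): note the high-CVSS items with
# negligible EPSS, and the mid-CVSS items that are actively exploited.
INVENTORY: List[Vuln] = [
    Vuln("vuln-01", 9.8, 0.02, False, 0.15),
    Vuln("vuln-02", 7.5, 0.85, True, 0.90),
    Vuln("vuln-03", 5.3, 0.40, False, 1.00),
    Vuln("vuln-04", 9.1, 0.01, False, 0.20),
    Vuln("vuln-05", 6.1, 0.70, True, 0.50),
    Vuln("vuln-06", 8.8, 0.05, False, 0.30),
    Vuln("vuln-07", 4.3, 0.01, False, 1.00),
    Vuln("vuln-08", 7.8, 0.30, False, 0.80),
]


def cvss_only(vulns: List[Vuln]) -> List[Vuln]:
    """The 'autopilot' policy: highest CVSS base score first."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def exploit_informed(vulns: List[Vuln]) -> List[Vuln]:
    """Known-exploited first, then EPSS weighted by exposure, CVSS as tie-break."""
    return sorted(vulns, key=lambda v: (v.kev, v.epss * v.exposure, v.cvss), reverse=True)


def coverage(ordered: List[Vuln], budget: int) -> float:
    """Share of the inventory's total EPSS mass removed by patching the first `budget` items."""
    total = sum(v.epss for v in ordered)
    return sum(v.epss for v in ordered[:budget]) / total


def efficiency(ordered: List[Vuln], budget: int, threshold: float = 0.1) -> float:
    """Fraction of the chosen patches that target something likely to be exploited (EPSS >= threshold)."""
    chosen = ordered[:budget]
    return sum(1 for v in chosen if v.epss >= threshold) / len(chosen)


def compare(vulns: List[Vuln], budget: int) -> dict:
    """Side-by-side result for both policies under the same patch budget."""
    result = {}
    for name, policy in (("cvss_only", cvss_only), ("exploit_informed", exploit_informed)):
        ordered = policy(vulns)
        result[name] = {
            "patched": [v.vid for v in ordered[:budget]],
            "coverage": round(coverage(ordered, budget), 3),
            "efficiency": round(efficiency(ordered, budget), 3),
        }
    return result


if __name__ == "__main__":
    # With a budget of three patches this cycle, the CVSS-only policy spends all of
    # them on vulnerabilities nobody is exploiting; the exploit-informed policy covers
    # most of the inventory's exploitation probability with the same effort.
    for name, outcome in compare(INVENTORY, budget=3).items():
        print(f"{name:17s} patched={outcome['patched']} "
              f"coverage={outcome['coverage']} efficiency={outcome['efficiency']}")
```

The point the script makes is the one the panel will debate: with the same three patches, one ordering removes a few percent of the inventory's exploitation probability while the other removes most of it. Whether that is a defensible position to put to a board or a regulator is a separate question from whether the arithmetic holds.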
Join our expert panel to learn and debate:
Panel Moderator
Denny Wan
Denny Wan is the chair of the FAIR-CAM Workgroup and founder of the Sydney Chapter of the FAIR Institute. He is a recognised global thought leader in applying the FAIR Cyber Risk Quantification framework to manage cyber risks as financial risks. His post “Targeting cyber security investment – the FAIR approach” lays the foundations for this cyber risk management paradigm. The FAIR-CAM model is a structured approach to operationalising that investment approach by selecting the most appropriate controls based on their cost-effectiveness. Denny’s expertise in FAIR-CAM enables diagnosis of the root causes of variance, which reduces the effectiveness of the target controls and creates decision gaps. These variances are sometimes mislabelled as procrastination, which is unfortunate and unfairly tarnishes the reputation of the control owners. FAIR-CAM helps to expose the root cause of variance and enables proactive, coordinated efforts to improve the cost-effectiveness of these controls and lift overall cyber resilience.
Panellists (in alphabetical order):
An exciting panel composition is being finalised. Please register early to secure your spot.