
THESEUS: Make patching happen

The THESEUS research project aims to empower organizations to patch (i.e. resolve) cybersecurity vulnerabilities much faster, more efficiently and with less risk. TILT researchers will deliver recommendations to legislators, both at the national and European level.

The challenge

We are in an age in which vulnerabilities in IT organizations are being exploited, whether for theft of customer data or for injecting malware and ransomware. The costs seem to be rising, yet organizations still do not appear to be patching their IT systems and keeping software up to date. The reality is that organizations face a painful dilemma: patch too soon and incur potential downtime and failures; patch too late and get compromised by attacks. As a result, organizations take a long time to patch even critical security vulnerabilities. The way out of this catch-22 is to radically change the risk governance of patching.

The project

The goal of the THESEUS project is to empower organizations to patch security vulnerabilities much faster, more efficiently and with less risk. The project brings advances from the lab to real-world settings by working with a consortium of both academic and societal partners that contribute people, data, and pilots to the project. The research will be carried out from 2021 to 2027.

The research is aimed at three different levels:

  • Systems: reducing the risk of patching via new techniques in automatic vulnerability and patch triaging, as well as automatic patch generation with live update for cases where critical patches pose unacceptable availability risks.
  • Enterprises: better quantifying the risk of patching by assessing and aggregating the results of the patch triaging, as a way to estimate exploit likelihood in a coherent picture that accounts for different attacker models and functional impact.
  • Governance: more effectively managing the risks of patching by introducing incentive mechanisms via notifications and information sharing, sector-wide benchmarks of patching speed, and potentially legal instruments.

The Governance track

TILT researchers are participating in the Governance track together with researchers from TU Delft and VU Amsterdam to deliver concrete recommendations to legislators, both at the national and European level. They work closely with researchers from technological and enterprise disciplines in reviewing governance of patching practices of companies, which will culminate in an overall portfolio of governance options.

The investigations focus on:

  • existing legal frameworks and governance mechanisms regulating cyber security,
  • handling potential liability to third parties from security incidents resulting from unpatched systems, and
  • the role of cyber insurance in patching and vulnerability response.

The aim is to decide at which level, and with what type(s) of regulatory intervention, the patching practices of companies can be improved so that such potential third-party damages are prevented, rather than regulating liability after the fact.

The consortium

The THESEUS Project brings together an interdisciplinary team of over 20 scientists from different disciplines, countries, and backgrounds. Real-world partner organizations include KLM-AirFrance, Philips, Rijkswaterstaat, City of Amsterdam, City of The Hague, KPN, CyberSprint, and the National Cyber Security Center. This offers the unique opportunity to work closely with security managers and IT management teams of these entities as well as with leading solutions providers who are developing policies and practices for organizations.

Newsletter: insights into legal changes in cybersecurity

TILT Researchers also produce a monthly THESEUS newsletter which provides insights into new and evolving legal changes in the field of cybersecurity. You can sign up here.

More information

THESEUS website

TILT Researchers