Regulation and Governance of Patching Security in Organizations

Project: Research project

Project Details


To patch or not to patch? While this has long been a question on the minds of enterprises, the reality is that striking a balance in patching timelines is often too tricky to get right. Patch too soon and risk potential failures or downtime of software; patch too late and be subject to cyber-attacks. Consequently, patching is too often left by the wayside and organizations fail to address critical security vulnerabilities. In a time when it takes a mere few breadcrumbs for cyber attackers to exploit gaps in cyber security practices, yet the cost of breaches continues to rise, a radical shift in our approach to the risk governance of patching is essential.

Lisa’s PhD research is part of the ‘THESEUS: Make Patching Happen’ project, which combines interdisciplinary perspectives with the aim of tackling exactly this problem. The THESEUS project is a collaboration between the VU, TU Delft and Tilburg University, and is partnered with multiple high-level stakeholders such as Philips, KPN and KLM-Air France. The THESEUS team consists of a diverse pool of knowledge tackling three interdependent levels of patching practices:

Systems: Reduce risks of patching by introducing new techniques to automatically detect vulnerabilities, as well as creating automatic patching mechanisms to tackle critical availability risks.
Enterprise: Quantify the risks of patching through an assessment of aggregated results of patch triaging to form a coherent picture that considers different attacker models and real-world impact.
Governance: Effectively manage risks of patching by introducing incentive mechanisms, sector-wide benchmarks, and potentially legal instruments. Lisa will be conducting research on this strand of THESEUS while collaborating with researchers from all three tracks.

As part of her research into governance, Lisa will investigate existing legal frameworks and regulatory governance mechanisms on cyber security and data breach liability. Additionally, she will analyse the role of cyber insurance in current patching risk assessments and vulnerability response practices. These factors will then be considered alongside academic perspectives in order to determine what types of regulatory intervention are desirable and at what level of governance, to ultimately facilitate essential improvements to patching practices and prevent third-party damages. These findings will then be utilized to deliver recommendations to stakeholders and legislators to improve and incentivize patching, rather than regulating liability once damages occur, both at a national and EU level.
Effective start/end date: 1/09/22 to 31/08/26


  • cybersecurity
  • law
  • Data protection
  • governance
