A Grounded Theory of the Role of Coordination in Software Security Patch Management
arXiv - CS - Software Engineering Pub Date : 2021-06-07 , DOI: arxiv-2106.03458
Nesara Dissanayake, Mansooreh Zahedi, Asangi Jayatilaka, M. Ali Babar

Several disastrous security attacks can be attributed to delays in patching software vulnerabilities. While researchers and practitioners have paid significant attention to automating the vulnerability identification and patch development activities of software security patch management, relatively little effort has been dedicated to gaining an in-depth understanding of the socio-technical aspects, e.g., coordination of interdependent activities of the patching process and patching decisions, that may cause delays in applying security patches. We report on a Grounded Theory study of the role of coordination in security patch management. The reported theory consists of four inter-related dimensions, i.e., causes, breakdowns, constraints, and mechanisms. The theory explains the causes that define the need for coordination among interdependent software and hardware components and multiple stakeholders' decisions, the constraints that can negatively impact coordination, the breakdowns in coordination, and the potential corrective measures. This study provides potentially useful insights for researchers and practitioners who can carefully consider the needs of and devise suitable solutions for supporting the coordination of interdependencies involved in security patch management.

Updated: 2021-06-08