[Humor] SPPD - the Security Patch Procrastination Disorder [Humor]

[Disclaimer: this is a work of fiction meant to be humorous and not a true medical, IT, or InfoSec condition]

SPPD - Security Patch Procrastination Disorder
--- Symptoms and treatment options ---

Note: only an experienced Information Security Professional can make an actual SPPD diagnosis.

The Security Patch Procrastination Disorder is characterized by a general complacency towards the deployment of security patches. In its most extreme form, it is often accompanied by delusions that patching is simply not required for secure IT operations. When this behavior continues during widespread reports of critical patches, it is referred to as Acute Security Patch Procrastination Disorder or ASPPD for short.

SPPD often starts as a benign case of FSOS, or False Sense Of Security, often resulting from unprotected and unmitigated contact with vendor-based security marketers. If left untreated, FSOF eventually erupts into full-blown SPPD (see list of symptoms below). If diagnosed early by an Information Security Professional, SPPD can be treated with simple, but regularly scheduled applications of COTS patches, also known as Commercial-Off-The-Shelf patches.

SPPD diagnosis requires the presence of at least two of the following symptoms, observed for at least one month:
  • Disorganized patching behavior (infrequent patching habits and other incoherent statements like "we apply critical security patches when we see a need")
  • Delusions about the state of software or hardware security (i.e. "what's the worst a software bug can do?")
  • Hallucinations about vendor fairies protecting the data (i.e. "but we're running appliance X from SuperDuperVendor and they used certified pixie dust.")
If after appropriate information security evaluation and reassurance the condition persists, the entity is likely to suffer debilitating cases of JBH, or Just Been Hacked, often accompanied with MSG$, Must Spend Gazillion Dollars.

No comments: