Microsoft on Wednesday plans to launch a new research effort to determine the total cost of the patch-management cycle, from testing and distributing a fix to user deployment of the patch. The end result of the project, which will be completely open and transparent to outsiders, will be a full metrics model that the company plans to make freely available.

The metrics project will be handled by the analyst firm Securosis, which will do surveys and interviews with end users and will be responsible for building out the model. Rich Mogull, the firm’s founder, said when Microsoft contacted him about the project he was encouraged by the open, product-neutral way in which the company wanted to approach it.

“This is not a vendor tool. It’s not product-focused at all,” Mogull said. “It’s focused on the organizations and the end users. We’re looking at the patch management cycle. What are the total costs for the total cycle, from monitoring what you need to patch all the way to getting the patch out.”

As part of the process, Securosis will be posting all of the correspondence between the firm and Microsoft about the project, inviting other vendors to participate and make suggestions and encouraging users to comment on the project as it progresses. Mogull said he hopes to have the first version of the model finished by the end of June.

The project is being driven on Microsoft’s end by Jeff Jones, a strategy director in the company’s Security Technology Unit. Mogull said that he and Jones have talked at length about the transparency and objectivity requirements around the metrics model.

“Our research model is radically transparent and that’s how this is going to be too,” Mogull said. “Everything will be out in the open. I wouldn’t do something like this if it wasn’t. The goal for the project is to produce an objective, independent model, irrespective of Microsoft.”

Mogull has created a separate Web page to discuss the project, which is where the materials related to the effort will be available once it gets underway. He lists the goals and deliverables of the effort, which he’s calling Project Quant for now, and emphasizes the open and transparent nature of the project.

“All materials will be made publicly available throughout the project, including internal communications (the Totally Transparent Research process). The model will be developed through a combination of primary research, surveys, focused interviews, and public/community participation,” Mogull writes.
