Queueing Analysis by Simulation of Risk Duration Prioritized Patch Scheduling Under Gated Windows

Ercan Erkalkan

doi:10.35377/saucis...1846583

Queueing Analysis by Simulation of Risk Duration Prioritized Patch Scheduling Under Gated Windows

Abstract

Patch hygiene remains uneven across small and medium-sized enterprises (SMEs) due to constrained staffing and tooling. At the same time, device heterogeneity spans information technology (IT), operational technology (OT), and consumer IoT estates. An interpretable triage-and-scheduling mechanism is presented for patch planning in heterogeneous IoT fleets under limited maintenance windows and limited parallel capacity. A Risk--Duration (RD) score ranks candidate patch actions by combining device criticality, exposure, and vulnerability age, optionally enriched with exploitation-aware signals (e.g., KEV membership and EPSS-like likelihood proxies), and normalizing by expected maintenance duration. The ranked backlog is executed under a window-gated scheduling discipline that enforces maintenance-window admissibility and per-window capacity limits, mitigates end-of-window surges, and bounds starvation for repeatedly examined but deferred items via deferral-count promotion. A discrete-event simulation (DES) is used to evaluate time-to-start tails, backlog-age tails, and per-window utilization under mixed-criticality workloads; window-adherence and end-of-window spike indicators are tracked for completeness. In a 56-day DES with 30 replications, the proposed RD+WGPS reduces the High-bucket KM P90 time-to-start tail from 305.2~h (FIFO) to 84.3~h and reduces $\overline{B95}$ from 6.14 to 1.42~days (S1); under low-capacity/high-heterogeneity conditions, it increases the High start rate to 0.69 (S3). The approach is compatible with mainstream change-management platforms and security governance frameworks, and can be implemented with minimal operational metadata.

Keywords

References

Verizon. 2025 data breach investigations report (DBIR) executive summary. Technical report, Verizon, 2025. Accessed: 2026-02-03.
Murugiah Souppaya and Karen Scarfone. Guide to enterprise patch management planning: Preventive maintenance for technology. NIST Special Publication 800-40 Rev. 4, National Institute of Standards and Technology, 2022.
Keith Stouffer, Michael Pease, CheeYee Tang, Timothy Zimmerman, Victoria Pillitteri, Suzanne Lightman, Adam Hahn, Stephanie Saravia, Aslam Sherule, and Michael Thompson. Guide to operational technology (OT) security. NIST Special Publication 800-82 Rev. 3, National Institute of Standards and Technology, 2023.
National Institute of Standards and Technology. The NIST cybersecurity framework (CSF) 2.0. NIST Cybersecurity White Paper NIST CSWP 29, National Institute of Standards and Technology, 2024.
Cybersecurity and Infrastructure Security Agency. Known exploited vulnerabilities (KEV) catalog, 2025. Online; accessed 2025-10-18.
FIRST.org. Common vulnerability scoring system (CVSS) v4.0 specification, 2023. Specification.
FIRST.org. Exploit prediction scoring system (EPSS), 2025. EPSS Version 4 released 2025-03-17; Online; accessed 2025-10-18.
Jonathan M. Spring, Allen D. Householder, Eric Hatleback, Art Manion, Madison Oliver, Vijay S. Sarvepalli, Laurie Tyzenhaus, and Charles G. Yarbrough. Prioritizing vulnerability response: A stakeholder-specific vulnerability categorization (version 2.0). Technical report, Carnegie Mellon University, Software Engineering Institute, 2021.

Michael Fagan, Katerina Megas, Karen Scarfone, and Matthew Smith. IoT device cybersecurity capability core baseline. NIST Interagency Report 8259A, National Institute of Standards and Technology, 2020.
European Telecommunications Standards Institute (ETSI). Cyber security for consumer internet of things: Baseline requirements (EN 303 645 V3.1.3), 2024. ETSI Standard.
European Union Agency for Cybersecurity (ENISA). Good practices for security of IoT – secure software development lifecycle, 2019. Online.
International Electrotechnical Commission (IEC). Security for industrial automation and control systems – part 2-3: Patch management in the IACS environment (IEC TR 62443-2-3:2015), 2015. Technical Report.
Center for Internet Security. CIS Critical Security Controls (Version 8.1), 2024. Online; accessed 2025-10-18.
OASIS. Common Security Advisory Framework (CSAF) Version 2.0, 2022. OASIS Standard.
Cybersecurity and Infrastructure Security Agency. Minimum requirements for vulnerability exploitability exchange (VEX), 2023. Online; accessed 2025-10-18.
Yuhao Wu, Jinwen Wang, Yujie Wang, Shixuan Zhai, Zihan Li, Yi He, Kun Sun, Qi Li, and Ning Zhang. Your firmware has arrived: A study of firmware update vulnerabilities. In Proceedings of the 33rd USENIX Security Symposium (USENIX Security 24), pages 5627–5644. USENIX Association, 2024.
Taimur Bakhshi, Bogdan Ghita, and Ievgeniia Kuzminykh. A review of IoT firmware vulnerabilities and auditing techniques. Sensors, 24(2):708, 2024.
Weihao Chen, Yansong Gao, Boyu Kuang, Jin B. Hong, Yuqing Zhang, and Anmin Fu. Empowering IoT firmware secure update with customization rights, 2025.
Rianna Parla. Efficacy of EPSS in high severity CVEs found in KEV, 2024.
Onno J. Boxma, J. Bruin, and Brian H. Fralix. Sojourn times in polling systems with various service disciplines. Performance Evaluation, 66(11):621–639, 2009.
Marko A. A. Boon and Ivo J. B. F. Adan. Mixed gated/exhaustive service in a polling model with priorities. Queueing Systems, 63:383–399, 2009.
Jerry Banks, John S. Carson, Barry L. Nelson, and David M. Nicol. Discrete-Event System Simulation. Pearson, 5 edition, 2010.
Averill M. Law. Simulation Modeling and Analysis. McGraw–Hill, 5 edition, 2015.
E. L. Kaplan and Paul Meier. Nonparametric estimation from incomplete observations. Journal of the American Statistical Association, 53(282):457–481, 1958.
Amazon Web Services. AWS Systems Manager Maintenance Windows, 2025. Online; accessed 2025-10-18.
ServiceNow. Create blackout and maintenance schedules in change management, 2026. Online; accessed 2026-05-24.

Details

Primary Language

English

Subjects

Cybersecurity and Privacy (Other)

Journal Section

Research Article

Authors

Ercan Erkalkan ^*
0000-0001-9259-7112
Türkiye

Early Pub Date

June 19, 2026

Publication Date

-

Submission Date

December 21, 2025

Acceptance Date

February 12, 2026

Published in Issue

Year 2026 Number: Advanced Online Publication

DOI

https://doi.org/10.35377/saucis...1846583

IZ

https://izlik.org/JA54YK37PU

Cite

RIS / Bibtex

APA

Erkalkan, E. (2026). Queueing Analysis by Simulation of Risk Duration Prioritized Patch Scheduling Under Gated Windows. Sakarya University Journal of Computer and Information Sciences, Advanced Online Publication, 739-753. https://doi.org/10.35377/saucis...1846583

AMA

1.Erkalkan E. Queueing Analysis by Simulation of Risk Duration Prioritized Patch Scheduling Under Gated Windows. SAUCIS. 2026;(Advanced Online Publication):739-753. doi:10.35377/saucis.1846583

Chicago

Erkalkan, Ercan. 2026. “Queueing Analysis by Simulation of Risk Duration Prioritized Patch Scheduling Under Gated Windows”. Sakarya University Journal of Computer and Information Sciences, no. Advanced Online Publication: 739-53. https://doi.org/10.35377/saucis. 1846583.

EndNote

Erkalkan E (June 1, 2026) Queueing Analysis by Simulation of Risk Duration Prioritized Patch Scheduling Under Gated Windows. Sakarya University Journal of Computer and Information Sciences Advanced Online Publication 739–753.

IEEE

[1]E. Erkalkan, “Queueing Analysis by Simulation of Risk Duration Prioritized Patch Scheduling Under Gated Windows”, SAUCIS, no. Advanced Online Publication, pp. 739–753, June 2026, doi: 10.35377/saucis...1846583.

ISNAD

Erkalkan, Ercan. “Queueing Analysis by Simulation of Risk Duration Prioritized Patch Scheduling Under Gated Windows”. Sakarya University Journal of Computer and Information Sciences. Advanced Online Publication (June 1, 2026): 739-753. https://doi.org/10.35377/saucis. 1846583.

JAMA

1.Erkalkan E. Queueing Analysis by Simulation of Risk Duration Prioritized Patch Scheduling Under Gated Windows. SAUCIS. 2026;:739–753.

MLA

Erkalkan, Ercan. “Queueing Analysis by Simulation of Risk Duration Prioritized Patch Scheduling Under Gated Windows”. Sakarya University Journal of Computer and Information Sciences, no. Advanced Online Publication, June 2026, pp. 739-53, doi:10.35377/saucis. 1846583.

Vancouver

1.Ercan Erkalkan. Queueing Analysis by Simulation of Risk Duration Prioritized Patch Scheduling Under Gated Windows. SAUCIS. 2026 Jun. 1;(Advanced Online Publication):739-53. doi:10.35377/saucis. 1846583