2 months ago at RSA 2009, Rich Mogull from Securosis mentioned an interesting project that they are working on: Project Quant. The project focuses on measuring the patch management process in all of its stages, from monitoring for new threats and patches, to evaluation and testing, through deployment and verification. Now that they have refined this lifecycle, they need input from you, the real-life production users who can tell how much time is spent on each of these activities. He has published an online survey, which is the first step in gathering production data.
This is an exciting project and the results will be made publicly available. I expect them to provide high quality insight into the cost of patching. Recommended.
PS: The full scope and intentions of the project are outlined in the initial post.