The number of security vulnerabilities, breaches and digital disaster increases over time. One important source of weaknesses of computer networks are the ubiquitous flaws (‘bugs’) in the software, and most such bugs are exploitable by malicious agents. Consequently, “patching” the software to correct known bugs is becoming more important, especially for network-based system companies. However, this issue is often seen by decision-makers differently, due to the presumption that security measures are time consuming and a disturbance for the primary business activities. In addition, it is considered too costly to invest in prevention of something that might not happen. Patching often requires extensive testing and that computer networks be taken down. This work is a preliminary effort to build a system dynamics model for studying the trade offs and the risks of different patching policies.