Impact of Software Vulnerability Announcements on the Market Value of Software Vendors
Full Title of Reference
Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - An Empirical Investigation
Full Citation
Rahul Telang, Sunil Wattal, Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - An Empirical Investigation, 33 IEEE Transactions on Software Engineering 8 (2007). Web
Categorization
Key Words
Computer Emergency Response Team, Disclosure Policy, Hacker, Software Vulnerability, Transparency
Synopsis
Researchers in the area of information security have mainly been concerned with tools, techniques and policies that firms can use to protect themselves against security breaches. However, information security is as much about security software as it is about secure software. Software is not secure when it has defects or flaws which can be exploited by hackers to cause attacks such as unauthorized intrusion or denial of service attacks. Any public announcement about a software defect is termed as ‘vulnerability disclosure’. In this paper, the authors use the event study methodology to examine the role that financial markets play in determining the impact of vulnerability disclosures on software vendors. They collect data from leading national newspapers and industry sources by searching for reports on published software vulnerabilities.
Financial Effects of Disclosure
Their main result is that vulnerability disclosures do lead to a negative and significant change in market value for a software vendor. On average, a vendor loses around 0.6 % value in stock price when a vulnerability is reported. This is equivalent to a loss in market capitalization values of $0.86 billion per vulnerability announcement. To provide further insight, the authors use the information content of the disclosure announcement to classify vulnerabilities into various types.
Incentives and Disincentives for Disclosure
The authors conclude that that vendors are not necessarily better off disclosing information themselves. Generally, an argument could be made that vendors should release the information themselves, for if not, someone else will and it will lead to worse consequences. However, they do not find any evidence of this. In their sample, none of the vulnerabilities was discovered by hackers. Hackers however exploit vulnerabilities once they are made public by searching for un-patched systems. Vendors are probably better off keeping quiet and integrate their fixes as either service packs (which do not give micro-details on what it fixes) or newer versions and announce the patch only if someone else has disclosed it.
Limitations of the Study and Further Research
According to the authors, one limitation of their study is that most of the data points in our sample are announcements regarding off-the-shelf software products. Their analysis does not cover software development projects where a security flaw can cause millions of dollars worth of damage. The main reason for excluding them was the lack of availability of data on software failures in such cases. They stress that further analysis in terms of software quality, market share or profitability is needed to fully understand how vulnerability disclosure signals poorer quality and how it affects the vendors’ incentives to provide better quality software.
Additional Notes and Highlights
Expertise Required: Economics - Moderate
Outline:
1. Introduction
2. Hypotheses
3. Data Description & Methodology
3.1 Vulnerability Disclosure Process
3.2 Data
3.3 Methodology
The Market Model
The Market Adjusted Model
Results
Market Capitalization
4. Effect of Vulnerability Characteristics
Ongoing Research
5. Conclusions and Discussion
Comparison with prior event studies
Implications for Software Quality and Disclosure Policy