Effect of Vulnerability Disclosures on Market Value of Software Vendors – An Empirical Analysis

Sunil Wattal

Rahul Telang

Carnegie Mellon University

WEIS 2005


Introduction

  • Definition

  • Vendor Incentives

    • Pressure for early release

    • ‘5000 year error’ – Adams 1980

  • Quality Vs Security


Motivation

  • Increased media attention (security breaches)

    • Successful Exploitation of Software Vulnerabilities

      • Melissa - $1.9 bn damages

      • Code Red - $2.1 bn damages

  • Anecdotal Evidence - Internet Explorer

    • Losing market share

    • 8m people downloaded Mozilla in 2-3 months

  • Strategic Vulnerability Disclosures

    • Checkpoint

      • Rivals Disclosed Vulnerabilities ahead of Investor Conference

    • Microsoft

      • $200mn campaign for .NET marred by vulnerability disclosures


Impact on Vendors

  • Product defects in other industries

    • Vendors lose market value

      • Jarrell & Peltzman (1985)

      • Davidson & Worrell (1992)

  • Characteristics of Software Industry

    • EULA / Click Wrap Agreements

    • Frequent Vulnerability Announcements

    • Popularity of Products


Literature Review

  • Information Security

    • Information Sharing & Investments

      • Gordon et al (2002), Gal-Or & Ghose (2003), Gordon & Loeb (2002)

    • Vulnerability disclosure

      • Arora, Telang and Xu (2004), Kannan and Telang (2004)


Software Vulnerability, Flaw or Bug (diagram slide: the two parties affected by a vulnerability)

  • Firms (Clients)

    • Can get hacked

    • Downtime / Disruptions

    • Sensitive Information Compromised

    • Prior work: Cavusoglu et al (2002), Campbell et al (2003), Hovav & D’Arcy (2003)

  • Software Vendors – Our Research

    • Develop Patch

    • Increased Product Cost


Research Questions

  • How does market value of a software vendor change if a vulnerability is reported for its product?

  • How is this change in market value linked to the characteristics of the vulnerability?


Data

  • Popular Press

    • Newspapers: WSJ, NY Times, Washington Post, LA Times (Source: Proquest Newspapers)

    • Newswires: Business wire, PR News wire (Source: Lexis Nexis Database)

  • Industry Sources

    • CERT

    • News.com: owned by CNET, ZDNET; round-the-clock technology news


Data

  • Search Terms

    • Vulnerability & disclosure

    • Software & Vulnerability

    • Vulnerability & patch

    • Software & flaw

    • Security & flaw

    • Software & breach


Data

  • Exclusions

    • Non-daily publications e.g. Computerworld

    • Duplicates: earliest date retained

    • Confounding Events – mergers, stock splits

    • Vulnerability due to protocol flaw

    • Non-publicly traded firms

    • Non-security related flaws


Examples of Vulnerability Announcements

  • News.com(04/25/2000) “A computer security firm has discovered a serious vulnerability in Red Hat’s newest version of Linux that could let attackers destroy or deface a Web site - ……..”

  • WSJ(02/11/2004) “Microsoft Corp. warned customers about serious security problems with its Windows software that let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information……..- or possibly even take over the machine itself”


Classification of Vulnerabilities

  • Patch Vs No-Patch

  • Severe Vs. Non-Severe

  • Confidential Vs. Non-Confidential

  • Publicly Circulating ‘Exploit’

  • Vendor Discovered Vs Third Party Discovered


Hypothesis

  • H1 : A software vendor suffers a loss in market value when a security related vulnerability is announced in its products.

    • Banker and Slaughter (1998)

    • Jarrell and Peltzman (1985)

    • Davidson and Worrell (1992)


Impact on Market Value (hypothesised effect of each vulnerability characteristic)

  Characteristic              Expected effect
  Severity                    -ve
  Patch Non-Availability      -ve
  Confidentiality Related     -ve
  Source of Discovery         -ve
  ‘Exploit Availability’      -ve

  • Related work: Davidson & Worrell (1992), Campbell et al (2003), Hovav and D’Arcy (2003)


Descriptive Statistics


Event Study

  • Steps

    • Abnormal Returns

      • Actual Returns – Predicted Returns

    • Event Window – Actual Announcement

    • Estimation Window

Timeline: Estimation Window from t-160 to t; Event Window from t (announcement day) to t+n


Abnormal Returns

  • Market Method

  • Market Adjusted Method

  • Mean Adjusted Method


Statistical Test

  • Abnormal Return

  • Statistical Test

  • SA is the S.D. of Abnormal Returns in Estimation Period

  • Null Hypothesis : Abnormal Returns are not significantly different from zero.

  • Advantage of this test: (Brown & Warner 1985)

    • Allows for event day clustering and cross sectional dependence
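The event-study steps above, as an added Python illustration that is not part of the slides: abnormal returns under the market, market-adjusted and mean-adjusted methods over a 160-day estimation window, and the test statistic that divides the event-day abnormal return by the standard deviation of the estimation-period abnormal returns. The return series, the vendor's beta of 1.2 and the disclosure-day drop are constructed (hypothetical) inputs.

```python
import random
import statistics


def market_model(firm_est, mkt_est):
    """OLS of firm on market returns over the estimation window: (alpha, beta)."""
    mx, my = statistics.mean(mkt_est), statistics.mean(firm_est)
    sxx = sum((x - mx) ** 2 for x in mkt_est)
    sxy = sum((x - mx) * (y - my) for x, y in zip(mkt_est, firm_est))
    beta = sxy / sxx
    return my - beta * mx, beta


def abnormal_returns(firm, mkt, event_idx, method="market", est_len=160):
    """AR = actual - predicted return; estimation window is the est_len days
    before the event (t-160 .. t-1). Returns (estimation ARs, event-day AR)."""
    est = slice(event_idx - est_len, event_idx)
    firm_est, mkt_est = firm[est], mkt[est]
    if method == "market":              # Market Method: alpha + beta * R_m
        alpha, beta = market_model(firm_est, mkt_est)
        predict = lambda r_m: alpha + beta * r_m
    elif method == "market_adjusted":   # Market Adjusted: predicted = R_m
        predict = lambda r_m: r_m
    elif method == "mean_adjusted":     # Mean Adjusted: firm's own mean
        mu = statistics.mean(firm_est)
        predict = lambda r_m: mu
    else:
        raise ValueError(f"unknown method {method!r}")
    ar_est = [r - predict(m) for r, m in zip(firm_est, mkt_est)]
    return ar_est, firm[event_idx] - predict(mkt[event_idx])


def t_stat(ar_est, ar_event):
    """AR_0 / S_A, with S_A the S.D. of estimation-period abnormal returns
    (null hypothesis: the event-day abnormal return is zero)."""
    return ar_event / statistics.stdev(ar_est)


def demo(seed=7, shock=-0.10):
    """Constructed sample (hypothetical): 161 daily returns for one vendor
    with true beta 1.2 and an assumed disclosure-day drop `shock` on day 160."""
    rng = random.Random(seed)
    mkt = [rng.gauss(0.0, 0.01) for _ in range(161)]
    firm = [1.2 * m + rng.gauss(0.0, 0.01) for m in mkt]
    firm[160] += shock
    out = {}
    for method in ("market", "market_adjusted", "mean_adjusted"):
        ar_est, ar_0 = abnormal_returns(firm, mkt, 160, method)
        out[method] = (ar_0, t_stat(ar_est, ar_0))
    return out
```

`demo()` returns, per method, the event-day abnormal return and its test statistic; with the constructed drop all three come out clearly negative and well beyond the usual significance thresholds.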


Effect of Vulnerability Characteristics

  • Fixed Effects Regression

    • To account for firm specific heterogeneity

    • i – Firm specific dummy variable

    • Xit – vulnerability characteristics


Independent Variables

  • Binary Independent Variables (0 or 1)

  • SEVR: whether the vulnerability has been classified as severe

  • PATCH: Whether a patch is available at the time of the vulnerability disclosure.

  • DISC: Whether the vulnerability was discovered by the vendor itself.

  • EXPLOIT: If an exploit is publicly available at the time of the vulnerability announcement, then EXPLOIT = 1; otherwise it is zero.

  • CERT: If the vulnerability was first reported in CERT.

  • PRESS: If the vulnerability was first reported in popular press.

  • DOS: If the vulnerability can potentially lead to a denial of service type attack.

  • EXECUTE_CODE: If the vulnerability can potentially lead to a hacker executing malicious code, then EXECUTE_CODE = 1.


Results

  • Median Abnormal Return

    • Wilcoxon Signed Rank Test

  • Percent Less than Zero

    • Sign Test

    • Non Parametric Tests


Robustness Check

  • Outlier Effect :

    • Remove Top 10 and Bottom 10 Percentile

    • Abnormal Returns (-0.53 against -0.63)

      • Significant at 5% level

  • Market Momentum Effects

    • day -10 to day -1 CAR and day 0 CAR (correlation: -0.05, p-value 0.5)

    • day -1 CAR and day 0 CAR (correlation: 0.03, p-value 0.67)


Results

  • Abnormal Returns Negative and Significant

    • Mean Range (0.5 – 0.67%)

  • Confirms loss in market value for software vendors

  • Median and Percent Less than Zero values also negative and significant

  • Market Capitalization

    • Average change: -$0.86bn per vulnerability


Different Event Windows


Fixed Effects Regression (R² = 17.3%; F-value = 2.77, significant at the 1% level)


Interpretation

  • Coefficient on non-availability of patch significant and positive

    • Software vendors lose 0.83% more in market value.

    • Intuitive: possible loss in consumer goodwill and future cash flows

    • Incentive for vendors to push for limited disclosure


Interpretation

  • Coefficient on DoS significant and positive

    • Software vendors lose 0.76% less in market value

    • Campbell et al (2003)

    • Implications for quality investments


Interpretation

  • Coefficient on SEVR significant and negative

    • Software vendors lose 0.6% more in market value.

    • Davidson & Worrell (1992)


Interpretation

  • Coefficient on Source of Discovery not significant

    • Markets do not penalize firms for failing to find flaws in own products.


Other Event Study Results


Conclusions

  • Significant Loss to Software Vendors

  • Loss is Greater for

    • No Patch

    • Confidentiality Related

    • More Severe

  • Limited Disclosure may lead to sub-optimal investments

    • Impact on consumer welfare??


  • Questions!!!