
Effect of Vulnerability Disclosures on Market Value of Software Vendors – An Empirical Analysis

Sunil Wattal

Rahul Telang

Carnegie Mellon University

WEIS 2005


Introduction

  • Definition

  • Vendor Incentives

    • Pressure for early release

    • ‘5000 year error’ – Adams 1980

  • Quality Vs Security


Motivation

  • Increased media attention (security breaches)

    • Successful Exploitation of Software Vulnerabilities

      • Melissa - $1.9 bn damages

      • Code Red - $2.1 bn damages

  • Anecdotal Evidence - Internet Explorer

    • Losing market share

    • 8m people downloaded Mozilla in 2-3 months

  • Strategic Vulnerability Disclosures

    • Checkpoint

      • Rivals Disclosed Vulnerabilities ahead of Investor Conference

    • Microsoft

      • $200mn campaign for .NET marred by vulnerability disclosures


Impact on Vendors

  • Product defects in other industries

    • Vendors lose market value

      • Jarrell & Peltzman (1985)

      • Davidson & Worrell (1992)

  • Characteristics of Software Industry

    • EULA / Click Wrap Agreements

    • Frequent Vulnerability Announcements

    • Popularity of Products


Literature Review

  • Information Security

    • Information Sharing & Investments

      • Gordon et al (2002), Gal-Or & Ghose (2003), Gordon & Loeb (2002)

    • Vulnerability disclosure

      • Arora, Telang and Xu (2004), Kannan and Telang (2004)


Software Vulnerability (Flaw or Bug): who is affected

  • Firms (Clients)

    • Can get hacked

    • Downtime / Disruptions

    • Sensitive Information Compromised

    • Prior event studies: Cavusoglu et al (2002), Campbell et al (2003), Hovav & D’Arcy (2003)

  • Software Vendors – Our Research

    • Develop Patch

    • Increased Product Cost


Research Questions

  • How does market value of a software vendor change if a vulnerability is reported for its product?

  • How is this change in market value linked to the characteristics of the vulnerability?


Data

  • Popular Press

    • Newspapers: WSJ, NY Times, Washington Post, LA Times (Source: Proquest Newspapers)

    • Newswires: Business wire, PR News wire (Source: Lexis Nexis Database)

  • Industry Sources

    • CERT

    • News.com: owned by CNET / ZDNET; round-the-clock technology news


Data

  • Search Terms

    • Vulnerability & disclosure

    • Software & Vulnerability

    • Vulnerability & patch

    • Software & flaw

    • Security & flaw

    • Software & breach


Data

  • Exclusions

    • Non-daily publications e.g. Computerworld

    • Duplicate reports of the same vulnerability: only the earliest date is kept

    • Confounding Events – mergers, stock splits

    • Vulnerability due to protocol flaw

    • Non-publicly traded firms

    • Non-security related flaws


Examples of Vulnerability Announcements

  • News.com(04/25/2000) “A computer security firm has discovered a serious vulnerability in Red Hat’s newest version of Linux that could let attackers destroy or deface a Web site - ……..”

  • WSJ(02/11/2004) “Microsoft Corp. warned customers about serious security problems with its Windows software that let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information……..- or possibly even take over the machine itself”


Classification of Vulnerabilities

  • Patch Vs No-Patch

  • Severe Vs. Non-Severe

  • Confidential Vs. Non-Confidential

  • Publicly Circulating ‘Exploit’

  • Vendor Discovered Vs Third Party Discovered


Hypothesis

  • H1 : A software vendor suffers a loss in market value when a security related vulnerability is announced in its products.

    • Banker and Slaughter (1998)

    • Jarrell and Peltzman (1985)

    • Davidson and Worrell (1992)


Impact on Market Value

  • Hypothesised effect of each vulnerability characteristic on the vendor’s market value:

    • Severity: -ve

    • Patch Non-Availability: -ve

    • Confidentiality Related: -ve

    • Source of Discovery: -ve

    • ‘Exploit Availability’: -ve

  • Supporting literature: Davidson & Worrell (1992), Campbell et al (2003), Hovav and D’Arcy (2003)


Descriptive Statistics


Event Study

  • Steps

    • Abnormal Returns

      • Actual Returns – Predicted Returns

    • Event Window – Actual Announcement

    • Estimation Window

    • Timeline: t-160 … t … t+n

      • Estimation Window: t-160 to t

      • Event Window: t (announcement day) to t+n


Abnormal Returns

  • Market Method

  • Market Adjusted Method

  • Mean Adjusted Method


Statistical Test

  • Abnormal Return

  • Statistical Test

  • SA is the S.D. of Abnormal Returns in Estimation Period

  • Null Hypothesis : Abnormal Returns are not significantly different from zero.

  • Advantage of this test: (Brown & Warner 1985)

    • Allows for event day clustering and cross sectional dependence
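The three abnormal-return benchmarks from the previous slide and the test statistic described here (SA = standard deviation of abnormal returns over the estimation period, with cross-sectional averaging first so that event-day clustering is allowed for, as in Brown & Warner 1985) can be reproduced on a small constructed data set. The code below is an added example, not part of the original presentation or the authors' code. All return series, the firm names "A" and "B", the market-model parameters and the eight-day estimation window are constructed assumptions; the study itself uses an estimation window starting at t-160.

```python
"""Event-study abnormal returns and the Brown & Warner (1985) crude dependence test."""
import math

# Constructed daily returns (fractions, not percent).  Firm returns were generated
# as alpha + beta * market + e, with e orthogonal to the market and summing to
# zero, so the market model is recovered exactly:  A: alpha=0.001, beta=1.2;
# B: alpha=-0.0005, beta=0.8.  Eight estimation days are used so the numbers can
# be checked by hand (the study uses t-160 to t).
MARKET_EST = [0.01, -0.01, 0.02, -0.02, 0.01, -0.01, 0.02, -0.02]
FIRMS_EST = {
    "A": [0.014, -0.010, 0.024, -0.024, 0.014, -0.010, 0.024, -0.024],
    "B": [0.0095, -0.0065, 0.0175, -0.0145, 0.0055, -0.0105, 0.0135, -0.0185],
}
MARKET_EVENT = 0.005                 # constructed market return on announcement day t
FIRMS_EVENT = {"A": 0.0, "B": -0.0015}  # constructed firm returns on day t


def mean(xs):
    return sum(xs) / len(xs)


def sample_sd(xs):
    m = mean(xs)
    return math.sqrt(sum((x - m) ** 2 for x in xs) / (len(xs) - 1))


def market_model(firm, market):
    """OLS fit of R_i = alpha + beta * R_m over the estimation window."""
    mm, mf = mean(market), mean(firm)
    beta = (sum((x - mm) * (y - mf) for x, y in zip(market, firm))
            / sum((x - mm) ** 2 for x in market))
    return mf - beta * mm, beta


def abnormal_return(method, firm_est, market_est, r_firm, r_market):
    """Actual return minus the return predicted by the chosen benchmark."""
    if method == "market":            # market model: alpha + beta * R_m
        alpha, beta = market_model(firm_est, market_est)
        return r_firm - (alpha + beta * r_market)
    if method == "market_adjusted":   # benchmark is the market return itself
        return r_firm - r_market
    if method == "mean_adjusted":     # benchmark is the firm's own estimation-window mean
        return r_firm - mean(firm_est)
    raise ValueError(f"unknown method {method!r}")


def crude_dependence_test(method="market"):
    """Average ARs across firms on each estimation day, take SA as the sample SD of
    those daily averages, and test AAR(event day) / SA against zero.  Averaging
    before taking the SD is what makes the statistic robust to event-day
    clustering and cross-sectional dependence.  Returns (AAR, SA, t)."""
    daily_avg = []
    for d in range(len(MARKET_EST)):
        ars = [abnormal_return(method, FIRMS_EST[f], MARKET_EST,
                               FIRMS_EST[f][d], MARKET_EST[d]) for f in FIRMS_EST]
        daily_avg.append(mean(ars))
    sa = sample_sd(daily_avg)
    event_ars = [abnormal_return(method, FIRMS_EST[f], MARKET_EST,
                                 FIRMS_EVENT[f], MARKET_EVENT) for f in FIRMS_EST]
    aar = mean(event_ars)
    return aar, sa, aar / sa


if __name__ == "__main__":
    for m in ("market", "market_adjusted", "mean_adjusted"):
        aar, sa, t = crude_dependence_test(m)
        print(f"{m:16s} AAR={aar:+.4%}  SA={sa:.4%}  t={t:+.2f}")
```

With the constructed inputs the market-model abnormal return on day t is -0.7% for firm A and -0.5% for firm B, so the average is -0.6% against SA of about 0.12%, giving a t-statistic near -5; the sign of the average is what H1 is about, and the same function run with the other two benchmarks shows how much the conclusion depends on the choice of expected-return model.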


Effect of Vulnerability Characteristics

  • Fixed Effects Regression

    • To account for firm specific heterogeneity

    • i – Firm specific dummy variable

    • Xit – vulnerability characteristics


Independent Variables

  • Binary Independent Variables (0 or 1)

  • SEVR: whether the vulnerability has been classified as severe

  • PATCH: Whether a patch is available at the time of the vulnerability disclosure.

  • DISC: Whether the vulnerability was discovered by the vendor itself.

  • EXPLOIT: If an exploit is publicly available at the time of the vulnerability announcement, then EXPLOIT = 1; otherwise it is zero.

  • CERT: If the vulnerability was first reported in CERT.

  • PRESS: If the vulnerability was first reported in popular press.

  • DOS: If the vulnerability can potentially lead to a denial of service type attack.

  • EXECUTE_CODE: If the vulnerability can potentially lead to a hacker executing malicious code, then EXECUTE_CODE = 1.
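The fixed-effects regression of the event-day abnormal return on the binary characteristics above (firm-specific dummies to absorb firm heterogeneity, X_it for the vulnerability characteristics) can be estimated with the "within" transformation: demean every variable inside each firm and run OLS on the demeaned data, which is algebraically the same as including one dummy per firm. The code below is an added example, not the authors' estimation code; the panel of seven announcements across the two firms "A" and "B", the two regressors SEVR and PATCH, and the coefficient values are constructed assumptions generated without noise so the estimates can be checked exactly.

```python
"""Firm fixed-effects (within) regression of abnormal returns on vulnerability dummies."""
from collections import defaultdict

# Constructed panel: (firm, SEVR, PATCH, abnormal return on day 0).
# Generated as AR = a_firm + (-0.006)*SEVR + 0.008*PATCH with a_A = -0.002 and
# a_B = -0.010 and no noise, so the within estimator must recover these values.
PANEL = [
    ("A", 0, 0, -0.002),
    ("A", 1, 0, -0.008),
    ("A", 0, 1,  0.006),
    ("A", 1, 1,  0.000),
    ("B", 0, 0, -0.010),
    ("B", 1, 1, -0.008),
    ("B", 1, 0, -0.016),
]
REGRESSORS = ["SEVR", "PATCH"]


def solve(a, b):
    """Solve the k x k system a x = b by Gauss-Jordan elimination with partial
    pivoting (assumes a is non-singular, i.e. the regressors vary within firms)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def within_regression(panel, n_regressors):
    """Fixed-effects estimator.  Each variable is demeaned within its firm, which
    removes the firm intercept a_i; OLS on the demeaned data then gives the
    coefficients on X_it.  Returns (coefficients, {firm: recovered fixed effect})."""
    by_firm = defaultdict(list)
    for row in panel:
        by_firm[row[0]].append(row[1:])
    k = n_regressors
    means, xd, yd = {}, [], []
    for firm, rows in by_firm.items():
        mean = [sum(r[j] for r in rows) / len(rows) for j in range(k + 1)]
        means[firm] = mean
        for r in rows:
            xd.append([r[j] - mean[j] for j in range(k)])
            yd.append(r[k] - mean[k])
    xtx = [[sum(x[i] * x[j] for x in xd) for j in range(k)] for i in range(k)]
    xty = [sum(x[i] * y for x, y in zip(xd, yd)) for i in range(k)]
    beta = solve(xtx, xty)
    # a_i = mean(AR_i) - sum_j beta_j * mean(X_ij): the firm dummy coefficients
    effects = {f: m[k] - sum(b * m[j] for j, b in enumerate(beta))
               for f, m in means.items()}
    return beta, effects


if __name__ == "__main__":
    beta, effects = within_regression(PANEL, len(REGRESSORS))
    for name, b in zip(REGRESSORS, beta):
        print(f"{name}: {b:+.4f}")
    for firm, a in effects.items():
        print(f"firm {firm} fixed effect: {a:+.4f}")
```

The demeaning step is the part that matters for the slide's point: a firm whose every announcement is met with a larger drop (firm B here) would otherwise pull the SEVR or PATCH coefficient towards whatever characteristics its vulnerabilities happen to have, whereas after demeaning only within-firm variation in the characteristics identifies the coefficients.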


Results

  • Median Abnormal Return

    • Wilcoxon Signed Rank Test

  • Percent Less than Zero

    • Sign Test

    • Non Parametric Tests


Robustness Check

  • Outlier Effect :

    • Remove Top 10 and Bottom 10 Percentile

    • Abnormal Returns (-0.53 against -0.63)

      • Significant at 5% level

  • Market Momentum Effects

    • day -10 to day -1 CAR and day 0 CAR (correlation: -0.05, p-value 0.5)

    • day -1 CAR and day 0 CAR (correlation: 0.03, p-value 0.67)


Results

  • Abnormal Returns Negative and Significant

    • Mean Range (0.5 – 0.67%)

  • Confirms loss in market value for software vendors

  • Median and Percent Zero values also negative and significant

  • Market Capitalization

    • Average change - $ 0.86bn per vulnerability


Different Event Windows


Fixed Effects Regression

  • R2 = 17.3%

  • F-value = 2.77 – significant at the 1% level


Interpretation

  • Coefficient on non-availability of patch significant and positive

    • Software vendors lose 0.83% more in market value.

    • Intuitive: possible loss in consumer goodwill and future cash flows

    • Incentive for vendors to push for limited disclosure


Interpretation

  • Coefficient on DoS significant and positive

    • Software vendors lose 0.76% less in market value

    • Campbell et al (2003)

    • Implications for quality investments


Interpretation

  • Coefficient on SEVR significant and negative

    • Software vendors lose 0.6% more in market value.

    • Davidson & Worrell (1992)


Interpretation

  • Coefficient on Source of Discovery not significant

    • Markets do not penalize firms for failing to find flaws in own products.


Other Event Study Results


Conclusions

  • Significant Loss to Software Vendors

  • Loss is Greater for

    • No Patch

    • Confidentiality Related

    • More Severe

  • Limited Disclosure may lead to sub-optimal investments

    • Impact on consumer welfare??

