Effect of Vulnerability Disclosures on Market Value of Software Vendors – An Empirical Analysis

Sunil Wattal

Rahul Telang

Carnegie Mellon University

WEIS 2005

Introduction
  • Definition
  • Vendor Incentives
    • Pressure for early release
    • ‘5000 year error’ – Adams 1980
  • Quality vs. Security
Motivation
  • Increased media attention (security breaches)
    • Successful Exploitation of Software Vulnerabilities
      • Melissa - $1.9 bn damages
      • Code Red - $2.1 bn damages
  • Anecdotal Evidence - Internet Explorer
    • Losing market share
    • 8m people downloaded Mozilla in 2-3 months
  • Strategic Vulnerability Disclosures
    • Checkpoint
      • Rivals Disclosed Vulnerabilities ahead of Investor Conference
    • Microsoft
      • $200mn campaign for .NET marred by vulnerability disclosures
Impact on Vendors
  • Product defects in other industries
    • Vendors lose market value
      • Jarrell & Peltzman (1985)
      • Davidson & Worrell (1992)
  • Characteristics of Software Industry
    • EULA / Click Wrap Agreements
    • Frequent Vulnerability Announcements
    • Popularity of Products
Literature Review
  • Information Security
    • Information Sharing & Investments
      • Gordon et al (2002), Gal-Or & Ghose (2003), Gordon & Loeb (2002)
    • Vulnerability disclosure
      • Arora, Telang and Xu (2004), Kannan and Telang (2004)
Who Bears the Cost of a Software Vulnerability (diagram)
  • Software Vulnerability, Flaw or Bug
    • Firms (Clients)
      • Can get hacked
      • Downtime / Disruptions
      • Sensitive Information Compromised
      • Prior work: Cavusoglu et al (2002), Campbell et al (2003), Hovav & D’Arcy (2003)
    • Software Vendors
      • Develop Patch
      • Increased Product Cost
      • Our Research
Research Questions
  • How does market value of a software vendor change if a vulnerability is reported for its product?
  • How is this change in market value linked to the characteristics of the vulnerability?
Data
  • Popular Press
    • Newspapers: WSJ, NY Times, Washington Post, LA Times (Source: ProQuest Newspapers)
    • Newswires: Business Wire, PR Newswire (Source: LexisNexis Database)
  • Industry Sources
    • CERT
    • News.com: owned by CNET / ZDNet; round-the-clock technology news
Data
  • Search Terms
    • Vulnerability & disclosure
    • Software & Vulnerability
    • Vulnerability & patch
    • Software & flaw
    • Security & flaw
    • Software & breach
Data
  • Exclusions
    • Non-daily publications, e.g. Computerworld
    • Duplicate reports: only the earliest date is kept
    • Confounding events – mergers, stock splits
    • Vulnerabilities due to protocol flaws
    • Non-publicly traded firms
    • Non-security-related flaws
Examples of Vulnerability Announcements
  • News.com (04/25/2000): “A computer security firm has discovered a serious vulnerability in Red Hat’s newest version of Linux that could let attackers destroy or deface a Web site …”
  • WSJ (02/11/2004): “Microsoft Corp. warned customers about serious security problems with its Windows software that let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information … or possibly even take over the machine itself”
Classification of Vulnerabilities
  • Patch vs. No Patch
  • Severe vs. Non-Severe
  • Confidential vs. Non-Confidential
  • Publicly Circulating ‘Exploit’
  • Vendor Discovered vs. Third-Party Discovered
Hypothesis
  • H1: A software vendor suffers a loss in market value when a security-related vulnerability is announced in its products.
    • Banker and Slaughter (1998)
    • Jarrell and Peltzman (1985)
    • Davidson and Worrell (1992)
Hypotheses: Expected Impact on Market Value (table)
  • Severity: -ve
  • Patch Non-Availability: -ve
  • Confidentiality Related: -ve
  • Source of Discovery: -ve
  • ‘Exploit Availability’: -ve
  • Supporting literature: Davidson & Worrell (1992); Campbell et al (2003); Hovav and D’Arcy (2003)
Event Study
  • Steps
    • Abnormal Returns
      • Actual Returns – Predicted Returns
    • Event Window – around the actual announcement (day t to day t+n)
    • Estimation Window – the period before the announcement (from day t-160 up to the event)
  • Timeline (figure): t-160 ——[ Estimation Window ]—— t ——[ Event Window ]—— t+n
Abnormal Returns
  • Market Method (normal return predicted by a market-model regression fitted over the estimation window)
  • Market Adjusted Method (normal return = the market return)
  • Mean Adjusted Method (normal return = the firm’s own mean return over the estimation window)
Statistical Test
  • Abnormal Return
  • Statistical Test
  • S_A is the standard deviation of the abnormal returns over the estimation period
  • Null hypothesis: abnormal returns are not significantly different from zero
  • Advantage of this test (Brown & Warner 1985)
    • Allows for event-day clustering and cross-sectional dependence
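The event-study procedure of the preceding slides, carried through end to end as an added example (this is not the authors' code, and the paper's own formula images are not in the transcript): abnormal returns by the market, market-adjusted and mean-adjusted methods, the test statistic with S_A taken from the estimation window, and the percent-less-than-zero count that feeds the sign test on the Results slide. The formulas used are the standard ones: market model AR = R_it − (α_i + β_i·R_mt), market-adjusted AR = R_it − R_mt, mean-adjusted AR = R_it − mean(R_i). The two vendors, their returns and the 8-day estimation window are constructed (the paper uses 160 days), and the test is implemented as Brown & Warner's crude dependence adjustment, which is assumed here to be the clustering-robust variant the slide refers to.

```python
from statistics import mean, stdev

# Constructed sample (not the paper's data): daily returns over an 8-day
# estimation window plus a 1-day event window for two hypothetical vendors.
MKT_EST = [0.010, 0.010, -0.020, -0.020, 0.005, 0.005, 0.015, 0.015]
MKT_EVT = [-0.003]  # market return on the announcement day t
# hypothetical vendor: (alpha, beta, idiosyncratic noise amplitude, event-day shock)
FIRMS = {
    "VendorA": (0.0010, 1.2, 0.004, -0.020),
    "VendorB": (0.0005, 0.8, 0.006, -0.010),
}


def build_sample():
    """Firm returns = alpha + beta * market + noise in the estimation window and
    alpha + beta * market + shock on the event day. The alternating noise on
    paired market days has zero mean and zero covariance with the market, so the
    market model recovers alpha and beta exactly and the residuals equal the noise."""
    firm_est, firm_evt = {}, {}
    for name, (a, b, e, shock) in FIRMS.items():
        noise = [e if d % 2 == 0 else -e for d in range(len(MKT_EST))]
        firm_est[name] = [a + b * m + n for m, n in zip(MKT_EST, noise)]
        firm_evt[name] = [a + b * m + shock for m in MKT_EVT]
    return firm_est, firm_evt


def ols_alpha_beta(x, y):
    """Simple OLS of y on x; returns (alpha, beta)."""
    xbar, ybar = mean(x), mean(y)
    sxx = sum((xi - xbar) ** 2 for xi in x)
    sxy = sum((xi - xbar) * (yi - ybar) for xi, yi in zip(x, y))
    beta = sxy / sxx
    return ybar - beta * xbar, beta


def abnormal_returns(firm_est, mkt_est, firm_evt, mkt_evt, method="market"):
    """Abnormal return = actual return - predicted (normal) return, for one firm.
      market          : alpha + beta * R_market, fitted over the estimation window
      market_adjusted : R_market itself (alpha = 0, beta = 1)
      mean_adjusted   : the firm's own mean return over the estimation window
    Returns (estimation-window ARs, event-window ARs)."""
    if method == "market":
        alpha, beta = ols_alpha_beta(mkt_est, firm_est)
        predict = lambda r_m: alpha + beta * r_m
    elif method == "market_adjusted":
        predict = lambda r_m: r_m
    elif method == "mean_adjusted":
        mu = mean(firm_est)
        predict = lambda r_m: mu
    else:
        raise ValueError(f"unknown method {method!r}")
    ar_est = [r - predict(m) for r, m in zip(firm_est, mkt_est)]
    ar_evt = [r - predict(m) for r, m in zip(firm_evt, mkt_evt)]
    return ar_est, ar_evt


def brown_warner_test(ar_est_by_firm, ar_evt_by_firm):
    """Brown & Warner (1985) crude dependence adjustment: average the ARs across
    firms day by day (a portfolio AR), then divide the event-day portfolio AR by
    S_A, the standard deviation of the portfolio AR over the estimation window.
    Because S_A is measured on the cross-sectional average, event-day clustering
    and cross-sectional dependence are already reflected in it."""
    n_est, n_evt = len(ar_est_by_firm[0]), len(ar_evt_by_firm[0])
    port_est = [mean(f[d] for f in ar_est_by_firm) for d in range(n_est)]
    port_evt = [mean(f[d] for f in ar_evt_by_firm) for d in range(n_evt)]
    s_a = stdev(port_est)
    return port_evt, s_a, [ar / s_a for ar in port_evt]


def run_event_study(method="market"):
    firm_est, firm_evt = build_sample()
    ar_est, ar_evt = [], []
    for name in FIRMS:
        est, evt = abnormal_returns(firm_est[name], MKT_EST, firm_evt[name], MKT_EVT, method)
        ar_est.append(est)
        ar_evt.append(evt)
    port_evt, s_a, t_stats = brown_warner_test(ar_est, ar_evt)
    day0 = [evt[0] for evt in ar_evt]
    return {
        "per_firm_AR": dict(zip(FIRMS, day0)),
        "mean_AR": port_evt[0],
        "S_A": s_a,
        "t_stat": t_stats[0],
        # "percent less than zero": the input to the sign test on the Results slide
        "pct_negative": sum(1 for ar in day0 if ar < 0) / len(day0),
    }


if __name__ == "__main__":
    for m in ("market", "market_adjusted", "mean_adjusted"):
        r = run_event_study(m)
        print(f"{m:16s} mean AR={r['mean_AR']:+.4f}  S_A={r['S_A']:.4f}  t={r['t_stat']:+.2f}")
```

With the constructed shocks of -2% and -1% the market-model event-day ARs are exactly those shocks, the portfolio AR is -1.5%, and the t-statistic is about -2.8; the other two methods give different ARs for the same returns because they attribute part of the market's own move on day t to the firm.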
Effect of Vulnerability Characteristics
  • Fixed Effects Regression
    • To account for firm-specific heterogeneity
    • A firm-specific dummy variable for each firm i
    • X_it – vulnerability characteristics (firm i, announcement t)
Independent Variables
  • All independent variables are binary (0 or 1)
  • SEVR: 1 if the vulnerability has been classified as severe
  • PATCH: 1 if a patch is available at the time of the vulnerability disclosure
  • DISC: 1 if the vulnerability was discovered by the vendor itself
  • EXPLOIT: 1 if an exploit is publicly available at the time of the vulnerability announcement; otherwise 0
  • CERT: 1 if the vulnerability was first reported by CERT
  • PRESS: 1 if the vulnerability was first reported in the popular press
  • DOS: 1 if the vulnerability can potentially lead to a denial-of-service attack
  • EXECUTE_CODE: 1 if the vulnerability can potentially lead to a hacker executing malicious code
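A firm fixed-effects regression of event-day abnormal returns on binary vulnerability characteristics, as an added example of the second-stage estimation described on the two slides above (not the paper's estimation code). The panel is constructed with known firm effects and known coefficients, chosen only to resemble the sign pattern reported later on the Interpretation slides (SEVR negative, PATCH and DOS positive), and with no noise, so the estimator's output can be checked against the values it was built from; the vendor names and the choice of three regressors are illustrative, and the OLS step is a small Gauss-Jordan solver rather than a statistics library. The within transformation it uses (subtracting each firm's own means) is algebraically equivalent to including one dummy variable per firm.

```python
from statistics import mean

# Constructed panel (not the paper's data): one row per announcement for one
# hypothetical vendor, day-0 abnormal return in percent, three binary regressors.
FIRM_EFFECTS = {"VendorA": -0.40, "VendorB": -0.60, "VendorC": -0.20}  # alpha_i, percent
TRUE_COEFS = {"SEVR": -0.60, "PATCH": 0.83, "DOS": 0.76}              # illustrative, percent
DESIGN = {  # (SEVR, PATCH, DOS) for each of four announcements per vendor
    "VendorA": [(1, 1, 0), (0, 1, 1), (1, 0, 1), (0, 0, 0)],
    "VendorB": [(1, 0, 0), (0, 1, 0), (0, 0, 1), (1, 1, 1)],
    "VendorC": [(1, 1, 1), (1, 0, 0), (0, 1, 1), (0, 0, 0)],
}


def build_panel():
    """AR_it = alpha_i + beta . X_it, noise-free so the estimate can be checked exactly."""
    panel = []
    for firm, rows in DESIGN.items():
        for sevr, patch, dos in rows:
            x = {"SEVR": sevr, "PATCH": patch, "DOS": dos}
            ar = FIRM_EFFECTS[firm] + sum(TRUE_COEFS[k] * x[k] for k in x)
            panel.append({"firm": firm, "AR": ar, **x})
    return panel


def solve_linear(A, b):
    """Gauss-Jordan elimination with partial pivoting for the square system A x = b."""
    n = len(A)
    M = [list(row) + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[pivot][col]) < 1e-12:
            raise ValueError("singular design matrix: collinear regressors")
        M[col], M[pivot] = M[pivot], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0.0:
                f = M[r][col]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]


def ols(X, y):
    """Ordinary least squares via the normal equations (X'X) b = X'y."""
    k = len(X[0])
    xtx = [[sum(row[i] * row[j] for row in X) for j in range(k)] for i in range(k)]
    xty = [sum(row[i] * yi for row, yi in zip(X, y)) for i in range(k)]
    return solve_linear(xtx, xty)


def fixed_effects(panel, firm_key, y_key, x_keys):
    """Within estimator: demean y and X inside each firm, run OLS on the demeaned
    data, then back out each firm's effect as ybar_i - xbar_i . beta.
    Returns ({regressor: coefficient}, {firm: effect})."""
    groups = {}
    for row in panel:
        groups.setdefault(row[firm_key], []).append(row)
    X, y, stats = [], [], {}
    for firm, rows in groups.items():
        ybar = mean(r[y_key] for r in rows)
        xbar = [mean(r[k] for r in rows) for k in x_keys]
        stats[firm] = (ybar, xbar)
        for r in rows:
            y.append(r[y_key] - ybar)
            X.append([r[k] - xb for k, xb in zip(x_keys, xbar)])
    beta = ols(X, y)
    effects = {firm: ybar - sum(b * xb for b, xb in zip(beta, xbar))
               for firm, (ybar, xbar) in stats.items()}
    return dict(zip(x_keys, beta)), effects


def run_regression():
    return fixed_effects(build_panel(), "firm", "AR", ["SEVR", "PATCH", "DOS"])


if __name__ == "__main__":
    coefs, effects = run_regression()
    print("coefficients:", {k: round(v, 4) for k, v in coefs.items()})
    print("firm effects:", {k: round(v, 4) for k, v in effects.items()})
```

The solver raises on a singular X'X, which is what happens in practice when a characteristic never varies within any firm (it is then absorbed by the firm dummies); on real data one would also add standard errors, which this noise-free check deliberately omits.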
Results
  • Median Abnormal Return
    • Wilcoxon Signed Rank Test
  • Percent Less than Zero
    • Sign Test
    • Non-parametric tests
Robustness Check
  • Outlier Effect:
    • Remove the top 10 and bottom 10 percentiles
    • Abnormal Returns (-0.53 against -0.63)
      • Significant at the 5% level
  • Market Momentum Effects
    • Day -10 to day -1 CAR and day 0 CAR (correlation: -0.05, p-value 0.5)
    • Day -1 CAR and day 0 CAR (correlation: 0.03, p-value 0.67)
Results
  • Abnormal Returns Negative and Significant
    • Mean in the range 0.5 – 0.67%
  • Confirms loss in market value for software vendors
  • Median and percent-less-than-zero statistics also negative and significant
  • Market Capitalization
    • Average change: $0.86bn per vulnerability
Interpretation
  • Coefficient on non-availability of patch significant and positive
    • Software vendors lose 0.83% more in market value.
    • Intuitive: possible loss in consumer goodwill and future cash flows
    • Incentive for vendors to push for limited disclosure
Interpretation
  • Coefficient on DoS significant and positive
    • Software vendors lose 0.76% less in market value
    • Campbell et al (2003)
    • Implications for quality investments
Interpretation
  • Coefficient on SEVR significant and negative
    • Software vendors lose 0.6% more in market value.
    • Davidson & Worrell (1992)
Interpretation
  • Coefficient on Source of Discovery not significant
    • Markets do not penalize firms for failing to find flaws in their own products.
Conclusions
  • Significant Loss to Software Vendors
  • Loss is Greater for
    • No Patch
    • Confidentiality Related
    • More Severe
  • Limited Disclosure may lead to sub-optimal investments
    • Impact on consumer welfare?