
Effect of Vulnerability Disclosures on Market Value of Software Vendors – An Empirical Analysis



Presentation Transcript


  1. Effect of Vulnerability Disclosures on Market Value of Software Vendors – An Empirical Analysis
     Sunil Wattal, Rahul Telang, Carnegie Mellon University, WEIS 2005

  2. Introduction
     • Definition
     • Vendor Incentives
     • Pressure for early release
     • ‘5000 year error’ – Adams 1980
     • Quality vs. Security

  3. Motivation
     • Increased media attention (security breaches)
     • Successful exploitation of software vulnerabilities
       • Melissa – $1.9 bn damages
       • Code Red – $2.1 bn damages
     • Anecdotal evidence – Internet Explorer
       • Losing market share
       • 8m people downloaded Mozilla in 2–3 months
     • Strategic vulnerability disclosures
       • Checkpoint: rivals disclosed vulnerabilities ahead of investor conference
       • Microsoft: $200mn campaign for .NET marred by vulnerability disclosures

  4. Impact on Vendors
     • Product defects in other industries
       • Vendors lose market value
       • Jarrell & Peltzman (1985)
       • Davidson & Worrell (1992)
     • Characteristics of the software industry
       • EULA / click-wrap agreements
       • Frequent vulnerability announcements
       • Popularity of products

  5. Literature Review
     • Information security
       • Information sharing & investments: Gordon et al (2002), Gal-Or & Ghose (2003), Gordon & Loeb (2002)
       • Vulnerability disclosure: Arora, Telang and Xu (2004), Kannan and Telang (2004)

  6. Software Vulnerability, Flaw or Bug – who bears the cost?
     • Firms (clients) – prior work: Cavusoglu et al (2002), Campbell et al (2003), Hovav & D’Arcy (2003)
       • Can get hacked
       • Downtime / disruptions
       • Sensitive information compromised
     • Software vendors – our research
       • Develop patch
       • Increased product cost

  7. Research Questions
     • How does the market value of a software vendor change if a vulnerability is reported for its product?
     • How is this change in market value linked to the characteristics of the vulnerability?

  8. Data
     • Popular press
       • Newspapers: WSJ, NY Times, Washington Post, LA Times (source: ProQuest Newspapers)
       • Newswires: Business Wire, PR Newswire (source: LexisNexis database)
     • Industry sources
       • CERT
       • News.com: owned by CNET, ZDNET; round-the-clock technology news

  9. Data
     • Search terms
       • Vulnerability & disclosure
       • Software & vulnerability
       • Vulnerability & patch
       • Software & flaw
       • Security & flaw
       • Software & breach

  10. Data
     • Exclusions
       • Non-daily publications, e.g. Computerworld
       • Duplications: earliest date kept
       • Confounding events – mergers, stock splits
       • Vulnerability due to protocol flaw
       • Non-publicly traded firms
       • Non-security related flaws

  11. Examples of Vulnerability Announcements
     • News.com (04/25/2000): “A computer security firm has discovered a serious vulnerability in Red Hat’s newest version of Linux that could let attackers destroy or deface a Web site - ……..”
     • WSJ (02/11/2004): “Microsoft Corp. warned customers about serious security problems with its Windows software that let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information……..- or possibly even take over the machine itself”

  12. Classification of Vulnerabilities
     • Patch vs. no patch
     • Severe vs. non-severe
     • Confidential vs. non-confidential
     • Publicly circulating ‘exploit’
     • Vendor discovered vs. third party discovered

  13. Hypothesis
     • H1: A software vendor suffers a loss in market value when a security related vulnerability is announced in its products.
       • Banker and Slaughter (1998)
       • Jarrell and Peltzman (1985)
       • Davidson and Worrell (1992)

  14. Impact on Market Value – hypothesized effect of each vulnerability characteristic
     • Severity: -ve
     • Patch non-availability: -ve
     • Confidentiality related: -ve
     • Source of discovery: -ve
     • ‘Exploit availability’: -ve
     • Supporting literature: Davidson & Worrell (1992), Campbell et al (2003), Hovav and D’Arcy (2003)

  15. Descriptive Statistics

  16. Event Study
     • Steps
       • Abnormal returns = actual returns – predicted returns
       • Event window – the actual announcement
       • Estimation window – used to predict returns
     • Timeline: estimation window from t-160 up to the event day t, then the event window from t to t+n

  17. Abnormal Returns
     • Market method
     • Market adjusted method
     • Mean adjusted method

  18. Statistical Test
     • Abnormal return
     • Statistical test
       • SA is the S.D. of abnormal returns in the estimation period
       • Null hypothesis: abnormal returns are not significantly different from zero.
     • Advantage of this test (Brown & Warner 1985): allows for event-day clustering and cross-sectional dependence
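As an added illustration of the event-study steps on slides 16 to 18 (not part of the original presentation or the paper), the following Python fits the market method on a 160-day estimation window, computes abnormal returns as actual minus predicted, and forms a Brown & Warner-style test statistic by dividing the day-0 portfolio abnormal return by SA, the standard deviation of the daily portfolio abnormal return in the estimation period. All returns are constructed, not the paper's data.

```python
import random
from statistics import mean, stdev

EST_DAYS = 160  # estimation window t-160 .. t-1; index EST_DAYS is event day t (slide 16)


def fit_market_model(firm, mkt):
    """OLS of firm returns on market returns: R_i = alpha + beta * R_m (market method)."""
    mx, my = mean(mkt), mean(firm)
    sxx = sum((x - mx) ** 2 for x in mkt)
    beta = sum((x - mx) * (y - my) for x, y in zip(mkt, firm)) / sxx
    return my - beta * mx, beta


def abnormal_returns(firm, mkt):
    """Abnormal return = actual - predicted, with alpha/beta fitted on the
    estimation window only and then applied to every day in the series."""
    alpha, beta = fit_market_model(firm[:EST_DAYS], mkt[:EST_DAYS])
    return [r - (alpha + beta * m) for r, m in zip(firm, mkt)]


def brown_warner_test(events):
    """events: list of (firm_returns, market_returns), each EST_DAYS + 1 long and
    aligned in event time. Returns (mean day-0 abnormal return, t statistic).
    The t statistic divides the day-0 portfolio AR by S_A, the standard deviation
    of the daily portfolio AR in the estimation period; averaging across events
    first is what absorbs event-day clustering and cross-sectional dependence."""
    ars = [abnormal_returns(f, m) for f, m in events]
    port = [mean(a[t] for a in ars) for t in range(EST_DAYS + 1)]
    s_a = stdev(port[:EST_DAYS])
    return port[EST_DAYS], port[EST_DAYS] / s_a


def constructed_sample(n_events=60, shock=-0.006, seed=5):
    """Constructed returns (hypothetical, not the paper's data): each firm tracks
    the market with its own beta plus noise, and every firm falls by `shock`
    relative to its predicted return on the announcement day."""
    rng = random.Random(seed)
    events = []
    for _ in range(n_events):
        beta = rng.uniform(0.8, 1.5)
        mkt = [rng.gauss(0.0003, 0.01) for _ in range(EST_DAYS + 1)]
        firm = [0.0002 + beta * m + rng.gauss(0.0, 0.01) for m in mkt]
        firm[EST_DAYS] += shock
        events.append((firm, mkt))
    return events


if __name__ == "__main__":
    ar0, t_stat = brown_warner_test(constructed_sample())
    print(f"mean day-0 abnormal return: {ar0:.3%}, t = {t_stat:.2f}")
```

The built-in shock of -0.6% matches the size of the mean abnormal return reported later in the deck, so the printed t statistic shows how clearly a loss of that magnitude is detectable once the cross-sectional average removes firm-level noise.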

  19. Effect of Vulnerability Characteristics
     • Fixed effects regression, to account for firm-specific heterogeneity
       • i – firm-specific dummy variable
       • Xit – vulnerability characteristics

  20. Independent Variables
     • Binary independent variables (0 or 1)
       • SEVR: whether the vulnerability has been classified as severe
       • PATCH: whether a patch is available at the time of the vulnerability disclosure
       • DISC: whether the vulnerability was discovered by the vendor itself
       • EXPLOIT: if an exploit is publicly available at the time of the vulnerability announcement, then EXPLOIT = 1; otherwise it is zero
       • CERT: if the vulnerability was first reported in CERT
       • PRESS: if the vulnerability was first reported in the popular press
       • DOS: if the vulnerability can potentially lead to a denial of service type attack
       • EXECUTE_CODE: if the vulnerability can potentially lead to a hacker executing malicious code, then EXECUTE_CODE = 1

  21. Results
     • Median abnormal return – Wilcoxon signed rank test
     • Percent less than zero – sign test
     • Non-parametric tests

  22. Robustness Check
     • Outlier effect
       • Remove top 10 and bottom 10 percentile
       • Abnormal returns (-0.53 against -0.63)
       • Significant at 5% level
     • Market momentum effects
       • Day -10 to day -1 CAR and day 0 CAR (correlation: -0.05, p-value 0.5)
       • Day -1 CAR and day 0 CAR (correlation: 0.03, p-value 0.67)

  23. Results
     • Abnormal returns negative and significant
       • Mean range (0.5 – 0.67%)
       • Confirms loss in market value for software vendors
     • Median and percent-below-zero values also negative and significant
     • Market capitalization: average change – $0.86bn per vulnerability

  24. Different Event Windows

  25. Fixed Effects Regression
     • R² = 17.3%
     • F-value = 2.77 – significant at the 1% level

  26. Interpretation
     • Coefficient on non-availability of patch significant and positive
       • Software vendors lose 0.83% more in market value.
       • Intuitive: possible loss in consumer goodwill and future cash flows
       • Incentive for vendors to push for limited disclosure

  27. Interpretation
     • Coefficient on DoS significant and positive
       • Software vendors lose 0.76% less in market value
       • Campbell et al (2003)
       • Implications for quality investments

  28. Interpretation
     • Coefficient on SEVR significant and negative
       • Software vendors lose 0.6% more in market value.
       • Davidson & Worrell (1992)

  29. Interpretation
     • Coefficient on source of discovery not significant
       • Markets do not penalize firms for failing to find flaws in their own products.

  30. Other Event Study Results

  31. Conclusions
     • Significant loss to software vendors
     • Loss is greater for
       • No patch
       • Confidentiality related
       • More severe
     • Limited disclosure may lead to sub-optimal investments
     • Impact on consumer welfare??

  32. Questions!!!
