Effect of Vulnerability Disclosures on Market Value of Software Vendors – An Empirical Analysis. Sunil Wattal, Rahul Telang, Carnegie Mellon University, WEIS.


1 Effect of Vulnerability Disclosures on Market Value of Software Vendors – An Empirical Analysis
Sunil Wattal, Rahul Telang
Carnegie Mellon University
WEIS 2005

2 Introduction
- Definition
- Vendor incentives
  - Pressure for early release
  - '5000 year error' – Adams 1980
- Quality vs. security

3 Motivation
- Increased media attention (security breaches)
  - Successful exploitation of software vulnerabilities: Melissa - $1.9 bn damages; Code Red - $2.1 bn damages
- Anecdotal evidence - Internet Explorer
  - Losing market share
  - 8m people downloaded Mozilla in 2-3 months
- Strategic vulnerability disclosures
  - Checkpoint rivals disclosed vulnerabilities ahead of investor conference
  - Microsoft's $200mn campaign for .NET marred by vulnerability disclosures

4 Impact on Vendors
- Product defects in other industries: vendors lose market value
  - Jarrell & Peltzman (1985)
  - Davidson & Worrell (1992)
- Characteristics of the software industry
  - EULA / click-wrap agreements
  - Frequent vulnerability announcements
  - Popularity of products

5 Literature Review
- Information security
  - Information sharing & investments: Gordon et al (2002), Gal-Or & Ghose (2003), Gordon & Loeb (2002)
  - Vulnerability disclosure: Arora, Telang and Xu (2004), Kannan and Telang (2004)

6 Software Vulnerability, Flaw or Bug (diagram)
A vulnerability, flaw or bug affects two parties:
- Firms (clients): can get hacked; downtime / disruptions; sensitive information compromised. Studied by Cavusoglu et al (2002), Campbell et al (2003), Hovav & D'Arcy (2003).
- Software vendors: develop patch; increased product cost. Our research.

7 Research Questions
- How does the market value of a software vendor change if a vulnerability is reported for its product?
- How is this change in market value linked to the characteristics of the vulnerability?

8 Data
- Popular press
  - Newspapers: WSJ, NY Times, Washington Post, LA Times (source: Proquest Newspapers)
  - Newswires: Business Wire, PR Newswire (source: Lexis Nexis database)
- Industry sources
  - CERT
  - News.com: owned by CNET, ZDNET; round-the-clock technology news

9 Data
Search terms:
- Vulnerability & disclosure
- Software & vulnerability
- Vulnerability & patch
- Software & flaw
- Security & flaw
- Software & breach

10 Data
Exclusions:
- Non-daily publications, e.g. Computerworld
- Duplications: earliest date kept
- Confounding events - mergers, stock splits
- Vulnerability due to protocol flaw
- Non-publicly traded firms
- Non-security related flaws

11 Examples of Vulnerability Announcements
News.com (04/25/2000): "A computer security firm has discovered a serious vulnerability in Red Hat's newest version of Linux that could let attackers destroy or deface a Web site - ……"
WSJ (02/11/2004): "Microsoft Corp. warned customers about serious security problems with its Windows software that let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information…… - or possibly even take over the machine itself"

12 Classification of Vulnerabilities
- Patch vs. no-patch
- Severe vs. non-severe
- Confidential vs. non-confidential
- Publicly circulating 'exploit'
- Vendor discovered vs. third-party discovered

13 Hypothesis
H1: A software vendor suffers a loss in market value when a security-related vulnerability is announced in its products.
- Banker and Slaughter (1998)
- Jarrell and Peltzman (1985)
- Davidson and Worrell (1992)

14 Impact on Market Value
Vulnerability characteristics expected to affect market value (-ve):
- Severity
- Patch non-availability
- Confidentiality related
- Source of discovery
- 'Exploit availability'
References: Campbell et al (2003), Hovav and D'Arcy (2003), Davidson & Worrell (1992)

15 Descriptive Statistics
Time frame: Jan 1999 - May 2004
Number of firms: 18
Number of announcements: 148
% of vulnerabilities in popular press: 35
% of vulnerabilities without patch: 24
% of vulnerabilities discovered by vendor: 36
% of vulnerabilities - confidentiality related breach: 39
% of vulnerabilities with publicly available 'exploit': 22

16 Event Study Steps
- Abnormal returns = actual returns - predicted returns
- Event window - actual announcement
- Estimation window
Timeline (t = announcement day): estimation window from t-160 to t, event window from t to t+n.

17 Abnormal Returns
- Market model method
- Market adjusted method
- Mean adjusted method

18 Statistical Test
- Test statistic on the abnormal return, where S_A is the S.D. of abnormal returns in the estimation period
- Null hypothesis: abnormal returns are not significantly different from zero
- Advantage of this test (Brown & Warner 1985): allows for event-day clustering and cross-sectional dependence
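The event-study steps on the slides above, as an added worked example (not code from the paper or its authors). It assumes the standard textbook definitions, since the slides' formula images did not survive extraction: market-model AR_t = R_t - (alpha + beta * R_mt) with alpha and beta fitted by OLS over the estimation window; market-adjusted AR_t = R_t - R_mt; mean-adjusted AR_t = R_t minus the stock's mean return over the estimation window; and the Brown & Warner (1985) statistic as the average day-0 abnormal return divided by S_A, the standard deviation of that cross-sectional average over the estimation period (the portfolio form that accounts for event-day clustering). The `car` helper computes cumulative abnormal returns for the multi-day windows reported later in the results. All return series are constructed for the example and every function name is this example's own.

```python
"""Event-study calculation: abnormal returns under the three benchmark methods,
cumulative abnormal returns (CAR) over an event window, and the Brown & Warner
(1985) day-0 test statistic AR / S_A. All data below are constructed."""
from statistics import mean, stdev
from typing import Callable, Dict, List, Sequence, Tuple

# --- constructed sample data (not from the paper) ---------------------------
# Estimation window: daily market and stock returns before the announcement.
# The stock series is built as 0.001 + 1.5 * market + noise, with the noise
# orthogonal to the market, so the market-model OLS recovers alpha = 0.001 and
# beta = 1.5 exactly and the residuals are +/-0.01.
EST_MARKET: List[float] = [0.02, 0.02, -0.03, -0.03, 0.01, 0.01]
EST_STOCK: List[float] = [0.041, 0.021, -0.034, -0.054, 0.026, 0.006]
# Event window: index 0 is the announcement day t, index 1 is t+1.
EVT_MARKET: List[float] = [0.01, 0.005]
EVT_STOCK: List[float] = [-0.004, 0.002]
SAMPLE_EVENT: Dict[str, List[float]] = {
    "est_stock": EST_STOCK, "est_market": EST_MARKET,
    "evt_stock": EVT_STOCK, "evt_market": EVT_MARKET,
}


def ols_market_model(stock: Sequence[float], market: Sequence[float]) -> Tuple[float, float]:
    """Fit R_stock = alpha + beta * R_market by ordinary least squares; returns (alpha, beta)."""
    m_s, m_m = mean(stock), mean(market)
    sxy = sum((m - m_m) * (s - m_s) for s, m in zip(stock, market))
    sxx = sum((m - m_m) ** 2 for m in market)
    beta = sxy / sxx
    return m_s - beta * m_m, beta


def abnormal_returns(method: str, est_stock: Sequence[float], est_market: Sequence[float],
                     evt_stock: Sequence[float], evt_market: Sequence[float]) -> Tuple[List[float], List[float]]:
    """Abnormal return = actual return - return predicted by the chosen benchmark.
    Returns (ARs over the estimation window, ARs over the event window)."""
    if method == "market_model":        # predicted = alpha + beta * market return
        alpha, beta = ols_market_model(est_stock, est_market)
        predicted: Callable[[float], float] = lambda m: alpha + beta * m
    elif method == "market_adjusted":   # predicted = market return (alpha = 0, beta = 1)
        predicted = lambda m: m
    elif method == "mean_adjusted":     # predicted = stock's own estimation-window mean
        mu = mean(est_stock)
        predicted = lambda m: mu
    else:
        raise ValueError(f"unknown method {method!r}")
    est_ar = [s - predicted(m) for s, m in zip(est_stock, est_market)]
    evt_ar = [s - predicted(m) for s, m in zip(evt_stock, evt_market)]
    return est_ar, evt_ar


def car(evt_ar: Sequence[float], first_day: int, last_day: int) -> float:
    """Cumulative abnormal return over event days first_day..last_day (day 0 = announcement)."""
    return sum(evt_ar[first_day:last_day + 1])


def brown_warner_test(method: str, events: Sequence[Dict[str, List[float]]]) -> Tuple[float, float, float]:
    """Day-0 test with the crude dependence adjustment of Brown & Warner (1985).
    The N events are averaged into one portfolio AR per day; S_A is the S.D. of
    that average over the estimation period, so clustered event days and
    cross-sectional dependence are already reflected in S_A.
    Returns (average day-0 AR, S_A, t = average day-0 AR / S_A)."""
    est_series: List[List[float]] = []
    day0: List[float] = []
    for ev in events:
        est_ar, evt_ar = abnormal_returns(method, ev["est_stock"], ev["est_market"],
                                          ev["evt_stock"], ev["evt_market"])
        est_series.append(est_ar)
        day0.append(evt_ar[0])
    n_days = len(est_series[0])
    portfolio = [mean(series[d] for series in est_series) for d in range(n_days)]
    s_a = stdev(portfolio)
    aar0 = mean(day0)
    return aar0, s_a, aar0 / s_a


if __name__ == "__main__":
    for method in ("market_model", "market_adjusted", "mean_adjusted"):
        _, evt_ar = abnormal_returns(method, **SAMPLE_EVENT)
        aar0, s_a, t = brown_warner_test(method, [SAMPLE_EVENT])
        print(f"{method:16s} AR(0)={evt_ar[0]:+.4f}  CAR(0..1)={car(evt_ar, 0, 1):+.4f}  "
              f"S_A={s_a:.4f}  t={t:+.2f}")
```

With the constructed series the three benchmarks give different day-0 abnormal returns (-0.020, -0.014 and -0.005) from the same raw return, which is why the results slides report all three side by side; a conclusion that survives all three benchmarks is more robust than one that depends on the choice of predicted return.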

19 Effect of Vulnerability Characteristics
- Fixed effects regression, to account for firm-specific heterogeneity
  - Firm-specific dummy variable (one per firm i)
  - X_it: vulnerability characteristics

20 Independent Variables
Binary independent variables (0 or 1):
- SEVR: whether the vulnerability has been classified as severe
- PATCH: whether a patch is available at the time of the vulnerability disclosure
- DISC: whether the vulnerability was discovered by the vendor itself
- EXPLOIT: if an exploit is publicly available at the time of the vulnerability announcement, then EXPLOIT = 1; otherwise it is zero
- CERT: if the vulnerability was first reported in CERT
- PRESS: if the vulnerability was first reported in the popular press
- DOS: if the vulnerability can potentially lead to a denial-of-service type attack
- EXECUTE_CODE: if the vulnerability can potentially lead to a hacker executing malicious code, then EXECUTE_CODE = 1
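The fixed-effects regression of slides 19 and 20, as an added illustration that is not the authors' code. It relies on the textbook equivalence between including one dummy per firm and the "within" estimator: subtract each firm's own mean from the dependent variable and from every regressor, run OLS on the demeaned data, and recover each firm effect as that firm's mean of y minus beta times its mean of X. The panel of three firms, the SEVR and PATCH regressors, the generating coefficients and the absence of noise are all constructed for the example, chosen so that the estimator should return the generating values exactly; the solver and function names are this example's own.

```python
"""Fixed-effects (within) regression of day-0 abnormal returns on vulnerability
characteristics, in plain Python. The panel below is constructed, not the
paper's sample."""
from typing import Dict, List, Sequence, Tuple

# --- constructed panel (not the paper's data) --------------------------------
# Each row: (firm, SEVR, PATCH). The day-0 abnormal return is generated as
# y = alpha_firm + (-0.010) * SEVR + 0.020 * PATCH with no noise, so the within
# estimator must recover these coefficients and firm effects exactly.
TRUE_ALPHA: Dict[str, float] = {"A": 0.010, "B": -0.020, "C": 0.005}
TRUE_BETA: List[float] = [-0.010, 0.020]
ROWS: List[Tuple[str, float, float]] = [
    ("A", 0, 0), ("A", 1, 0), ("A", 0, 1), ("A", 1, 1),
    ("B", 0, 0), ("B", 1, 1), ("B", 1, 0),
    ("C", 0, 1), ("C", 1, 0), ("C", 0, 0),
]
Y: List[float] = [TRUE_ALPHA[f] + TRUE_BETA[0] * s + TRUE_BETA[1] * p for f, s, p in ROWS]


def solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve the square system a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular design matrix: regressors are collinear within firms")
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [row[n] for row in m]


def ols(x: List[List[float]], y: List[float]) -> List[float]:
    """OLS coefficients without intercept: solve (X'X) b = X'y."""
    k = len(x[0])
    xtx = [[sum(r[i] * r[j] for r in x) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(x, y)) for i in range(k)]
    return solve(xtx, xty)


def fixed_effects(firms: Sequence[str], x: List[List[float]], y: List[float]) -> Tuple[List[float], Dict[str, float]]:
    """Within estimator: demean y and X by firm, run OLS, recover the firm effects.
    Returns (beta, {firm: alpha_i}); equivalent to OLS on X plus one dummy per firm."""
    k = len(x[0])
    groups: Dict[str, List[int]] = {}
    for idx, f in enumerate(firms):
        groups.setdefault(f, []).append(idx)
    # Per-firm means of y and of each regressor
    ybar = {f: sum(y[i] for i in ix) / len(ix) for f, ix in groups.items()}
    xbar = {f: [sum(x[i][j] for i in ix) / len(ix) for j in range(k)] for f, ix in groups.items()}
    # Within transformation: the firm dummy is absorbed by subtracting firm means
    x_dm = [[x[i][j] - xbar[f][j] for j in range(k)] for i, f in enumerate(firms)]
    y_dm = [y[i] - ybar[f] for i, f in enumerate(firms)]
    beta = ols(x_dm, y_dm)
    alpha = {f: ybar[f] - sum(b * xb for b, xb in zip(beta, xbar[f])) for f in groups}
    return beta, alpha


if __name__ == "__main__":
    firms = [r[0] for r in ROWS]
    x = [[float(r[1]), float(r[2])] for r in ROWS]
    beta, alpha = fixed_effects(firms, x, Y)
    print("SEVR  coefficient:", round(beta[0], 6))
    print("PATCH coefficient:", round(beta[1], 6))
    for f, a in alpha.items():
        print(f"firm {f} effect:", round(a, 6))
```

The `solve` routine refuses a singular design matrix, which is the failure mode to watch for with binary regressors in a firm-fixed-effects model: a characteristic that never varies within any firm is indistinguishable from that firm's dummy and its coefficient cannot be estimated.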

21 Results
Day 0 abnormal returns:

                                  Market model   Market adjusted model   Mean model
Mean abnormal return (in %)       -0.63 (0.01)   -0.67 (0.01)            -0.5 (0.09)
Median abnormal return (in %)     -0.44 (0.00)   -0.5 (0.00)             -0.55 (0.01)
Percent less than zero            64% (0.00)     63.5% (0.001)           58.7% (0.03)

Non-parametric tests: median abnormal return - Wilcoxon signed rank test; percent less than zero - sign test.

22 Robustness Check
- Outlier effect: remove top 10 and bottom 10 percentile
  - Abnormal returns -0.53 against -0.63; significant at 5% level
- Market momentum effects
  - Day -10 to day -1 CAR and day 0 CAR (correlation: -0.05, p-value 0.5)
  - Day -1 CAR and day 0 CAR (correlation: 0.03, p-value 0.67)

23 Results
- Abnormal returns negative and significant
  - Mean range (0.5 - 0.67%)
  - Confirms loss in market value for software vendors
- Median and percent-less-than-zero values also negative and significant
- Market capitalization: average change of $0.86bn per vulnerability

24 Different Event Windows
CAR (t-value) by event window in days; the label of the first column did not survive in the transcript:

Day             [label missing]   0              0 to 1         0 to 2         0 to 5        0 to 10
CAR (t-value)   0.25 (0.4)        -0.63 (0.01)   -0.65 (0.07)   -0.47 (0.35)   -0.25 (0.7)   -0.9 (0.36)

25 Fixed Effects Regression
R^2 = 17.3%; F-value = 2.77 - significant at the 1% level

Variable     Coefficient   P>|t|
SEVR         -0.006        0.1
PATCH        0.0083        0.04
DISC         -0.005        0.16
CERT         0.006         0.3
PRESS        -0.0053       0.27
DOS          0.0076        0.06
EXPLOIT      -0.005        0.24
Y_9900       -0.007        0.26
Pre_911      -0.011        0.05
Post_911     -0.02         0.001
Y_0203       -0.01         0.05
Constant     0.01          0.05

26 Interpretation
Coefficient on non-availability of patch significant and positive
- Software vendors lose 0.83% more in market value
- Intuitive: possible loss in consumer goodwill and future cash flows
- Incentive for vendors to push for limited disclosure

27 Interpretation
Coefficient on DoS significant and positive
- Software vendors lose 0.76% less in market value
- Campbell et al (2003)
- Implications for quality investments

28 Interpretation
Coefficient on SEVR significant and negative
- Software vendors lose 0.6% more in market value
- Davidson & Worrell (1992)

29 Interpretation
Coefficient on source of discovery not significant
- Markets do not penalize firms for failing to find flaws in their own products

30 Other Event Study Results

Classification of event study                           Authors                                              Time period           CAR
Impact of vulnerability disclosures on software vendors Telang R and S Wattal (2004)                         1999-2004             -0.63%
Impact of security breaches                             Campbell K, Gordon LA, Loeb MP and L Zhou (2003)     1995-2000             -2.0%*
                                                        Cavusoglu H, Mishra B and S Raghunathan (2002)       1998-2000             -2.1%
Impact of product recall announcements                  Jarrell G and S Peltzman (1985)                      1967-1981             -0.81% (for auto)
                                                        Davidson WL III and DL Worrell (1992)                1968-1987             -0.36% (day -1)
Impact of IT investment announcements                   Chatterjee D, Richardson VJ and RW Zmud (2001)       1987-1998             1.16%
                                                        Subramani M and E Walden (2001)                      Oct 1998 - Dec 1998   7.5%
                                                        Dos Santos BL, Peffers K and DC Mauer (1993)         1981-1988             1%
Impact of winning a quality award                       Hendricks KB and Singhal VR (1996)                   1985-1991             0.59%

31 Conclusions
- Significant loss to software vendors
- Loss is greater for
  - No patch
  - Confidentiality related
  - More severe
- Limited disclosure may lead to sub-optimal investments
  - Impact on consumer welfare??

32 Questions!!!

