Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - An Empirical Investigation: Difference between revisions

From Cybersecurity Wiki
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:

Both revisions:
==Full Title of Reference==

Line 6: Line 5:

Both revisions:
==Full Citation==

Old revision:
Rahul Telang, Sunil Wattal, ''Impact of Software Vulnerability Announcements on the Market Value of Software Vendors'' (2007), IEEE Transactions on Software Engineering, vol. 33, no. 8, pp. 544-557. [http://infosecon.net/workshop/pdf/telang_wattal.pdf ''Web'']

New revision:
Rahul Telang, Sunil Wattal, ''Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - An Empirical Investigation'', 33 IEEE Transactions on Software Engineering 8 (2007). [http://infosecon.net/workshop/pdf/telang_wattal.pdf ''Web'']

Old revision:
[http://cyber.law.harvard.edu/cybersecurity/?title=Special:Bibliography&action=viewsource&startkey=Telang_Wattal:2007&f=wikibiblio.bib ''BibTeX'']

New revision:
[http://cyber.law.harvard.edu/cybersecurity/Special:Bibliography?f=wikibiblio.bib&title=Special%3ABibliography&view=detailed&action=&keyword=Telang_Wattal%3A2007 ''BibTeX'']

Both revisions:
==Categorization==

Old revision:
Issues: [[Information Sharing/Disclosure]]

New revision:
* Issues: [[Incentives]]; [[Information Sharing/Disclosure]]; [[Metrics]]
* Approaches: [[Regulation/Liability]]

Both revisions:
==Key Words==

Old revision:
[[information security]], [[software vulnerability]], [[quality]], [[disclosure policy]]

New revision:
[[Keyword_Index_and_Glossary_of_Core_Ideas#Communications_Privacy_Law | Communications Privacy Law]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Computer_Emergency_Response_Team | Computer Emergency Response Team]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Disclosure_Policy | Disclosure Policy]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Hacker | Hacker]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Software_Vulnerability | Software Vulnerability]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Transparency | Transparency]]

Both revisions:
==Synopsis==

Line 23: Line 28:

Both revisions:
==Additional Notes and Highlights==

New revision (added):
Outline:
  1. Introduction
  2. Hypotheses
  3. Data Description & Methodology
    3.1 Vulnerability Disclosure Process
    3.2 Data
    3.3 Methodology
      The Market Model
      The Market Adjusted Model
      Results
      Market Capitalization
  4. Effect of Vulnerability Characteristics
      Ongoing Research
  5. Conclusions and Discussion
      Comparison with prior event studies
      Implications for Software Quality and Disclosure Policy

Latest revision as of 16:17, 29 June 2010

Full Title of Reference

Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - An Empirical Investigation

Full Citation

Rahul Telang, Sunil Wattal, Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - An Empirical Investigation, 33 IEEE Transactions on Software Engineering 8 (2007). Web

BibTeX

Categorization

Issues: Incentives; Information Sharing/Disclosure; Metrics
Approaches: Regulation/Liability

Key Words

Communications Privacy Law, Computer Emergency Response Team, Disclosure Policy, Hacker, Software Vulnerability, Transparency

Synopsis

Researchers in the area of information security have mainly been concerned with tools, techniques and policies that firms can use to protect themselves against security breaches. However, information security is as much about security software as it is about secure software. Software is not secure when it has defects or flaws which can be exploited by hackers to cause attacks such as unauthorized intrusion or denial of service attacks. Any public announcement about a software defect is termed ‘vulnerability disclosure’. In this paper, we use the event study methodology to examine the role that financial markets play in determining the impact of vulnerability disclosures on software vendors. We collect data from leading national newspapers and industry sources by searching for reports on published software vulnerabilities. Our main result is that vulnerability disclosures do lead to a negative and significant change in market value for a software vendor. On average, a vendor loses around 0.6% value in stock price when a vulnerability is reported. This is equivalent to a loss in market capitalization values of $0.86 billion per vulnerability announcement. To provide further insight, we use the information content of the disclosure announcement to classify vulnerabilities into various types. This is the first study to measure vendors’ incentive to develop secure software and also provides many interesting implications for software vendors as well as policy makers.

Additional Notes and Highlights

Outline:

 1. Introduction
 2. Hypotheses
 3. Data Description & Methodology
   3.1 Vulnerability Disclosure Process
   3.2 Data
   3.3 Methodology 
     The Market Model
     The Market Adjusted Model
     Results
     Market Capitalization
 4. Effect of Vulnerability Characteristics
     Ongoing Research
 5. Conclusions and Discussion
     Comparison with prior event studies
     Implications for Software Quality and Disclosure Policy