An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price

Security defects in software cost firms millions of dollars in downtime, disruptions, and confidentiality breaches. However, the economic implications of these defects for software vendors are not well understood. The lack of legal liability and the presence of switching costs and network externalities may protect software vendors from incurring significant costs in the event of a vulnerability announcement, unlike industries such as automobiles and pharmaceuticals, which are known to suffer significant losses in market value when a defect is announced. Although research in software economics has studied firms' incentives to improve overall quality, no studies have shown that software vendors have an incentive to invest in building more secure software. The objectives of this paper are twofold. 1) We examine how a software vendor's market value changes when a vulnerability is announced. 2) We examine how firm and vulnerability characteristics mediate the change in the vendor's market value. We collect data from leading national newspapers and industry sources, such as the Computer Emergency Response Team (CERT), by searching for reports on published software vulnerabilities. We show that vulnerability announcements lead to a negative and significant change in a software vendor's market value. In our sample, on average, a vendor loses around 0.6 percent of its stock price value when a vulnerability is reported. We find that a software vendor loses more market share if the market is competitive or if the vendor is small. To provide further insight, we use the information content of the disclosure announcement to classify vulnerabilities into various types. We find that the change in stock price is more negative if the vendor fails to provide a patch at the time of disclosure. Also, more severe flaws have a significantly greater impact. Our analysis provides many interesting implications for software vendors as well as policy makers.