Effect of Vulnerability Disclosures on Market Value of
Software Vendors – An Empirical Analysis
Sunil Wattal, Rahul Telang
Carnegie Mellon University
WEIS 2005
Introduction
Definition
Vendor incentives: pressure for early release; the ‘5000 year error’ (Adams 1980)
Quality vs. Security
Motivation
Increased media attention (security breaches)
Successful exploitation of software vulnerabilities: Melissa - $1.9 bn damages; Code Red - $2.1 bn damages
Anecdotal evidence - Internet Explorer losing market share; 8m people downloaded Mozilla in 2-3 months
Strategic vulnerability disclosures:
• Checkpoint - rivals disclosed vulnerabilities ahead of investor conference
• Microsoft - $200mn campaign for .NET marred by vulnerability disclosures
Impact on Vendors
Product defects in other industries: vendors lose market value (Jarrell & Peltzman 1985; Davidson & Worrell 1992)
Characteristics of the software industry: EULA / click-wrap agreements; frequent vulnerability announcements; popularity of products
Literature Review
Information security: information sharing & investments – Gordon et al (2002), Gal-Or & Ghose (2003), Gordon & Loeb (2002)
Vulnerability disclosure – Arora, Telang and Xu (2004), Kannan and Telang (2004)
[Diagram] A software vulnerability, flaw or bug affects two parties:
• Firms (clients): can get hacked; downtime / disruptions; sensitive information compromised – studied by Cavusoglu et al (2002), Campbell et al (2003), Hovav & D’Arcy (2003)
• Software vendors: develop patch; increased product cost – our research
Research Questions
How does market value of a software vendor change if a vulnerability is reported for its product?
How is this change in market value linked to the characteristics of the vulnerability?
Data
Popular press
• Newspapers: WSJ, NY Times, Washington Post, LA Times (Source: Proquest Newspapers)
• Newswires: Business Wire, PR Newswire (Source: Lexis Nexis Database)
Industry sources
• CERT
• News.com: owned by CNET, ZDNET; round-the-clock technology news
Data
Search terms: Vulnerability & disclosure; Software & vulnerability; Vulnerability & patch; Software & flaw; Security & flaw; Software & breach
Data
Exclusions:
• Non-daily publications, e.g. Computerworld
• Duplications: earliest date kept
• Confounding events – mergers, stock splits
• Vulnerability due to protocol flaw
• Non-publicly traded firms
• Non-security related flaws
Examples of Vulnerability Announcements
News.com (04/25/2000): “A computer security firm has discovered a serious vulnerability in Red Hat’s newest version of Linux that could let attackers destroy or deface a Web site - ……..”
WSJ (02/11/2004): “Microsoft Corp. warned customers about serious security problems with its Windows software that let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information……..- or possibly even take over the machine itself”
Classification of Vulnerabilities
Patch vs. No-Patch
Severe vs. Non-Severe
Confidential vs. Non-Confidential
Publicly circulating ‘exploit’ vs. none
Vendor discovered vs. third party discovered
Hypothesis
H1: A software vendor suffers a loss in market value when a security related vulnerability is announced in its products.
Banker and Slaughter (1998); Jarrell and Peltzman (1985); Davidson and Worrell (1992)
Impact on Market Value
[Diagram] Expected sign of each vulnerability characteristic on market value:
• Severity: -ve
• Patch non-availability: -ve
• Confidentiality related: -ve
• Source of discovery: -ve
• ‘Exploit availability’: -ve
• Campbell et al (2003) • Hovav and D’Arcy (2003) • Davidson & Worrell (1992)
Descriptive Statistics
Time frame: Jan 1999 to May 2004
Number of firms: 18
Number of announcements: 148
% of vulnerabilities in popular press: 35
% of vulnerabilities without patch: 24
% of vulnerabilities discovered by vendor: 36
% of vulnerabilities with confidentiality related breach: 39
% of vulnerabilities with publicly available ‘exploit’: 22
Event Study Steps
Abnormal Returns = Actual Returns – Predicted Returns
Event window – around the actual announcement (day t to day t+n)
Estimation window – day t-160 to day t, used to fit the model that predicts normal returns
Timeline: t-160 |---- Estimation Window ----| t |---- Event Window ----| t+n
Abnormal Returns
Market Method: $AR_{it} = R_{it} - (\alpha_i + \beta_i R_{mt})$
Market Adjusted Method: $AR_{it} = R_{it} - R_{mt}$
Mean Adjusted Method: $AR_{it} = R_{it} - \bar{R}_i$
(R_{it}: return of firm i on day t; R_{mt}: market return on day t; \bar{R}_i: mean return of firm i over the estimation window)
Statistical Test
Average abnormal return across the N firms on day t: $A_t = \frac{1}{N}\sum_{i=1}^{N} AR_{it}$
Test statistic: $\frac{A_t}{S_A}$, where $S_A = \sqrt{\frac{1}{T-1}\sum_{t=1}^{T}(A_t - \bar{A})^2}$ is the S.D. of the abnormal returns in the estimation period (T = number of days in the estimation period)
Null hypothesis: abnormal returns are not significantly different from zero.
Advantage of this test (Brown & Warner 1985): allows for event day clustering and cross-sectional dependence
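The two slides above (abnormal-return models and the Brown & Warner statistic) as one runnable illustration. This is added example code, not the authors' code or data: the market index and the two vendor stocks "A" and "B", the 4-day estimation window and the day-0 returns are all constructed values.

```python
from statistics import mean, stdev

# Constructed returns (not the paper's data): a 4-day estimation window for the
# market index and two hypothetical vendor stocks, then the announcement day (day 0).
MKT_EST = [0.01, 0.02, 0.03, 0.04]
FIRM_EST = {"A": [0.02, 0.03, 0.05, 0.06], "B": [0.00, 0.02, 0.02, 0.04]}
MKT_DAY0 = 0.0
FIRM_DAY0 = {"A": -0.01, "B": -0.02}

def ols(x, y):
    """Least-squares (alpha, beta) of firm return y on market return x."""
    mx, my = mean(x), mean(y)
    beta = sum((a - mx) * (b - my) for a, b in zip(x, y)) / sum((a - mx) ** 2 for a in x)
    return my - beta * mx, beta

def abnormal_return(method, r_it, r_mt, est_firm, est_mkt):
    """Abnormal return for one firm-day under the three models on the slide."""
    if method == "market":            # AR_it = R_it - (alpha_i + beta_i * R_mt)
        alpha, beta = ols(est_mkt, est_firm)
        return r_it - (alpha + beta * r_mt)
    if method == "market_adjusted":   # AR_it = R_it - R_mt
        return r_it - r_mt
    if method == "mean_adjusted":     # AR_it = R_it - mean(R_i) over the estimation window
        return r_it - mean(est_firm)
    raise ValueError(f"unknown method {method!r}")

def brown_warner(ar_event, ar_est_by_day):
    """Cross-sectional average A_t and the Brown & Warner (1985) statistic A_t / S_A.
    S_A is the S.D. of the daily averages A_t over the estimation window, so the
    test absorbs event-day clustering and cross-sectional dependence."""
    a_t = mean(ar_event)
    s_a = stdev([mean(day) for day in ar_est_by_day])
    return a_t, s_a, a_t / s_a

def run_event_study(method="market"):
    """Day-0 abnormal returns, A_0, S_A and the test statistic for the constructed data."""
    firms = sorted(FIRM_EST)
    ar_day0 = [abnormal_return(method, FIRM_DAY0[f], MKT_DAY0, FIRM_EST[f], MKT_EST)
               for f in firms]
    # Apply the same model inside the estimation window to obtain the series for S_A.
    ar_est_by_day = [[abnormal_return(method, FIRM_EST[f][d], MKT_EST[d], FIRM_EST[f], MKT_EST)
                      for f in firms] for d in range(len(MKT_EST))]
    a_0, s_a, t_stat = brown_warner(ar_day0, ar_est_by_day)
    return {"ar_day0": dict(zip(firms, ar_day0)), "A_0": a_0, "S_A": s_a, "t": t_stat}

if __name__ == "__main__":
    for m in ("market", "market_adjusted", "mean_adjusted"):
        print(m, run_event_study(m))
```

With these inputs the market model gives alpha/beta of 0.005/1.4 for "A" and -0.01/1.2 for "B", so A_0 = -1.25% and a strongly negative statistic; a real study would use the 160-day window and 148 announcements described on the slides.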
Effect of Vulnerability Characteristics: Fixed Effects Regression
To account for firm-specific heterogeneity:
$y_{it} = \alpha_i + \beta X_{it} + \epsilon_{it}$
y_{it} – abnormal return of firm i for announcement t
\alpha_i – firm-specific dummy variable
X_{it} – vulnerability characteristics
Independent Variables
Binary Independent Variables (0 or 1)
SEVR: whether the vulnerability has been classified as severe
PATCH: Whether a patch is available at the time of the vulnerability disclosure.
DISC: Whether the vulnerability was discovered by the vendor itself.
EXPLOIT: If an exploit is publicly available at the time of the vulnerability announcement, then EXPLOIT = 1; otherwise it is zero
CERT: If the vulnerability was first reported in CERT.
PRESS: If the vulnerability was first reported in popular press.
DOS: If the vulnerability can potentially lead to a denial of service type attack.
EXECUTE_CODE: If the vulnerability can potentially lead to a hacker executing malicious code, then EXECUTE_CODE = 1.
Results
Day 0 abnormal returns (p-values in parentheses)
                               Market Model    Market Adjusted Model    Mean Model
Mean Abnormal Return (in %)    -0.63 (0.01)    -0.67 (0.01)             -0.5 (0.09)
Median Abnormal Return (in %)  -0.44 (0.00)    -0.5 (0.00)              -0.55 (0.01)
Percent Less than Zero         64% (0.00)      63.5% (0.001)            58.7% (0.03)
Non-parametric tests: median abnormal return – Wilcoxon signed rank test; percent less than zero – sign test
Robustness Check
Outlier effect: remove top 10 and bottom 10 percentile abnormal returns (-0.53 against -0.63); still significant at 5% level
Market momentum effects: day -10 to day -1 CAR and day 0 CAR (correlation: -0.05, p-value 0.5); day -1 CAR and day 0 CAR (correlation: 0.03, p-value 0.67)
Results
Abnormal returns negative and significant; mean range (0.5 – 0.67%)
Confirms loss in market value for software vendors
Median and percent-less-than-zero values also negative and significant
Market capitalization: average change - $0.86bn per vulnerability
Different Event Windows
Day            -1            0             0 to 1        0 to 2        0 to 5        0 to 10
CAR (t-value)  0.25 (0.4)    -0.63 (0.01)  -0.65 (0.07)  -0.47 (0.35)  -0.25 (0.7)   -0.9 (0.36)
Fixed Effects Regression
R2 = 17.3%; F-value = 2.77 – significant at the 1% level
Variable    Coefficient    P>|t|
SEVR        -0.006         0.1
PATCH       0.0083         0.04
DISC        -0.005         0.16
CERT        0.006          0.3
PRESS       -0.0053        0.27
DOS         0.0076         0.06
EXPLOIT     -0.005         0.24
Y_9900      -0.007         0.26
Pre_911     -0.011         0.05
Post_911    -0.02          0.001
Y_0203      -0.01          0.05
Constant    0.01           0.05
Interpretation
Coefficient on non-availability of patch significant and positive: software vendors lose 0.83% more in market value. Intuitive: possible loss in consumer goodwill and future cash flows. Incentive for vendors to push for limited disclosure.
Coefficient on DoS significant and positive: software vendors lose 0.76% less in market value (Campbell et al 2003). Implications for quality investments.
Coefficient on SEVR significant and negative: software vendors lose 0.6% more in market value (Davidson & Worrell 1992).
Coefficient on source of discovery not significant: markets do not penalize firms for failing to find flaws in own products.
Other Event Study Results
Classification of Event Study                              Authors                                                  Time Period            CAR
Impact of vulnerability disclosures on software vendors    Telang R and S Wattal (2004)                             1999-2004              -0.63%
Impact of security breaches                                Campbell K, Gordon LA, Loeb MP and L Zhou (2003)          1995-2000              -2.0%*
                                                           Cavusoglu H, Mishra B and S Raghunathan (2002)            1998-2000              -2.1%
Impact of product recall announcements                     Jarrell G and S Peltzman (1985)                           1967-1981              -0.81% (for auto)
                                                           Davidson WL III and DL Worrell (1992)                     1968-1987              -0.36% (day -1)
Impact of IT investment announcements                      Chatterjee D, Richardson VJ and RW Zmud (2001)            1987-1998              1.16%
                                                           Subramani M and E Walden (2001)                           Oct 1998 - Dec 1998    7.5%
                                                           Dos Santos BL, Peffers K and DC Mauer (1993)              1981-1988              1%
Impact of winning a quality award                          Hendricks KB and Singhal VR (1996)                        1985-1991              0.59%
Conclusions
Significant loss to software vendors
Loss is greater for: no patch; confidentiality related; more severe vulnerabilities
Limited disclosure may lead to sub-optimal investments
Impact on consumer welfare??
Questions!!!