Reading: An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price
From Software Business Community
An empirical study assessing the impact of announced software vulnerabilities on the vendor's stock price. The study's main result is "that vulnerability disclosures do lead to a negative and significant change in market value for a software vendor. On average, a vendor loses around 0.6% value in stock price when a vulnerability is reported. This is equivalent to a loss in market capitalization values of $0.86 billion per vulnerability announcement."
Authors
- Telang, Rahul
- Wattal, Sunil
Summary
From the Abstract:
"Information security is as much about security software as it is about secure software. Software is not secure when it has defects or flaws which can be exploited by hackers to cause attacks such as unauthorized intrusion or denial of service attacks. Any public announcement about a software defect is termed as ‘vulnerability disclosure’.
In this paper, we use the event study methodology to examine the role that financial markets play in determining the impact of vulnerability disclosures on software vendors. We collect data from leading national newspapers and industry sources by searching for reports on published software vulnerabilities. Our main result is that vulnerability disclosures do lead to a negative and significant change in market value for a software vendor. On average, a vendor loses around 0.6% value in stock price when a vulnerability is reported. This is equivalent to a loss in market capitalization values of $0.86 billion per vulnerability announcement. To provide further insight, we use the information content of the disclosure announcement to classify vulnerabilities into various types. This is the first study to measure vendors’ incentive to develop secure software and also provides many interesting implications for software vendors as well as policy makers."
Why is it recommended?
As discussed in another article, Reading:_Electronic_Commerce:_Who_Carries_the_Risk_of_Fraud, customers may carry most of the direct risk of bugs or security holes in software products; when it comes to the total financial impact, however, the software vendor suffers the biggest loss. This paper provides empirical evidence of how the stock market reacts to announced software vulnerabilities of different kinds and in different companies. It is recommended for software business managers, strategists and risk managers as a guide for their own risk planning activities.
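The event-study method the abstract refers to, as an added illustration that is not part of the paper or of this page: a market model (stock return = alpha + beta × market return) is fitted on an estimation window before the disclosure, the abnormal return on each event-window day is the actual return minus the fitted value, summing over the window gives the cumulative abnormal return (CAR), and averaging CARs across disclosures gives the headline figure. The daily returns below are constructed, with the numbers chosen so the average CAR lands near the paper's 0.6% loss.

```python
"""Event-study estimate of the abnormal stock return around a vulnerability
disclosure, using the market model. Constructed data, standard library only."""

def ols(xs, ys):
    """Closed-form OLS for y = alpha + beta * x; returns (alpha, beta)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    beta = sxy / sxx
    return my - beta * mx, beta

def abnormal_returns(stock, market, est_window, event_window):
    """Fit the market model on est_window, then return AR_t for each event day.
    stock/market map day offset (0 = disclosure day) -> daily return."""
    alpha, beta = ols([market[d] for d in est_window], [stock[d] for d in est_window])
    return {d: stock[d] - (alpha + beta * market[d]) for d in event_window}

def cumulative_abnormal_return(ars):
    """CAR over the event window: the sum of the daily abnormal returns."""
    return sum(ars.values())

def average_car(events, est_window, event_window):
    """Mean CAR across disclosure events, the statistic the paper reports."""
    cars = [cumulative_abnormal_return(abnormal_returns(s, m, est_window, event_window))
            for s, m in events]
    return sum(cars) / len(cars)

# Constructed sample: a 10-day estimation window (days -12..-3) and a
# 3-day event window around the disclosure (days -1, 0, +1).
ESTIMATION_WINDOW = list(range(-12, -2))
EVENT_WINDOW = [-1, 0, 1]
MARKET_EST = [0.010, -0.005, 0.002, 0.008, -0.012, 0.003, 0.006, -0.004, 0.001, 0.009]

def make_event(alpha, beta, event_market, event_stock):
    """Build one (stock, market) pair whose estimation-window returns follow
    alpha + beta * market exactly, so the fitted model is known in advance."""
    market = dict(zip(ESTIMATION_WINDOW, MARKET_EST))
    stock = {d: alpha + beta * r for d, r in market.items()}
    market.update(zip(EVENT_WINDOW, event_market))
    stock.update(zip(EVENT_WINDOW, event_stock))
    return stock, market

EVENTS = [  # two hypothetical vendors, each with one disclosure
    make_event(0.0005, 1.1, [0.002, 0.000, 0.003], [0.0027, -0.0080, 0.0043]),  # CAR -0.8%
    make_event(-0.0002, 0.9, [0.001, -0.002, 0.000], [0.0007, -0.0060, -0.0002]),  # CAR -0.4%
]

if __name__ == "__main__":
    print(f"average CAR: {average_car(EVENTS, ESTIMATION_WINDOW, EVENT_WINDOW):+.4f}")
```

A real study would add a test that the mean CAR differs significantly from zero (the paper's "negative and significant"), which the constructed two-event sample is too small to support.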
Publication Info
- Periodical: IEEE Transactions on Software Engineering
- Pub Year: 2007
- Volume: 33, Issue: 8, Pages: 544-557
Citation
@article{TelangWattal2007,
author = {Rahul Telang and Sunil Wattal},
year = {2007},
title = {An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price},
journal = {IEEE Transactions on Software Engineering},
volume = {33},
number = {8},
pages = {544--557},
issn = {0098-5589}
}