Page 1:

Effect of Vulnerability Disclosures on Market Value of

Software Vendors – An Empirical Analysis

Sunil Wattal, Rahul Telang

Carnegie Mellon University

WEIS 2005

Page 2:

Introduction

Definition

Vendor Incentives
• Pressure for early release
• ‘5000 year error’ – Adams 1980

Quality Vs Security

Page 3:

Motivation

Increased media attention (security breaches)

Successful exploitation of software vulnerabilities
• Melissa - $1.9 bn damages
• Code Red - $2.1 bn damages

Anecdotal evidence - Internet Explorer losing market share: 8m people downloaded Mozilla in 2-3 months

Strategic vulnerability disclosures
• Check Point: rivals disclosed vulnerabilities ahead of its investor conference
• Microsoft: $200mn campaign for .NET marred by vulnerability disclosures

Page 4:

Impact on Vendors

Product defects in other industries: vendors lose market value
• Jarrell & Peltzman (1985)
• Davidson & Worrell (1992)

Characteristics of the software industry
• EULA / click-wrap agreements
• Frequent vulnerability announcements
• Popularity of products

Page 5:

Literature Review

Information security: information sharing & investments
• Gordon et al (2002), Gal-Or & Ghose (2003), Gordon & Loeb (2002)

Vulnerability disclosure
• Arora, Telang and Xu (2004), Kannan and Telang (2004)

Page 6:

Software Vulnerability, Flaw or Bug – who bears the cost (diagram)

Firms (Clients)
• Can get hacked
• Downtime / Disruptions
• Sensitive Information Compromised
Studied by: Cavusoglu et al (2002), Campbell et al (2003), Hovav & D’Arcy (2003)

Software Vendors
• Develop Patch
• Increased Product Cost
Our Research

Page 7:

Research Questions

How does market value of a software vendor change if a vulnerability is reported for its product?

How is this change in market value linked to the characteristics of the vulnerability?

Page 8:

Data

Popular press
• Newspapers: WSJ, NY Times, Washington Post, LA Times (source: ProQuest Newspapers)
• Newswires: Business Wire, PR Newswire (source: LexisNexis database)

Industry sources
• CERT
• News.com: owned by CNET, ZDNet; round-the-clock technology news

Page 9:

Data

Search terms
• Vulnerability & disclosure
• Software & vulnerability
• Vulnerability & patch
• Software & flaw
• Security & flaw
• Software & breach

Page 10:

Data

Exclusions
• Non-daily publications, e.g. Computerworld
• Duplicate reports of the same vulnerability: only the earliest date is kept
• Confounding events – mergers, stock splits
• Vulnerabilities due to protocol flaws
• Non-publicly traded firms
• Non-security related flaws

Page 11:

Examples of Vulnerability Announcements

News.com (04/25/2000): “A computer security firm has discovered a serious vulnerability in Red Hat’s newest version of Linux that could let attackers destroy or deface a Web site - ……..”

WSJ (02/11/2004): “Microsoft Corp. warned customers about serious security problems with its Windows software that let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information……..- or possibly even take over the machine itself”

Page 12:

Classification of Vulnerabilities

Patch Vs No-Patch

Severe Vs. Non-Severe

Confidential Vs. Non-Confidential

Publicly Circulating ‘Exploit’

Vendor Discovered Vs Third Party Discovered

Page 13:

Hypothesis

H1 : A software vendor suffers a loss in market value when a security related vulnerability is announced in its products.

Banker and Slaughter (1998); Jarrell and Peltzman (1985); Davidson and Worrell (1992)

Page 14:

Impact on Market Value (hypothesised sign of the effect of each vulnerability characteristic)

Severity                   -ve
Patch Non-Availability     -ve
Confidentiality Related    -ve
Source of Discovery        -ve
‘Exploit Availability’     -ve

• Campbell et al (2003)
• Hovav and D’Arcy (2003)
• Davidson & Worrell (1992)

Page 15:

Descriptive Statistics

Time frame                                                Jan 1999 – May 2004
Number of firms                                           18
Number of announcements                                   148
% of vulnerabilities reported in popular press            35
% of vulnerabilities without patch                        24
% of vulnerabilities discovered by vendor                 36
% of vulnerabilities – confidentiality related breach     39
% of vulnerabilities with publicly available ‘exploit’    22

Page 16:

Event Study Steps

Abnormal Returns = Actual Returns – Predicted Returns

Event Window – the actual announcement day (t) and the days that follow it

Estimation Window – the days t-160 to t-1 before the announcement, used to fit the predicted return

Timeline (figure): t-160 |—— Estimation Window ——| t |—— Event Window ——| t+n

Page 17:

Abnormal Returns ($R_{it}$: return on firm $i$'s stock on day $t$; $R_{mt}$: market return on day $t$)

Market Model: $AR_{it} = R_{it} - (\hat{\alpha}_i + \hat{\beta}_i R_{mt})$, where $\hat{\alpha}_i, \hat{\beta}_i$ are the OLS estimates of $R_{it} = \alpha_i + \beta_i R_{mt} + \epsilon_{it}$ over the estimation window

Market Adjusted Method: $AR_{it} = R_{it} - R_{mt}$

Mean Adjusted Method: $AR_{it} = R_{it} - \bar{R}_i$, where $\bar{R}_i$ is the mean return of firm $i$ over the estimation window

Page 18:

Statistical Test

Abnormal Return, averaged across the $N$ announcements on event day $t$:

$$A_t = \frac{1}{N}\sum_{i=1}^{N} AR_{it}$$

Statistical Test:

$$t = \frac{A_t}{S_A}, \qquad S_A = \sqrt{\frac{1}{T-1}\sum_{\tau \in \text{estimation period}} \left(A_\tau - \bar{A}\right)^2}$$

$S_A$ is the S.D. of the (averaged) abnormal returns $A_\tau$ in the estimation period ($T$ days, $\bar{A}$ their mean)

Null Hypothesis : Abnormal Returns are not significantly different from zero.

Advantage of this test (Brown & Warner 1985): since $S_A$ is estimated from the time series of the cross-sectional average $A_\tau$, it allows for event day clustering and cross sectional dependence
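The three abnormal-return models and the Brown & Warner test from the three slides above, carried through in code. This is an added example written for this page, not the authors' code. The daily return series are constructed synthetically (each announcement gets its own market series and a firm series with a 1% extra drop on day 0), the 160-day estimation window follows the slide, and the post-event days, the CAR-over-window statistic and all function names are this example's own assumptions.

```python
"""Event-study abnormal returns and the Brown & Warner (1985) t-test.

Added worked example for this page, not the authors' code.  Daily return
series are constructed synthetically (see synthetic_events) so it runs offline.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

EST_LEN = 160   # estimation window covers relative days -160 .. -1 (as on the slide)
POST_LEN = 10   # assumed post-event days kept so CARs over day 0..10 can be formed
Event = Tuple[List[float], List[float]]   # (firm returns, market returns), day-aligned


def ols_alpha_beta(r_i: Sequence[float], r_m: Sequence[float]) -> Tuple[float, float]:
    """Market-model OLS over the estimation window: R_it = a_i + b_i R_mt + e_it."""
    n = len(r_i)
    mean_i, mean_m = sum(r_i) / n, sum(r_m) / n
    cov = sum((a - mean_i) * (b - mean_m) for a, b in zip(r_i, r_m))
    var = sum((b - mean_m) ** 2 for b in r_m)
    beta = cov / var
    return mean_i - beta * mean_m, beta


def abnormal_returns(model: str, r_i: Sequence[float], r_m: Sequence[float]) -> List[float]:
    """AR_it for every day of one event under one of the slide's three models.
    Index EST_LEN is announcement day 0; the days before it are the estimation window."""
    est_i, est_m = r_i[:EST_LEN], r_m[:EST_LEN]
    if model == "market":             # AR_it = R_it - (a_i + b_i R_mt)
        a, b = ols_alpha_beta(est_i, est_m)
        return [ri - (a + b * rm) for ri, rm in zip(r_i, r_m)]
    if model == "market_adjusted":    # AR_it = R_it - R_mt
        return [ri - rm for ri, rm in zip(r_i, r_m)]
    if model == "mean_adjusted":      # AR_it = R_it - mean(R_i) over the estimation window
        mean_i = sum(est_i) / EST_LEN
        return [ri - mean_i for ri in r_i]
    raise ValueError(f"unknown model: {model}")


def event_study(events: Sequence[Event], model: str,
                window: Tuple[int, int] = (0, 0)) -> Dict[str, float]:
    """Average the ARs across events day by day (A_t), take S_A from the
    estimation-window A_t series, and test the CAR over `window` (relative days).
    Estimating S_A from the cross-event average series is the Brown & Warner
    'crude dependence adjustment': it absorbs cross-sectional correlation and
    event-day clustering instead of treating the N events as independent."""
    n = len(events)
    ar = [abnormal_returns(model, r_i, r_m) for r_i, r_m in events]
    n_days = EST_LEN + 1 + POST_LEN
    a_t = [sum(ar[e][k] for e in range(n)) / n for k in range(n_days)]
    est = a_t[:EST_LEN]
    a_bar = sum(est) / EST_LEN
    s_a = math.sqrt(sum((x - a_bar) ** 2 for x in est) / (EST_LEN - 1))
    lo, hi = window
    car = sum(a_t[EST_LEN + k] for k in range(lo, hi + 1))
    t_stat = car / (s_a * math.sqrt(hi - lo + 1))   # S.D. of a sum over L days is S_A*sqrt(L)
    day0 = [ar[e][EST_LEN] for e in range(n)]
    return {"A0": a_t[EST_LEN], "S_A": s_a, "CAR": car, "t": t_stat,
            "pct_negative": sum(1 for x in day0 if x < 0) / n}


def synthetic_events(n_events: int = 148, drop: float = 0.01, seed: int = 2005) -> List[Event]:
    """Constructed data (not the paper's sample): each event has its own market
    series; the firm series is alpha 0.0002, beta 1.1 plus idiosyncratic noise,
    and the announcement day carries an extra negative return of `drop`."""
    rng = random.Random(seed)
    n_days = EST_LEN + 1 + POST_LEN
    events = []
    for _ in range(n_events):
        r_m = [rng.gauss(0.0, 0.01) for _ in range(n_days)]
        r_i = [0.0002 + 1.1 * rm + rng.gauss(0.0, 0.015) for rm in r_m]
        r_i[EST_LEN] -= drop
        events.append((r_i, r_m))
    return events


if __name__ == "__main__":
    evs = synthetic_events()
    for m in ("market", "market_adjusted", "mean_adjusted"):
        r = event_study(evs, m)
        print(f"{m:16s} day-0 AR {r['A0'] * 100:+.2f}%  t = {r['t']:.2f}  "
              f"share < 0: {r['pct_negative']:.0%}")
    for w in ((0, 1), (0, 2), (0, 5), (0, 10)):
        r = event_study(evs, "market", w)
        print(f"CAR{w}: {r['CAR'] * 100:+.2f}%  t = {r['t']:.2f}")
```

The day-0 statistic is the one reported on the results slides; widening the window adds noise faster than signal, which is why the longer-window CARs on the slides lose significance even though the day-0 effect is clear.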

Page 19:

Effect of Vulnerability Characteristics – Fixed Effects Regression

$$y_{it} = \alpha_i + \beta X_{it} + \epsilon_{it}$$

To account for firm specific heterogeneity:
$y_{it}$ – abnormal return of firm $i$ on announcement $t$
$\alpha_i$ – firm specific dummy variable (one intercept per firm)
$X_{it}$ – vulnerability characteristics
$\epsilon_{it}$ – error term

Page 20:

Independent Variables

Binary Independent Variables (0 or 1)

SEVR: whether the vulnerability has been classified as severe

PATCH: Whether a patch is available at the time of the vulnerability disclosure.

DISC: Whether the vulnerability was discovered by the vendor itself.

EXPLOIT: If an exploit is publicly available at the time of the vulnerability announcement, then EXPLOIT = 1; otherwise it is zero

CERT: If the vulnerability was first reported in CERT.

PRESS: If the vulnerability was first reported in popular press.

DOS: If the vulnerability can potentially lead to a denial of service type attack.

EXECUTE_CODE: If the vulnerability can potentially lead to a hacker executing malicious code, then EXECUTE_CODE = 1.
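A fixed-effects fit of the day-0 abnormal return on two of the binary variables above (PATCH and SEVR), as an added example that is not the authors' code. Instead of one dummy per firm it uses the algebraically equivalent within transformation (demean every variable by firm), and it runs pooled OLS on the same data for contrast. The panel is constructed: the variable names, the 18-firm count and the coefficient sizes used to generate it are borrowed from the slides, while the firm effects, the patch shares per firm and the noise level are this example's own assumptions, chosen so that firm effects are correlated with PATCH.

```python
"""Fixed-effects regression of day-0 abnormal returns on vulnerability
characteristics, via the within (firm-demeaned) transformation.

Added worked example for this page, not the authors' code.  The panel is
constructed with known coefficients (see synthetic_panel) so the estimate
can be checked against the truth; sizes are borrowed from the slides.
"""
import random
from typing import Dict, List, Sequence, Tuple

N_FIRMS, PER_FIRM = 18, 8                 # 18 vendors as on the descriptive-statistics slide
TRUE_PATCH, TRUE_SEVR = 0.0083, -0.006    # constructed to match the signs/sizes on the slide
Row = Tuple[int, float, float, float]     # (firm index, y_it, PATCH, SEVR)


def solve_2x2(x1: Sequence[float], x2: Sequence[float], y: Sequence[float]) -> Tuple[float, float]:
    """OLS slopes for y ~ b1*x1 + b2*x2 (no intercept) from the normal equations."""
    s11 = sum(a * a for a in x1)
    s22 = sum(b * b for b in x2)
    s12 = sum(a * b for a, b in zip(x1, x2))
    s1y = sum(a * c for a, c in zip(x1, y))
    s2y = sum(b * c for b, c in zip(x2, y))
    det = s11 * s22 - s12 * s12
    return (s1y * s22 - s2y * s12) / det, (s11 * s2y - s12 * s1y) / det


def demean(values: Sequence[float], groups: Sequence[int]) -> List[float]:
    """Subtract each observation's group mean.  Grouping by firm is the within
    transformation (equivalent to one dummy per firm); a single group is plain
    centring, i.e. pooled OLS with a common intercept."""
    sums: Dict[int, float] = {}
    counts: Dict[int, int] = {}
    for v, g in zip(values, groups):
        sums[g] = sums.get(g, 0.0) + v
        counts[g] = counts.get(g, 0) + 1
    return [v - sums[g] / counts[g] for v, g in zip(values, groups)]


def fit(rows: Sequence[Row], fixed_effects: bool) -> Dict[str, object]:
    """Slopes on PATCH and SEVR plus the implied firm intercepts alpha_i."""
    groups = [r[0] for r in rows] if fixed_effects else [0] * len(rows)
    y = demean([r[1] for r in rows], groups)
    x1 = demean([r[2] for r in rows], groups)
    x2 = demean([r[3] for r in rows], groups)
    b_patch, b_sevr = solve_2x2(x1, x2, y)
    alphas: Dict[int, float] = {}   # alpha_i = ybar_i - b_patch*PATCHbar_i - b_sevr*SEVRbar_i
    for f in sorted(set(r[0] for r in rows)):
        sub = [r for r in rows if r[0] == f]
        alphas[f] = sum(r[1] - b_patch * r[2] - b_sevr * r[3] for r in sub) / len(sub)
    return {"PATCH": b_patch, "SEVR": b_sevr, "alpha": alphas}


def synthetic_panel(seed: int = 7) -> List[Row]:
    """Constructed panel: the firm effect alpha_i rises with the firm index, and so
    does the share of that firm's announcements that ship with a patch.  Firm
    effects correlated with a regressor are exactly what pooled OLS gets wrong."""
    rng = random.Random(seed)
    rows: List[Row] = []
    for i in range(N_FIRMS):
        alpha_i = -0.02 + 0.04 * i / (N_FIRMS - 1)
        n_patched = 1 + (6 * i) // (N_FIRMS - 1)     # 1 .. 7 of the 8 announcements
        for j in range(PER_FIRM):
            patch, sevr = float(j < n_patched), float(j % 2)
            y = alpha_i + TRUE_PATCH * patch + TRUE_SEVR * sevr + rng.gauss(0.0, 0.002)
            rows.append((i, y, patch, sevr))
    return rows


if __name__ == "__main__":
    panel = synthetic_panel()
    for label, fe in (("pooled OLS", False), ("firm fixed effects", True)):
        est = fit(panel, fe)
        print(f"{label:20s} PATCH {est['PATCH']:+.4f}  SEVR {est['SEVR']:+.4f}"
              f"  (truth {TRUE_PATCH:+.4f} / {TRUE_SEVR:+.4f})")
```

The within estimate recovers the constructed coefficients, while pooled OLS attributes part of the firm effect to PATCH because firms with higher baseline returns also patch more often; that is the "firm specific heterogeneity" the slide's $\alpha_i$ dummies absorb.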

Page 21:

Results

Day 0 Abnormal Returns (p-values in parentheses)

                                Market Model    Market Adjusted Model    Mean Model
Mean Abnormal Return (in %)     -0.63 (0.01)    -0.67 (0.01)             -0.5 (0.09)
Median Abnormal Return (in %)   -0.44 (0.00)    -0.5 (0.00)              -0.55 (0.01)
Percent Less than Zero          64% (0.00)      63.5% (0.001)            58.7% (0.03)

Non-parametric tests: Wilcoxon signed rank test for the median abnormal return; sign test for the percent less than zero.

Page 22:

Robustness Check

Outlier effect: removing the top 10 and bottom 10 percentile abnormal returns gives a mean of -0.53% (against -0.63%), still significant at the 5% level

Market momentum effects: the day-0 reaction is not explained by price movement before the announcement
• day -10 to day -1 CAR vs day 0 CAR: correlation -0.05, p-value 0.5
• day -1 CAR vs day 0 CAR: correlation 0.03, p-value 0.67

Page 23:

Results

Abnormal returns negative and significant; the mean ranges from -0.5% to -0.67% across the three models

Confirms loss in market value for software vendors

Median and percent-less-than-zero values also negative and significant

Market capitalization: average loss of $0.86bn per vulnerability announcement

Page 24:

Different Event Windows

Day        -1           0             0 to 1        0 to 2        0 to 5       0 to 10
CAR (%)    0.25 (0.4)   -0.63 (0.01)  -0.65 (0.07)  -0.47 (0.35)  -0.25 (0.7)  -0.9 (0.36)

(significance level in parentheses; only day 0 and the 0 to 1 window are significant)

Page 25:

Fixed Effects Regression (R2 = 17.3%; F-value = 2.77, significant at the 1% level)

Variable     Coefficient    P>|t|
SEVR         -0.006         0.1
PATCH         0.0083        0.04
DISC         -0.005         0.16
CERT          0.006         0.3
PRESS        -0.0053        0.27
DOS           0.0076        0.06
EXPLOIT      -0.005         0.24
Y_9900       -0.007         0.26
Pre_911      -0.011         0.05
Post_911     -0.02          0.001
Y_0203       -0.01          0.05
Constant      0.01          0.05

(Y_9900, Pre_911, Post_911 and Y_0203 appear to be time-period dummies for the sample years; they are not among the variables defined on the previous slide.)

Page 26:

Interpretation

Coefficient on PATCH (patch available at the time of disclosure) positive and significant (0.0083, p = 0.04): software vendors lose 0.83% more in market value when a vulnerability is disclosed with no patch available.

Intuitive: possible loss in consumer goodwill and future cash flows.

Incentive for vendors to push for limited disclosure, i.e. to keep a vulnerability quiet until a patch exists.

Page 27:

Interpretation

Coefficient on DOS positive and significant at the 10% level (0.0076, p = 0.06): software vendors lose 0.76% less in market value when the vulnerability's impact is a denial of service. Consistent with Campbell et al (2003), who found the market reaction concentrated on breaches of confidential information.

Implications for quality investments.

Page 28:

Interpretation

Coefficient on SEVR negative and significant at the 10% level (-0.006, p = 0.1): software vendors lose 0.6% more in market value when the vulnerability is classified as severe. Cf. Davidson & Worrell (1992) on product recalls.

Page 29:

Interpretation

Coefficient on source of discovery (DISC) not significant: markets do not penalize firms for failing to find flaws in their own products.

Page 30:

Other Event Study Results

Classification of Event Study | Authors | Time Period | CAR
Impact of Vulnerability Disclosures on Software Vendors | Telang R and S Wattal (2004) | 1999-2004 | -0.63%
Impact of Security Breaches | Campbell K, Gordon LA, Loeb MP and L Zhou (2003) | 1995-2000 | -2.0%*
Impact of Security Breaches | Cavusoglu H, Mishra B and S Raghunathan (2002) | 1998-2000 | -2.1%
Impact of Product Recall Announcements | Jarrell G and S Peltzman (1985) | 1967-1981 | -0.81% (for auto)
Impact of Product Recall Announcements | Davidson WL III and DL Worrell (1992) | 1968-1987 | -0.36% (day -1)
Impact of IT Investment Announcements | Chatterjee D, Richardson VJ and RW Zmud (2001) | 1987-1998 | 1.16%
Impact of IT Investment Announcements | Subramani M and E Walden (2001) | Oct 1998 - Dec 1998 | 7.5%
Impact of IT Investment Announcements | Dos Santos BL, Peffers K and DC Mauer (1993) | 1981-1988 | 1%
Impact of Winning a Quality Award | Hendricks KB and Singhal VR (1996) | 1985-1991 | 0.59%

Page 31:

Conclusions

Significant loss to software vendors

Loss is greater for
• No patch
• Confidentiality related
• More severe

Limited disclosure may lead to sub-optimal investments

Impact on consumer welfare??

Page 32:

Questions!!!