An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price

Abstract: Abstract-Security defects in software cost millions of dollars to firms in terms of downtime, disruptions, and confidentiality breaches. However, the economic implications of these defects for software vendors are not well understood. Lack of legal liability and the presence of switching costs and network externalities may protect software vendors from incurring significant costs in the event of a vulnerability announcement, unlike such industries as auto and pharmaceuticals, which have been known to suffer si… Show more

“…The severity of the event would weaken the benefit of voluntary disclosure. Previous research shows that if the breach announcement suggests that the breach is severe, it could cause a significantly negative impact to the firm's CAR [25]. We believe the disclosure of a data breach event with larger data record loss could lead to more negative confidence on a firm's security controls.…”

“…But no literature considers the firm's decision to notify the data breach event to customers or the public as a factor to impact the market return. In our view, timely disclosure can be used to reduce the legal and reputation cost of bad news [25]. Firm's disclosure behavior also prevents competitors from unambiguously inferring that these firms are hiding information [8].…”

“…A company's costs for data breach events depend on the number of individuals whose information has been compromised. Telang and Wattel [25] manually categorize breach events as severe or not, and find that the security breach events categorized as severe could cause a significantly negative impact to the firm's CAR. As mentioned earlier, we believe that the number of records breached could be used to measure the severity of the data breach event.…”

“…These studies show that data breach announcements lead to significant negative market return. For example, Telang and Wattel [25] evaluate the impact of software vulnerability announcement on firms, and find that firms will lose 0.6% of their market value. Cavusoglu et al [9] conclude that firms lose 2.1% of their market value within two days after the announcement of a breach event.…”

Firm Actions Toward Data Breach Incidents and Firm Equity Value: An Empirical Study

“…The severity of the event would weaken the benefit of voluntary disclosure. Previous research shows that if the breach announcement suggests that the breach is severe, it could cause a significantly negative impact to the firm's CAR [25]. We believe the disclosure of a data breach event with larger data record loss could lead to more negative confidence on a firm's security controls.…”

“…But no literature considers the firm's decision to notify the data breach event to customers or the public as a factor to impact the market return. In our view, timely disclosure can be used to reduce the legal and reputation cost of bad news [25]. Firm's disclosure behavior also prevents competitors from unambiguously inferring that these firms are hiding information [8].…”

“…A company's costs for data breach events depend on the number of individuals whose information has been compromised. Telang and Wattel [25] manually categorize breach events as severe or not, and find that the security breach events categorized as severe could cause a significantly negative impact to the firm's CAR. As mentioned earlier, we believe that the number of records breached could be used to measure the severity of the data breach event.…”

“…These studies show that data breach announcements lead to significant negative market return. For example, Telang and Wattel [25] evaluate the impact of software vulnerability announcement on firms, and find that firms will lose 0.6% of their market value. Cavusoglu et al [9] conclude that firms lose 2.1% of their market value within two days after the announcement of a breach event.…”

Firm Actions Toward Data Breach Incidents and Firm Equity Value: An Empirical Study

“…The poor password protection practises [3] are exploited by the attackers in order to recover the user passwords from the stolen data. These attacks lead to negative and significant loss in the vendor's market value [4]. collector attacks [10] can be countered by build-in memory safety techniques, specifically designed for embedded applications [18].…”

Lightweight Password Hashing Scheme for Embedded Systems

Risk Management in Current and Future Networks