Researchers in the area of information security have mainly been concerned with tools, techniques and policies that firms can use to protect themselves against security breaches. However, information security is as much about security software as it is about secure software. Software is not secure when it has defects or flaws which can be exploited by hackers to mount attacks such as unauthorized intrusion or denial of service. Any public announcement about a software defect is termed a 'vulnerability disclosure'. Although research in software economics has studied firms' incentives to improve overall quality, there have been no studies showing that software vendors have an incentive to invest in building more secure software. In this paper, we use the event study methodology to examine the role that financial markets play in determining software vendors' incentives to build more secure software. We collect data from leading national newspapers and industry sources like CERT by searching for reports on published software vulnerabilities. We show that vulnerability disclosures lead to a negative and significant change in market value for a software vendor. On average, a vendor loses around 0.6% of its stock price when a vulnerability is reported. This is equivalent to a loss in market capitalization of $0.86 billion per vulnerability announcement. To provide further insight, we use the information content of the disclosure announcement to classify vulnerabilities into various types. We find that the change in stock price is more negative if the vendor fails to provide a patch at the time of disclosure. Moreover, vulnerabilities which cause a confidentiality-related breach cause a greater decline in the market value of a vendor than vulnerabilities which cause non-confidentiality-related breaches. Also, more severe flaws have a significantly greater impact than flaws with low or moderate severity.
Finally, we find that the markets do not punish a software vendor more severely if a third party discovers a flaw in its product than if the vendor itself discovers the flaw. Our analysis provides many interesting implications for software vendors as well as policy makers.
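As an added illustration of the event-study methodology the abstract refers to (this is not code or data from the paper): a market-model event study run on constructed return series, with a -0.6% shock injected on the disclosure day to mirror the average effect reported above. The ALPHA, BETA, EVENT_IDX values, the 120-day estimation window and the three-day event window are assumptions chosen for the example.

```python
import math
import random

# Constructed sample (not data from the paper): 160 trading days of returns for a
# hypothetical vendor and a market index. The vendor follows the market model
# r_v = ALPHA + BETA * r_m + eps, except on the disclosure day, where a
# SHOCK of -0.6% is injected to mimic the average drop the abstract reports.
ALPHA, BETA, SHOCK = 0.0005, 1.2, -0.006
EVENT_IDX = 150  # assumed index of the disclosure day in the series

def build_sample_series(seed=7):
    rng = random.Random(seed)
    market = [rng.gauss(0.0, 0.01) for _ in range(160)]
    vendor = []
    for i, rm in enumerate(market):
        noise = rng.gauss(0.0, 0.0005) if i < EVENT_IDX - 1 else 0.0  # none in event window
        shock = SHOCK if i == EVENT_IDX else 0.0
        vendor.append(ALPHA + BETA * rm + noise + shock)
    return vendor, market

def fit_market_model(rm, rv):
    """OLS fit of rv = alpha + beta * rm; returns (alpha, beta, residual std)."""
    n = len(rm)
    mean_m, mean_v = sum(rm) / n, sum(rv) / n
    sxx = sum((x - mean_m) ** 2 for x in rm)
    sxy = sum((x - mean_m) * (y - mean_v) for x, y in zip(rm, rv))
    beta = sxy / sxx
    alpha = mean_v - beta * mean_m
    resid = [y - (alpha + beta * x) for x, y in zip(rm, rv)]
    sigma = math.sqrt(sum(e * e for e in resid) / (n - 2))
    return alpha, beta, sigma

def event_study(vendor, market, event_idx, est_len=120, window=(-1, 1)):
    """Abnormal returns (AR) and their cumulative sum (CAR) over the event window.

    The market model is estimated on est_len days ending just before the window;
    the CAR t-statistic uses the estimation-period residual variance.
    """
    lo, hi = event_idx + window[0], event_idx + window[1]
    alpha, beta, sigma = fit_market_model(market[lo - est_len:lo], vendor[lo - est_len:lo])
    ars = [vendor[i] - (alpha + beta * market[i]) for i in range(lo, hi + 1)]
    car = sum(ars)
    t_stat = car / (sigma * math.sqrt(len(ars)))
    return {"alpha": alpha, "beta": beta, "ars": ars, "car": car, "t": t_stat}

if __name__ == "__main__":
    v, m = build_sample_series()
    print(event_study(v, m, EVENT_IDX))
```

A real study would pool CARs across many announcements and vendors before testing significance; the single-event t-statistic here only shows the mechanics of the abnormal-return computation.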