Security testing: mind the knowledge gap
ACM SIGCSE Bulletin
Estimating the market impact of security breach announcements on firm values
Information and Management
Improving CVSS-based vulnerability prioritization and response with context information
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
An Economic Analysis of the Software Market with a Risk-Sharing Mechanism
International Journal of Electronic Commerce
Information Systems Research
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Firms' information security investment decisions: Stock market evidence of investors' behavior
Decision Support Systems
Uncertainty in interdependent security games
GameSec'10 Proceedings of the First international conference on Decision and game theory for security
The impact of information security breaches: Has there been a downward shift in costs?
Journal of Computer Security
Are markets for vulnerabilities effective?
MIS Quarterly
A large scale exploratory analysis of software vulnerability life cycles
Proceedings of the 34th International Conference on Software Engineering
Theorizing Information Security Success: Towards Secure E-Government
International Journal of Electronic Government Research
OSDC: adapting ODC for developing more secure software
Proceedings of the 28th Annual ACM Symposium on Applied Computing
A novel approach to evaluate software vulnerability prioritization
Journal of Systems and Software
Security defects in software cost firms millions of dollars in downtime, disruptions, and confidentiality breaches. However, the economic implications of these defects for software vendors are not well understood. The lack of legal liability, together with switching costs and network externalities, may shield software vendors from incurring significant costs when a vulnerability is announced, unlike industries such as automobiles and pharmaceuticals, which are known to suffer significant losses in market value when a defect is announced. Although research in software economics has studied firms' incentives to improve overall quality, no studies have shown that software vendors have an incentive to invest in building more secure software. The objectives of this paper are twofold. 1) We examine how a software vendor's market value changes when a vulnerability is announced. 2) We examine how firm and vulnerability characteristics mediate the change in the vendor's market value. We collect data from leading national newspapers and industry sources, such as the Computer Emergency Response Team (CERT), by searching for reports on published software vulnerabilities. We show that vulnerability announcements lead to a negative and significant change in a software vendor's market value. In our sample, on average, a vendor loses around 0.6 percent of its stock price when a vulnerability is reported. We find that a software vendor loses more market share if the market is competitive or if the vendor is small. To provide further insight, we use the information content of the disclosure announcement to classify vulnerabilities into various types. We find that the change in stock price is more negative if the vendor fails to provide a patch at the time of disclosure. Also, more severe flaws have a significantly greater impact.
Our analysis provides many interesting implications for software vendors as well as policy makers. In particular, our study provides some evidence of the value of secure software.