SecurityFocus 2005-06-06
Software makers stand to lose significant market value whenever a flaw is found in their products, two university researchers said in a paper published on Friday.
The study analyzed the release of 146 vulnerabilities and found that a software company's stock price decreased 0.63 percent compared to the tech-heavy NASDAQ on the day a flaw in the firm's product is announced. The study assumed that the stock of a company would have the same trend as the stock index, and that any departure from the index would be due to the disclosure.
"Investors pay attention and feel that (a vulnerability announcement) signals poor quality of the product and reputation loss for the firm and, hence, are willing to punish them," Rahul Telang, assistant professor of information systems at Carnegie Mellon University and co-author of the paper, said in an e-mail interview. "Therefore, we found evidence that such disclosure does create incentives for vendors to invest in better security."
While many security experts have pointed to evidence that fixing security issues early in software development costs far less than fixing the holes after the product has shipped, the Carnegie Mellon study is the first time that investors' reaction to software vulnerabilities has been measured.
The paper, presented at the Workshop on the Economics of Information Security, measured the statistical effects of 146 vulnerability disclosures on 18 publicly traded companies whose software products contained the flaws. The paper's other author, Sunil Wattal, is a graduate student of information systems at Carnegie Mellon.
The survey of 146 incidents of vulnerability disclosure found that almost two thirds of the announcements were followed by the software maker's stock falling compared to the NASDAQ market average. The average vendor's stock fell 0.63 percent compared to the technology index the day a vulnerability in the company's product was released. Analysis of the models showed that the decrease is statistically significant, the paper stated.
Increasing the time period under consideration from one day to two days gives similar results -- an average decrease in the stock price of the software maker of 0.65 percent compared to the NASDAQ -- and only weakens the statistical significance slightly.
The effects of vulnerability disclosure are most evident when the flaw is publicized by the press or the software maker. In those cases, the vendor's stock performs nearly 1 percent worse than the NASDAQ average, according to the paper.
While the full disclosure community generally argues that public announcement of a vulnerability increases awareness of the dangers for system administrators, the effect of such announcements on stock price shows there is a significant secondary reason for disclosure: A penalty for companies that don't secure their products adequately.
However, the paper also suggests that immediate disclosure of vulnerabilities, before a patch is available from the software maker, punishes companies to a higher degree. If the patch is available, a company's stock price falls 0.37 percent below the NASDAQ on average, while disclosing a vulnerability before a patch is available signaled a decrease of 1.49 percent, according to the paper.
Surprisingly, investors appear to punish software giant Microsoft far less for its vulnerabilities, with that company's stock price falling 0.28 percent compared to the NASDAQ on days flaws in its product are revealed. Other companies suffered an average decrease of 0.91 percent, the paper stated.
The researchers' presentation showed that a connection did exist between short term stock price and the bad news of a vulnerability in the company's software, but more analysis needs to be done, said Bruce Schneier, chief technology officer for network monitoring firm Counterpane Internet Security and author of eight books on security, encryption and privacy.
"I want to know if it is more than just bad news about a company that affects stock price," said Schneier, who attended the researchers' presentation. "I want to know if there is more of a long term effect, and that question they didn't answer."
The researchers did show that, compared to the effect of other types of product related defects, the disclosure of software flaws seems to have the least impact. The two researchers found that the 0.63 percent decrease fell below the estimated 2.1 percent drop in the stock price of companies that were victims of public security breaches, or the estimated 0.81 percent drop in the stock price of auto makers that recalled their vehicles.
Other factors, such as missing the ship date for a product, may also have greater impacts, but were not studied by the researchers. So even if there is a connection between public vulnerability disclosure and stock price, the penalty for having vulnerabilities may not be high enough to convince product managers to spend more time on security, said Amit Jasuja, vice president of product management for database maker Oracle's security group.
"Investors respond to anything that hurts the bottom line," Jasuja said. "Not shipping a product on time hurts the stock price as well. I am not sure there is an easy answer. As a product manager, I will still make sure that the product meets all the exit criteria before it ships."