Study: Flaw disclosure hurts software makers' stock

But for how long?

Software makers stand to lose significant market value whenever a flaw is found in their products, two university researchers said in a paper published last week.

The study analyzed the release of 146 vulnerabilities and found that a software company's stock price decreases 0.63 percent compared to the tech-heavy NASDAQ on the day a flaw in that company's product is announced. The study assumed that the stock of a company would have the same trend as the stock index, and that any departure from the index would be due to the disclosure.

"Investors pay attention and feel that (a vulnerability announcement) signals poor quality of the product and reputation loss for the firm and, hence, are willing to punish them," Rahul Telang, assistant professor of information systems at Carnegie Mellon University and co-author of the paper, said in an email interview. "Therefore, we found evidence that such disclosure does create incentives for vendors to invest in better security."

While many security experts have pointed to evidence that fixing security issues early in software development costs far less than fixing the holes after the product has shipped, the Carnegie Mellon study is the first time that investors' reaction to software vulnerabilities has been measured.

The paper, presented at the Workshop on the Economics of Information Security, measured the statistical effects of 146 vulnerability disclosures on 18 publicly traded companies whose software products contained the flaws. The paper's other author, Sunil Wattal, is a graduate student of information systems at Carnegie Mellon.

The survey of 146 incidents of vulnerability disclosure found that almost two thirds of the announcements were followed by the software maker's stock falling compared to the NASDAQ market average. The average vendor's stock fell 0.63 percent compared to the technology index the day a vulnerability in the company's product was released. Analysis of the models showed that the decrease is statistically significant, the paper stated.

Increasing the time period under consideration from one day to two days gives similar results (an average decrease in the stock price of the software maker of 0.65 per cent compared to the NASDAQ) and only weakens the statistical significance slightly.
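The comparison the paper relies on is a market-adjusted event study: the vendor's daily return minus the NASDAQ's return on the disclosure day, averaged over all events, with a longer window summing several days. The following is an added illustration of that calculation, not code from the paper; the price series and event days are constructed sample data, and the percentages it yields have no relation to the study's figures.

```python
from math import sqrt
from statistics import mean, stdev

# Constructed sample data (not from the paper): daily closing prices, one entry
# per trading day, for a vendor's stock and for the NASDAQ composite, plus the
# trading-day indices on which a vulnerability in the vendor's product was disclosed.
VENDOR = [50.00, 50.50, 50.10, 49.70, 49.90, 50.40, 50.30, 49.80, 49.60, 49.90]
NASDAQ = [2000.0, 2020.0, 2010.0, 2015.0, 2025.0, 2040.0, 2045.0, 2035.0, 2030.0, 2045.0]
EVENT_DAYS = [2, 7]


def daily_return(prices, t):
    """Simple return from the close on day t-1 to the close on day t."""
    return prices[t] / prices[t - 1] - 1.0


def abnormal_return(stock, index, t):
    """Market-adjusted abnormal return on day t: the part of the stock's move
    that the index does not explain. This encodes the paper's assumption that,
    absent the disclosure, the stock would have tracked the index."""
    return daily_return(stock, t) - daily_return(index, t)


def cumulative_abnormal_return(stock, index, event_day, window=1):
    """Sum of abnormal returns starting on the event day over `window` trading
    days (window=1 is the one-day figure, window=2 the two-day figure)."""
    return sum(abnormal_return(stock, index, t)
               for t in range(event_day, event_day + window))


def event_study(stock, index, event_days, window=1):
    """Average the cumulative abnormal return over all events and report a
    t-statistic against zero plus the share of events with a negative move."""
    cars = [cumulative_abnormal_return(stock, index, d, window) for d in event_days]
    avg = mean(cars)
    # One-sample t-statistic of the mean CAR; needs at least two events.
    t_stat = avg / (stdev(cars) / sqrt(len(cars))) if len(cars) > 1 else float("nan")
    share_negative = sum(1 for c in cars if c < 0) / len(cars)
    return {"n": len(cars), "mean_car": avg, "t_stat": t_stat,
            "share_negative": share_negative}


if __name__ == "__main__":
    for w in (1, 2):
        r = event_study(VENDOR, NASDAQ, EVENT_DAYS, window=w)
        print(f"{w}-day window: mean CAR {r['mean_car'] * 100:.2f}% "
              f"(t = {r['t_stat']:.2f}, {r['share_negative']:.0%} negative)")
```

With only two constructed events the t-statistic is illustrative; the paper's significance claim rests on 146 disclosures.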

The effects of vulnerability disclosure are most evident when the flaw is publicized by the press or the software maker. In those cases, the vendor's stock performs nearly one per cent worse than the NASDAQ average, according to the paper.

While the full disclosure community generally argues that public announcement of a vulnerability increases awareness of the dangers for system administrators, the effect of such announcements on stock price shows there is a significant secondary reason for disclosure: a penalty for companies that don't secure their products adequately.

However, the paper also suggests that immediate disclosure of vulnerabilities, before a patch is available from the software maker, punishes companies to a higher degree. If the patch is available, a company's stock price falls 0.37 percent below the NASDAQ on average, while disclosing a vulnerability before a patch is available signals a decrease of 1.49 percent, according to the paper.

Surprisingly, investors appear to punish software giant Microsoft far less for its vulnerabilities, with that company's stock price falling 0.28 percent compared to the NASDAQ on days flaws in its products are revealed. Other companies suffered an average decrease of 0.91 percent, the paper stated.

The researchers' presentation showed that a connection did exist between short-term stock price and the bad news of a vulnerability in the company's software, but more analysis needs to be done, said Bruce Schneier, chief technology officer for network monitoring firm Counterpane Internet Security and author of eight books on security, encryption and privacy.

"I want to know if it is more than just bad news about a company that affects stock price," said Schneier, who attended the researchers' presentation. "I want to know if there is more of a long term effect, and that question they didn't answer."

The researchers did show that, compared to the effect of other types of product-related defects, the disclosure of software flaws seems to have the least impact. The two researchers found that the 0.63 per cent decrease fell below the estimated 2.1 per cent drop in the stock price of companies that were victims of public security breaches, or the estimated 0.81 per cent drop in the stock price of auto makers that recalled their vehicles.

Other factors, such as missing the ship date for a product, may also have greater impacts, but were not studied by the researchers. So even if there is a connection between public vulnerability disclosure and stock price, the penalty for having vulnerabilities may not be high enough to convince product managers to spend more time on security, said Amit Jasuja, vice president of product management for database maker Oracle's security group.

"Investors respond to anything that hurts the bottom line," Jasuja said. "Not shipping a product on time hurts the stock price as well. I am not sure there is an easy answer. As a product manager, I will still make sure that the product meets all the exit criteria before it ships."

Copyright © 2005, SecurityFocus
