Study: Flaw disclosure hurts software makers' stock

But for how long?

Software makers stand to lose significant market value whenever a flaw is found in their products, two university researchers said in a paper published last week.

The study analyzed the release of 146 vulnerabilities and found that a software company's stock price decreases 0.63 percent compared to the tech-heavy NASDAQ on the day a flaw in that company's product is announced. The study assumed that the stock of a company would have the same trend as the stock index, and that any departure from the index would be due to the disclosure.

"Investors pay attention and feel that (a vulnerability announcement) signals poor quality of the product and reputation loss for the firm and, hence, are willing to punish them," Rahul Telang, assistant professor of information systems at Carnegie Mellon University and co-author of the paper, said in an email interview. "Therefore, we found evidence that such disclosure does create incentives for vendors to invest in better security."

While many security experts have pointed to evidence that fixing security issues early in software development costs far less than fixing the holes after the product has shipped, the Carnegie Mellon study is the first to measure investors' reaction to software vulnerabilities.

The paper, presented at the Workshop on the Economics of Information Security, measured the statistical effects of 146 vulnerability disclosures on 18 publicly traded companies whose software products contained the flaws. The paper's other author, Sunil Wattal, is a graduate student of information systems at Carnegie Mellon.

The survey of 146 incidents of vulnerability disclosure found that almost two thirds of the announcements were followed by the software maker's stock falling compared to the NASDAQ market average. The average vendor's stock fell 0.63 percent compared to the technology index the day a vulnerability in the company's product was released. Analysis of the models showed that the decrease is statistically significant, the paper stated.

Increasing the time period under consideration from one day to two days gives similar results (an average decrease in the software maker's stock price of 0.65 per cent compared to the NASDAQ) and only weakens the statistical significance slightly.
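The market-adjusted event study described above (vendor stock assumed to track the NASDAQ, the gap on the disclosure day attributed to the disclosure, one- and two-day windows, mean effect tested for significance), as an added illustration that is not part of the paper or the article; the price series are constructed and the t-test is a plain one-sample test, which the paper's own model may not use.

```python
"""Market-adjusted event study of the kind the article describes: the vendor's
stock is assumed to move with the NASDAQ, and any gap between the two on the
disclosure day is attributed to the disclosure. All prices are constructed."""
from math import sqrt

# Constructed sample: (vendor closes, index closes); element 0 is the close
# before the disclosure and element 1 the close on the disclosure day.
EVENTS = [
    ([50.0, 49.5, 49.005], [1000.0, 1000.0, 1000.0]),  # stock slips two days, index flat
    ([20.0, 20.2, 20.2], [2000.0, 2020.0, 2020.0]),    # stock tracks the index exactly
    ([80.0, 79.2, 79.2], [1500.0, 1515.0, 1515.0]),    # stock falls while the index rises
]

def daily_returns(closes):
    """Simple day-over-day returns from a series of closing prices."""
    return [(after - before) / before for before, after in zip(closes, closes[1:])]

def abnormal_return(stock, index, window=1):
    """Cumulative abnormal return over the first `window` trading days after the
    pre-disclosure close: the stock's return minus the index's return, summed."""
    sr, ir = daily_returns(stock), daily_returns(index)
    return sum(s - i for s, i in zip(sr[:window], ir[:window]))

def event_study(events, window=1):
    """Mean abnormal return across events (in percent) and a one-sample
    t-statistic testing whether that mean differs from zero."""
    ars = [abnormal_return(s, i, window) for s, i in events]
    n = len(ars)
    mean = sum(ars) / n
    var = sum((a - mean) ** 2 for a in ars) / (n - 1)
    # With no dispersion across events the t-statistic is undefined.
    t_stat = mean / sqrt(var / n) if var > 0 else float("nan")
    return mean * 100, t_stat

if __name__ == "__main__":
    for w in (1, 2):
        mean_pct, t = event_study(EVENTS, w)
        print(f"{w}-day window: mean abnormal return {mean_pct:+.2f}%, t = {t:.2f}")
```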

The effects of vulnerability disclosure are most evident when the flaw is publicized by the press or the software maker. In those cases, the vendor's stock performs nearly one per cent worse than the NASDAQ average, according to the paper.

While the full disclosure community generally argues that public announcement of a vulnerability increases awareness of the dangers for system administrators, the effect of such announcements on stock price shows there is a significant secondary reason for disclosure: a penalty for companies that don't secure their products adequately.

However, the paper also suggests that immediate disclosure of vulnerabilities, before a patch is available from the software maker, punishes companies to a higher degree. If a patch is available, a company's stock price falls 0.37 percent below the NASDAQ on average, while disclosing a vulnerability before a patch is available signaled a decrease of 1.49 percent, according to the paper.

Surprisingly, investors appear to punish software giant Microsoft far less for its vulnerabilities, with that company's stock price falling 0.28 percent compared to the NASDAQ on days flaws in its products are revealed. Other companies suffered an average decrease of 0.91 percent, the paper stated.

The researchers' presentation showed that a connection did exist between short-term stock price and the bad news of a vulnerability in the company's software, but more analysis needs to be done, said Bruce Schneier, chief technology officer for network monitoring firm Counterpane Internet Security and author of eight books on security, encryption and privacy.

"I want to know if it is more than just bad news about a company that affects stock price," said Schneier, who attended the researchers' presentation. "I want to know if there is more of a long term effect, and that question they didn't answer."

The researchers did show that, compared to the effect of other types of product-related defects, the disclosure of software flaws seems to have the least impact. The two researchers found that the 0.63 per cent decrease fell below the estimated 2.1 per cent drop in the stock price of companies that were victims of public security breaches, or the estimated 0.81 per cent drop in the stock price of auto makers that recalled their vehicles.

Other factors, such as missing the ship date for a product, may also have greater impacts, but were not studied by the researchers. So even if there is a connection between public vulnerability disclosure and stock price, the penalty for having vulnerabilities may not be high enough to convince product managers to spend more time on security, said Amit Jasuja, vice president of product management for database maker Oracle's security group.

"Investors respond to anything that hurts the bottom line," Jasuja said. "Not shipping a product on time hurts the stock price as well. I am not sure there is an easy answer. As a product manager, I will still make sure that the product meets all the exit criteria before it ships."

Copyright © 2005, SecurityFocus