Study: Flaw disclosure hurts software makers' stock

But for how long?

Software makers stand to lose significant market value whenever a flaw is found in their products, two university researchers said in a paper published last week.

The study analyzed the release of 146 vulnerabilities and found that a software company's stock price decreases 0.63 percent compared to the tech-heavy NASDAQ on the day a flaw in that company's product is announced. The study assumed that the stock of a company would have the same trend as the stock index, and that any departure from the index would be due to the disclosure.

"Investors pay attention and feel that (a vulnerability announcement) signals poor quality of the product and reputation loss for the firm and, hence, are willing to punish them," Rahul Telang, assistant professor of information systems at Carnegie Mellon University and co-author of the paper, said in an email interview. "Therefore, we found evidence that such disclosure does create incentives for vendors to invest in better security."

While many security experts have pointed to evidence that fixing security issues early in software development costs far less than fixing the holes after the product has shipped, the Carnegie Mellon study is the first time that investors' reaction to software vulnerabilities has been measured.

The paper, presented at the Workshop on the Economics of Information Security, measured the statistical effects of 146 vulnerability disclosures on 18 publicly traded companies whose software products contained the flaws. The paper's other author, Sunil Wattal, is a graduate student of information systems at Carnegie Mellon.

The survey of 146 incidents of vulnerability disclosure found that almost two thirds of the announcements were followed by the software maker's stock falling compared to the NASDAQ market average. The average vendor's stock fell 0.63 percent compared to the technology index the day a vulnerability in the company's product was released. Analysis of the models showed that the decrease is statistically significant, the paper stated.

Increasing the time period under consideration from one day to two days gives similar results, an average decrease in the stock price of the software maker of 0.65 per cent compared to the NASDAQ, and only weakens the statistical significance slightly.
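To make the event-study arithmetic the article describes concrete, here is an added Python example (not code from the paper or the article) that computes market-adjusted abnormal returns over one- and two-day windows for a handful of constructed disclosure events and reports the mean, a t-statistic and the share of events with a negative return. The prices are made up for illustration and are not the paper's data.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Constructed sample (not from the paper): for each disclosure event, the vendor's
# closing prices and the NASDAQ closes for day -1 (the close before the
# announcement), day 0 (announcement day) and day +1.
EVENTS: List[Tuple[Sequence[float], Sequence[float]]] = [
    ((50.00, 49.40, 49.10), (2000.0, 2004.0, 2010.0)),
    ((30.00, 30.10, 29.80), (2000.0, 1990.0, 1985.0)),
    ((80.00, 78.90, 79.30), (2000.0, 1996.0, 2001.0)),
    ((12.00, 12.05, 12.00), (2000.0, 2020.0, 2025.0)),
    ((45.00, 44.60, 44.20), (2000.0, 2002.0, 2003.0)),
]


def daily_returns(closes: Sequence[float]) -> List[float]:
    """Simple day-over-day returns from a series of closing prices."""
    return [closes[i] / closes[i - 1] - 1.0 for i in range(1, len(closes))]


def abnormal_return(vendor: Sequence[float], index: Sequence[float], window: int) -> float:
    """Cumulative abnormal return over the first `window` days from the announcement.

    Uses the market-adjusted model the article describes: the vendor's stock is
    assumed to track the index, so any gap between the two is attributed to the
    disclosure. CAR = sum over the window of (vendor return - index return).
    """
    v = daily_returns(vendor)[:window]
    m = daily_returns(index)[:window]
    return sum(rv - rm for rv, rm in zip(v, m))


def event_study(events: Sequence[Tuple[Sequence[float], Sequence[float]]], window: int) -> Dict[str, float]:
    """Mean CAR across events, a one-sample t-statistic against zero, and the
    fraction of events whose CAR was negative (the 'two-thirds' figure)."""
    cars = [abnormal_return(v, m, window) for v, m in events]
    n = len(cars)
    mean = sum(cars) / n
    var = sum((c - mean) ** 2 for c in cars) / (n - 1)  # sample variance
    t_stat = mean / math.sqrt(var / n) if var > 0 else float("inf")
    negative_share = sum(1 for c in cars if c < 0) / n
    return {"mean_car": mean, "t_stat": t_stat, "negative_share": negative_share}


if __name__ == "__main__":
    for w in (1, 2):
        r = event_study(EVENTS, w)
        print(f"{w}-day window: mean CAR {r['mean_car']:+.4%}, "
              f"t = {r['t_stat']:.2f}, negative in {r['negative_share']:.0%} of events")
```

With only five constructed events the t-statistic is not significant at conventional levels; the paper's claim of significance rests on its 146 real disclosures.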

The effects of vulnerability disclosure are most evident when the flaw is publicized by the press or the software maker. In those cases, the vendor's stock performs nearly one per cent worse than the NASDAQ average, according to the paper.

While the full disclosure community generally argues that public announcement of a vulnerability increases awareness of the dangers for system administrators, the effect of such announcements on stock price shows there is a significant secondary reason for disclosure: a penalty for companies that don't secure their products adequately.

However, the paper also suggests that immediate disclosure of vulnerabilities, before a patch is available from the software maker, punishes companies to a higher degree. If the patch is available, a company's stock price falls 0.37 percent below the NASDAQ on average, while disclosing a vulnerability before a patch is available signaled a decrease of 1.49 percent, according to the paper.

Surprisingly, investors appear to punish software giant Microsoft far less for its vulnerabilities, with that company's stock price falling 0.28 percent compared to the NASDAQ on days flaws in its products are revealed. Other companies suffered an average decrease of 0.91 percent, the paper stated.

The researchers' presentation showed that a connection did exist between short-term stock price and the bad news of a vulnerability in the company's software, but more analysis needs to be done, said Bruce Schneier, chief technology officer for network monitoring firm Counterpane Internet Security and author of eight books on security, encryption and privacy.

"I want to know if it is more than just bad news about a company that affects stock price," said Schneier, who attended the researchers' presentation. "I want to know if there is more of a long term effect, and that question they didn't answer."

The researchers did show that, compared to the effect of other types of product-related defects, the disclosure of software flaws seems to have the least impact. The two researchers found that the 0.63 per cent decrease fell below the estimated 2.1 per cent drop in the stock price of companies that were victims of public security breaches, or the estimated 0.81 per cent drop in the stock price of auto makers that recalled their vehicles.

Other factors, such as missing the ship date for a product, may also have greater impacts, but were not studied by the researchers. So even if there is a connection between public vulnerability disclosure and stock price, the penalty for having vulnerabilities may not be high enough to convince product managers to spend more time on security, said Amit Jasuja, vice president of product management for database maker Oracle's security group.

"Investors respond to anything that hurts the bottom line," Jasuja said. "Not shipping a product on time hurts the stock price as well. I am not sure there is an easy answer. As a product manager, I will still make sure that the product meets all the exit criteria before it ships."

Copyright © 2005, SecurityFocus