Researchers in the area of information security have mainly been concerned with the tools, techniques and policies that firms can use to protect themselves against security breaches. However, information security is as much about security software as it is about secure software. Software is not secure when it contains defects or flaws that an attacker can exploit, for example to gain unauthorized access or to mount a denial-of-service attack. Any public announcement of such a software defect is termed a ‘vulnerability disclosure’. Although research in software economics has studied firms’ incentives to improve overall quality, no study has shown whether software vendors have an incentive to invest in building more secure software. This paper uses the event study methodology to examine the role that financial markets play in determining software vendors’ incentives to build more secure software. Data are collected from leading national newspapers and industry sources such as CERT by searching for reports of published software vulnerabilities. It is shown that vulnerability disclosures lead to a negative and significant change in the market value of the software vendor. On average, a vendor loses around 0.6% of its stock price when a vulnerability is reported, which is equivalent to a loss in market capitalization of $0.86 billion per vulnerability announcement. To provide further insight, the information content of the disclosure announcement is used to classify vulnerabilities into various types.