An empirical analysis of the impact of software vulnerability announcements on firm stock price

IEEE Transactions on Software Engineering

Volumn 33, Issue 8, 2007, Pages 544-557

  Telang, Rahul ^a   Wattal, Sunil ^b  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b TEMPLE UNIVERSITY   (United States)

Author keywords

Event study; Information security; Patching; Quality; Software vendors; Software vulnerability

Indexed keywords

EMPIRICAL ANALYSIS; SOFTWARE VENDORS; SOFTWARE VULNERABILITY;

COMMERCE; COSTS; QUALITY OF SERVICE; SECURITY OF DATA; SOFTWARE DESIGN; SOFTWARE ENGINEERING;

COMPUTER SOFTWARE SELECTION AND EVALUATION;

EID: 34547100991     PISSN: 00985589     EISSN: None     Source Type: Journal    
DOI: 10.1109/TSE.2007.70712     Document Type: Article

References (48)

1. A. Applewhite, "Whose Bug Is It Anyway? The Battle over Handling Software Flaws," IEEE Software, vol. 21, no. 2, pp. 94-97, Mar.-Apr. 2004.
2. R. Anderson, "Why Information Security Is Hard - An Economic Perspective," Proc. 17th Ann. Computer Security Applications Conf. 2001.
3. A. Arora, J. Caulkins, and R. Telang, "Sell First, Fix Later: Impact of Patching on Software Quality," research note, Management Science, vol. 52, no. 3, pp. 465-471, 2006.
4. A. Arora, R. Telang, and H. Xu, "Optimal Policy for Software Vulnerability Disclosure," Proc. Workshop Economics of Information Security (WEIS '04), 2004.
5. H. Barki, H. Rivard, S.J. Talbot, "Toward an Assessment of Software Development Risk," J. Management Information Systems, vol. 10, no. 2, pp. 203-225, 1993.
6. V.R. Basiliand and J.D. Musa, "The Future Engineering of Software: A Management Perspective," Computer, vol. 20, no. 4, pp. 90-96, Apr. 1991.
7. S.J. Brown and J.B. Warner, "Measuring Security Price Performance," J. Financial Economics, vol. 8, pp. 205-258, 1980.
8. S.J. Brown and J.B. Warner, "Using Daily Stock Returns: The Case of Event Studies," J. Financial Economics, vol 14, pp. 3-31, 1985.
9. E. Brynjolfsson and C.F. Kemerer, "Network Externalities in Microcomputer Software: An Econometric Analysis of the Spreadsheet Market," Management Science, vol. 42, no. 12, pp. 1627-1647, 1996.
10. J.Y. Campbell, W.L. Andrew, and A.C. MacKinlay, The Econometrics of Financial Markets. Princeton Univ. Press, 1997.
11. K. Campbell, L.A. Gordon, M.P. Loeb, and L. Zhou, "The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market," J. Computer Security, vol 11, no. 3, pp. 431-448, 2003.
12. H. Cavusoglu, B. Mishra, and S. Raghunathan, "The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers," Int'l J. Electronic Commerce, vol. 9, no. 1, p. 69, 2004.
13. D. Chatterjee, V.J. Richardson, and R.W. Zmud, "Examining the Shareholder Wealth Effects of Announcements of Newly Created CIO Positions," MIS Quarterly, vol. 25, no. 1, pp. 43-70, 2001.
14. J. Clayman, "Microsoft Security Response Center (A), Case 9B01E019," Richard Ivey School of Business, 2001.
15. M.J. Cooper, O. Dimitrov, and P.R. Rau, "A Rose.com by Any Other Name" J. Finance," vol. 6, pp. 2371-2387, 2001.
16. M.A. Cusumano, "Who Is Liable for Bugs and Security Flaws in Software?" Comm. ACM, vol. 47, no. 3, pp. 25-27, 2004.
17. W.L. Davidson III and D.L. Worrell, "The Effect of Product Recall Announcements on Shareholder Wealth," Strategic Management J., vol. 13, no. 6, pp. 467-473, 1992.
18. P. Devanbu and S. Stubblebine, "Software Engineering for Security: A Roadmap," Future of Software Eng., pp. 225-239, 2000.
19. B.L. Dos Santos, K. Peffers, and D. Mauer, "The Impact of Information Technology on the Market Value of the Firm," Information Systems Research, vol. 4, pp. 1-23, Mar. 1993.
20. J.M. Gallaugher and Y.M. Yang, "Understanding Network Effects in Software Markets: Evidence from Webserver Pricing," MIS Quarterly vol 26, no. 4, pp. 303-327, 2002.
21. N. Gandal, "Hedonic Price Indexes for Spreadsheets and an Empirical Test for Network Externalities," Rand J. Economics, vol. 25, no. 1, pp. 160-170, 1994.
22. A.S. Goldberger, Introductory Econometrics. Harvard Univ. Press, 1998.
23. L.A. Gordon and M.P. Loeb, "The Economics of Information Security Investments," ACM Trans. Information and Systems Security, vol. 5, no. 4, pp. 438-457, 2002.
24. L.A. Gordon, M.P. Loeb, and T. Sohail, "A Framework for Using Insurance for Cyber Risk Management," Comm. ACM, vol. 46, no. 3, pp. 81-85, 2003.
25. W.H. Greene, Econometric Analysis. Prentice Hall, 2002.
26. D.E. Harter, M.S. Krishnan, and S.A. Slaughter, "Effects of Process Maturity on Quality, Cycle Time, and Effort in Software Product Development," Management Science, vol. 46, no. 4, pp. 451-466, 2000.
27. K.B. Hendricks and V.R. Singhal, "Quality Awards and the Market Value of the Firm: An Empirical Investigation," Management Science, vol 42, no. 2, pp. 415-436, 1996.
28. K.B. Hendricks and V.R. Singhal, "Delays in New Product Introductions and the Market Value of the Firm: The Consequences of Being Late to the Market," Management Science, vol 43, no. 4, pp. 422-436, 1997.
29. G.J. Holzmann, "Economics of Software Verification," Proc. Workshop Program Analysis of Software Tools and Eng., 2001.
30. A. Hovav and J. D'Arcy, "The Impact of Denial-of-Service Attack Announcements of the Market Value of Firms," Risk Management and Insurance Rev., vol. 6, no. 2, pp. 97-121, 2003.
31. A. Hovav and J. D'Arcy, "Capital Market Reaction to Defective IT Products: The Case of Computer Viruses," Computers and Security, vol. 24, pp. 409-424, 2005.
32. K.S. Im, K.E. Dow, and V. Grover, "Research Report: A Reexamination of IT Investment and the Market Value of the Firm_An Event Study Methodology," Information Systems Research, vol. 12, no. 1, pp. 103-117, 2001.
33. G. Jarrell and S. Peltzman, "The Impact of Product Recalls on the Wealth of Sellers," J. Political Economy, vol. 93, no. 1, pp. 512-536, 1985.
34. K. Kannan, R. Telang, "Market for Software Vulnerabilities? Think Again," Management Science, vol. 51, no. 5, pp. 726-740, 2005.
35. K. Kannan, J. Rees, and S. Sridhar, "Reexamining the Impact of Information Security Breach Announcements on Firm Performance," working paper, 2004.
36. S.P. Kothari and J.P. Warner, "Econometrics of Event Studies," Handbook of Empirical Corporate Finance, Espin Eckbo, ed. pp. 33-36, Elsevier-North-Holland, 2007.
37. A.C. MacKinlay, "Event Studies in Economics and Finance," J. Economic Literature, vol. 35, no. 1, pp. 13-39, 1997.
38. G. McGraw, "Software Security" IEEE Security and Privacy, vol. 2, no. 2, pp. 80-83, 2004.
39. "The Economic Impacts of Inadequate Infrastructure for Software Testing," US Nat'l Inst. of Standards and Technology, http://www.nist.gov/director/prog-ofc/report02-3.pdf, 2002.
40. K. Palepu, "Diversification Strategy, Profit Performance and the Entropy Measure," Strategic Management J., vol. 6, pp. 239-255, 1985.
41. M. Paulk, C. Weber, W. Curtis, and M. Chrissis, "The Capability Maturity Model: Guidelines for Improving the Software Process," Software Eng. Inst., Carnegie Mellon Univ., 1994.
42. C.P. Pfleeger, "The Fundamentals of Information Security," IEEE Software, vol. 14, no. 1, pp. 15-17, Jan.-Feb. 1997.
43. D. Ryan, "Two Views of Security Software Liability," IEEE Security and Privacy, pp. 70-73, Jan.-Feb. 2003.
44. S.A. Slaughter, D.E. Harter, and M.S. Krishnan, "Evaluating the Cost of Software Quality," Comm. ACM, vol. 41, no. 8, pp. 67-73, 1998.
45. M. Subramani and E. Walden, "The Impact of E-Commerce Announcements on the Market Value of Firms," Information Systems Research, vol 12, no. 2, pp. 135-154, 2001.
46. L. Wallace, M. Keil, and A. Rai, "How Software Project Risk Affects Project Performance: An Investigation of the Dimensions of Risk and An Exploratory Model," Decision Sciences, vol. 35, no. 2, pp. 289-321, 2004.
47. H. Wang and C. Wang, "Taxonomy of Security Considerations and Software Quality," Comm. ACM, vol. 46, no. 6, pp. 75-78, 2003.
48. J.C. Westland, "The Cost Behavior of Software Defects," Decision Sciences, vol. 37, pp. 229-238, 2003.