Abstract
Vulnerabilities have a detrimental effect on end-users and enterprises, both direct and indirect, including loss of private data, intellectual property, competitive edge, and performance. Despite the growing software industry and a push towards a digital economy, enterprises increasingly consider security an added cost, which makes it necessary for those enterprises to see a tangible incentive in adopting security. Furthermore, despite the data breach laws that are in place, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities.
In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. Towards this goal, we perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates, which serve as the baseline for estimating the implication of software vulnerabilities. We further build a stock price prediction model using the NARX Neural Network to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better accuracy. Our analysis also shows that the effect of vulnerabilities on vendors varies and depends greatly on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, others were not affected at all.
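The abstract describes a counterfactual workflow: fit a time-series model on prices observed before the (estimated) disclosure date, forecast what the price would have done without the disclosure, and read the gap between forecast and actual as the hidden cost. The following is an added illustration of that workflow; it is not code from the paper or its authors. A linear autoregressive model fitted by least squares stands in for the paper's NARX neural network, the price series and the disclosure index are constructed, and the disclosure index is assumed to already be the estimated disclosure date rather than the NVD publication date (the abstract notes these can differ).

```python
"""Counterfactual estimate of a disclosure's stock-price effect.

Added example, not the paper's code. A least-squares AR model replaces the
paper's NARX network; the fit-forecast-compare workflow is the same.
"""
from typing import Dict, List


def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a*x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular system: lags are collinear, lower the order")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        s = m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))
        x[r] = s / m[r][r]
    return x


def fit_ar(prices: List[float], order: int) -> List[float]:
    """Least-squares fit of p_t = w_1 p_{t-1} + ... + w_k p_{t-k} + w_0.

    Returns [w_1, ..., w_k, w_0] via the normal equations X^T X w = X^T y.
    """
    rows, targets = [], []
    for t in range(order, len(prices)):
        rows.append([prices[t - k] for k in range(1, order + 1)] + [1.0])
        targets.append(prices[t])
    if len(rows) < order + 1:
        raise ValueError("not enough pre-disclosure observations for this order")
    n = order + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    xty = [sum(r[i] * y for r, y in zip(rows, targets)) for i in range(n)]
    return solve_linear(xtx, xty)


def forecast(history: List[float], weights: List[float], horizon: int) -> List[float]:
    """Recursive multi-step forecast: each prediction feeds the next lag vector."""
    order = len(weights) - 1
    seq = list(history)
    out = []
    for _ in range(horizon):
        lags = [seq[-k] for k in range(1, order + 1)]
        nxt = sum(w * x for w, x in zip(weights[:order], lags)) + weights[order]
        out.append(nxt)
        seq.append(nxt)
    return out


def estimate_disclosure_impact(prices: List[float], disclosure_idx: int,
                               order: int = 1, horizon: int = 4) -> Dict[str, object]:
    """Fit on prices before disclosure_idx, forecast the post-disclosure window,
    and report forecast-minus-actual as the estimated hidden cost."""
    pre = prices[:disclosure_idx]
    actual = prices[disclosure_idx:disclosure_idx + horizon]
    weights = fit_ar(pre, order)
    counterfactual = forecast(pre, weights, len(actual))
    gaps = [f - a for f, a in zip(counterfactual, actual)]
    cumulative = sum(gaps)
    return {
        "weights": weights,
        "counterfactual": counterfactual,
        "actual": actual,
        "gaps": gaps,
        "cumulative_gap": cumulative,
        # share of the counterfactual price path lost over the window
        "relative_gap": cumulative / sum(counterfactual),
    }


# Constructed sample: ten pre-disclosure closes rising one unit per day,
# then four post-disclosure closes that flatten and dip. Hypothetical values.
SAMPLE_PRICES = [100.0 + i for i in range(10)] + [110.0, 108.0, 107.0, 107.5]
SAMPLE_DISCLOSURE_IDX = 10  # assumed to be the estimated disclosure date

if __name__ == "__main__":
    result = estimate_disclosure_impact(SAMPLE_PRICES, SAMPLE_DISCLOSURE_IDX)
    for key in ("counterfactual", "actual", "gaps", "cumulative_gap", "relative_gap"):
        print(f"{key}: {result[key]}")
```

On the constructed series the AR(1) fit recovers the pre-disclosure trend exactly, so the counterfactual path continues it and the cumulative gap is the price drop the trend did not predict. With real NVD-linked data the model order, the training window and above all the choice of disclosure date drive the result; a publication date that lags the real disclosure places part of the market reaction inside the training window and understates the effect.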
References
Wang, A., Mohaisen, A., Chang, W., Chen, S.: Delving into internet DDoS attacks by botnets: characterization and analysis. In: Proceedings of the 45th International Conference on Dependable Systems and Networks (DSN), Rio de Janeiro, Brazil, pp. 379–390 (2015)
Wang, A., Mohaisen, A., Chang, W., Chen, S.: Measuring and analyzing trends in recent distributed denial of service attacks. In: Proceedings of the 17th International Workshop on Information Security Applications (WISA), pp. 15–28 (2016)
Spaulding, J., Nyang, D., Mohaisen, A.: Understanding the effectiveness of typosquatting techniques. In: Proceedings of the 5th ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies, p. 9 (2017)
Tassey, G.: The economic impacts of inadequate infrastructure for software testing. National Institute of Standards and Technology, RTI Project, vol. 7007, no. 011 (2002)
Strasburg, J., Bunge, J.: Loss swamps trading firm, Knight Capital searches for partner as tab for computer glitch hits $440 million. Wall Street Journal (2012). http://search.proquest.com/docview/1033163975
Berr, J.: “WannaCry” ransomware attack losses could reach $4 billion, May 2017. http://cbsn.ws/2yYjif2
The cost impact of major virus attacks since 1995. http://www.computereconomics.com/article.cfm?id=936
Geppert, L.: Lost radio contact leaves pilots on their own. IEEE Spectr. 41(11), 16–17 (2004)
Jarrell, G., Peltzman, S.: The impact of product recalls on the wealth of sellers. J. Polit. Econ. 93(3), 512–536 (1985)
Hovav, A., D'Arcy, J.: Capital market reaction to defective IT products: the case of computer viruses. Comput. Secur. 24(5), 409–424 (2005)
Romanosky, S., Hoffman, D., Acquisti, A.: Empirical analysis of data breach litigation. J. Empir. Leg. Stud. 11(1), 74–104 (2014)
Spanos, G., Angelis, L.: The impact of information security events to the stock market: a systematic literature review. Comput. Secur. 58, 216–229 (2016)
Telang, R., Wattal, S.: An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Trans. Softw. Eng. 33(8), 544–557 (2007)
Goel, S., Shawky, H.A.: Estimating the market impact of security breach announcements on firm values. Inf. Manag. 46(7), 404–410 (2009)
Campbell, K., Gordon, L.A., Loeb, M.P., Zhou, L.: The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J. Comput. Secur. 11(3), 431–448 (2003)
Cavusoglu, H., Mishra, B., Raghunathan, S.: The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. Int. J. Electron. Commer. 9(1), 70–104 (2004)
Bose, I., Leung, A.C.M.: Do phishing alerts impact global corporations? A firm value analysis. Decis. Support. Syst. 64, 67–78 (2014)
Li, F., Paxson, V.: A large-scale empirical study of security patches. In: Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS), Dallas, TX, October–November 2017, pp. 2201–2215 (2017)
Nguyen, V.H., Massacci, F.: The (un)reliability of NVD vulnerable versions data: an empirical experiment on Google Chrome vulnerabilities. In: Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS), Sydney, Australia, pp. 493–498, March 2013
Christey, S., Martin, B.: Buying into the bias: why vulnerability statistics suck. BlackHat, Las Vegas, Technical report, vol. 1 (2013)
Romanosky, S., Telang, R., Acquisti, A.: Do data breach disclosure laws reduce identity theft? J. Policy Anal. Manag. 30(2), 256–286 (2011)
Gordon, L.A., Loeb, M.P., Zhou, L.: The impact of information security breaches: has there been a downward shift in costs? J. Comput. Secur. 19(1), 33–56 (2011)
Kar, A.: Stock prediction using artificial neural networks. Department of Computer Science and Engineering, IIT Kanpur (1990)
Farhang, S., Laszka, A., Grossklags, J.: An economic study of the effect of android platform fragmentation on security updates, arXiv preprint arXiv:1712.08222 (2017)
National Vulnerability Database (NVD). https://nvd.nist.gov/
Symbol lookup from Yahoo! finance. https://finance.yahoo.com/lookup/
CVE - common vulnerabilities and exposures (CVE). https://cve.mitre.org/
Common weakness enumeration. https://cwe.mitre.org/
Common vulnerability scoring system SIG. https://www.first.org/cvss/
CVSS version 3. https://www.first.org/cvss/cvss-v30-user_guide_v1.1.pdf
Elman, J.L.: Finding structure in time. Cogn. Sci. 14(2), 179–211 (1990)
Horne, B.G., Giles, C.L.: An experimental comparison of recurrent neural networks. In: Proceedings of the Advances in Neural Information Processing Systems 7, [NIPS Conference], pp. 697–704 (1994)
Moré, J.J.: The Levenberg-Marquardt algorithm: implementation and theory. In: Watson, G.A. (ed.) Numerical Analysis. LNM, vol. 630, pp. 105–116. Springer, Heidelberg (1978). https://doi.org/10.1007/BFb0067700
Box, G.E., Pierce, D.A.: Distribution of residual autocorrelations in autoregressive-integrated moving average time series models. J. Am. Stat. Assoc. 65(332), 1509–1526 (1970)
Menn, J.: Exclusive: Microsoft responded quietly after detecting secret database hack in 2013, October 2017. http://reut.rs/2ysNpw2
A social science approach to information security. http://bit.ly/2l7IefL
Violino, B.: Data breaches rising because of lack of cybersecurity acumen, December 2017. http://bit.ly/2CbIQKR
Anwar, A., Khormali, A., Mohaisen, A.: POSTER: understanding the hidden cost of software vulnerabilities: measurements and predictions. In: Proceedings of the 13th ACM Symposium on Information, Computer and Communications Security (ASIACCS), Incheon, Korea, June 2018
Acknowledgement
This work is supported in part by NSF grant CNS-1809000 and NRF grant NRF-2016K1A1A2912757. Part of this work has been presented as a poster at ACM AsiaCCS 2018 [38].
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Anwar, A., Khormali, A., Nyang, D., Mohaisen, A. (2018). Understanding the Hidden Cost of Software Vulnerabilities: Measurements and Predictions. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 254. Springer, Cham. https://doi.org/10.1007/978-3-030-01701-9_21
DOI: https://doi.org/10.1007/978-3-030-01701-9_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01700-2
Online ISBN: 978-3-030-01701-9
eBook Packages: Computer Science; Computer Science (R0)