
Understanding the Hidden Cost of Software Vulnerabilities: Measurements and Predictions

  • Conference paper

Abstract

Vulnerabilities have a detrimental effect on end-users and enterprises, both direct and indirect, including loss of private data, intellectual property, competitive edge, and performance. Despite the growing software industry and a push towards a digital economy, enterprises increasingly consider security an added cost, which makes it necessary for those enterprises to see a tangible incentive in adopting security. Furthermore, despite the data breach laws that are in place, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities.

In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. Towards this goal, we perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implications of software vulnerabilities. We further build a model for stock price prediction using the NARX neural network model to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better accuracy. Our analysis also shows that the effect of vulnerabilities on vendors varies, and depends greatly on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, others were not affected at all.


References

  1. Wang, A., Mohaisen, A., Chang, W., Chen, S.: Delving into internet DDoS attacks by botnets: characterization and analysis. In: Proceedings of the 45th International Conference on Dependable Systems and Networks (DSN), Rio de Janeiro, Brazil, pp. 379–390 (2015)

  2. Wang, A., Mohaisen, A., Chang, W., Chen, S.: Measuring and analyzing trends in recent distributed denial of service attacks. In: Proceedings of the 17th International Workshop on Information Security Applications (WISA), pp. 15–28 (2016)

  3. Spaulding, J., Nyang, D., Mohaisen, A.: Understanding the effectiveness of typosquatting techniques. In: Proceedings of the 5th ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies, p. 9 (2017)

  4. Tassey, G.: The economic impacts of inadequate infrastructure for software testing. National Institute of Standards and Technology, RTI Project, vol. 7007, no. 011 (2002)

  5. Strasburg, J., Bunge, J.: Loss swamps trading firm, Knight Capital searches for partner as tab for computer glitch hits $440 million. Wall Street Journal (2012). http://search.proquest.com/docview/1033163975

  6. Berr, J.: "WannaCry" ransomware attack losses could reach $4 billion, May 2017. http://cbsn.ws/2yYjif2

  7. The cost impact of major virus attacks since 1995. http://www.computereconomics.com/article.cfm?id=936

  8. Geppert, L.: Lost radio contact leaves pilots on their own. IEEE Spectr. 41(11), 16–17 (2004)

  9. Jarrell, G., Peltzman, S.: The impact of product recalls on the wealth of sellers. J. Polit. Econ. 93(3), 512–536 (1985)

  10. Hovav, A., D'Arcy, J.: Capital market reaction to defective IT products: the case of computer viruses. Comput. Secur. 24(5), 409–424 (2005)

  11. Romanosky, S., Hoffman, D., Acquisti, A.: Empirical analysis of data breach litigation. J. Empir. Leg. Stud. 11(1), 74–104 (2014)

  12. Spanos, G., Angelis, L.: The impact of information security events to the stock market: a systematic literature review. Comput. Secur. 58, 216–229 (2016)

  13. Telang, R., Wattal, S.: An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Trans. Softw. Eng. 33(8), 544–557 (2007)

  14. Goel, S., Shawky, H.A.: Estimating the market impact of security breach announcements on firm values. Inf. Manag. 46(7), 404–410 (2009)

  15. Campbell, K., Gordon, L.A., Loeb, M.P., Zhou, L.: The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J. Comput. Secur. 11(3), 431–448 (2003)

  16. Cavusoglu, H., Mishra, B., Raghunathan, S.: The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. Int. J. Electron. Commer. 9(1), 70–104 (2004)

  17. Bose, I., Leung, A.C.M.: Do phishing alerts impact global corporations? A firm value analysis. Decis. Support. Syst. 64, 67–78 (2014)

  18. Li, F., Paxson, V.: A large-scale empirical study of security patches. In: Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS), Dallas, TX, October–November 2017, pp. 2201–2215 (2017)

  19. Nguyen, V.H., Massacci, F.: The (un)reliability of NVD vulnerable versions data: an empirical experiment on Google Chrome vulnerabilities. In: Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS), Sydney, Australia, pp. 493–498, March 2013

  20. Christey, S., Martin, B.: Buying into the bias: why vulnerability statistics suck. BlackHat, Las Vegas, Technical report, vol. 1 (2013)

  21. Romanosky, S., Telang, R., Acquisti, A.: Do data breach disclosure laws reduce identity theft? J. Policy Anal. Manag. 30(2), 256–286 (2011)

  22. Gordon, L.A., Loeb, M.P., Zhou, L.: The impact of information security breaches: has there been a downward shift in costs? J. Comput. Secur. 19(1), 33–56 (2011)

  23. Kar, A.: Stock prediction using artificial neural networks. Department of Computer Science and Engineering, IIT Kanpur (1990)

  24. Farhang, S., Laszka, A., Grossklags, J.: An economic study of the effect of Android platform fragmentation on security updates. arXiv preprint arXiv:1712.08222 (2017)

  25. National Vulnerability Database (NVD). https://nvd.nist.gov/

  26. Symbol lookup from Yahoo! Finance. https://finance.yahoo.com/lookup/

  27. CVE - Common Vulnerabilities and Exposures (CVE). https://cve.mitre.org/

  28. Common Weakness Enumeration. https://cwe.mitre.org/

  29. Common Vulnerability Scoring System SIG. https://www.first.org/cvss/

  30. CVSS version 3. https://www.first.org/cvss/cvss-v30-user_guide_v1.1.pdf

  31. Elman, J.L.: Finding structure in time. Cogn. Sci. 14(2), 179–211 (1990)

  32. Horne, B.G., Giles, C.L.: An experimental comparison of recurrent neural networks. In: Proceedings of the Advances in Neural Information Processing Systems 7 (NIPS), pp. 697–704 (1994)

  33. Moré, J.J.: The Levenberg-Marquardt algorithm: implementation and theory. In: Watson, G.A. (ed.) Numerical Analysis. LNM, vol. 630, pp. 105–116. Springer, Heidelberg (1978). https://doi.org/10.1007/BFb0067700

  34. Box, G.E., Pierce, D.A.: Distribution of residual autocorrelations in autoregressive-integrated moving average time series models. J. Am. Stat. Assoc. 65(332), 1509–1526 (1970)

  35. Menn, J.: Exclusive: Microsoft responded quietly after detecting secret database hack in 2013, October 2017. http://reut.rs/2ysNpw2

  36. A social science approach to information security. http://bit.ly/2l7IefL

  37. Violino, B.: Data breaches rising because of lack of cybersecurity acumen, December 2017. http://bit.ly/2CbIQKR

  38. Anwar, A., Khormali, A., Mohaisen, A.: POSTER: understanding the hidden cost of software vulnerabilities: measurements and predictions. In: Proceedings of the 13th ACM Symposium on Information, Computer and Communications Security (ASIACCS), Incheon, Korea, June 2018


Acknowledgement

This work is supported in part by NSF grant CNS-1809000 and NRF grant NRF-2016K1A1A2912757. Part of this work has been presented as a poster at ACM AsiaCCS 2018 [38].


Corresponding author

Correspondence to Afsah Anwar.


Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Anwar, A., Khormali, A., Nyang, D., Mohaisen, A. (2018). Understanding the Hidden Cost of Software Vulnerabilities: Measurements and Predictions. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 254. Springer, Cham. https://doi.org/10.1007/978-3-030-01701-9_21


  • DOI: https://doi.org/10.1007/978-3-030-01701-9_21


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01700-2

  • Online ISBN: 978-3-030-01701-9
