TY - GEN
T1 - Understanding the hidden cost of software vulnerabilities
T2 - 14th International EAI Conference on Security and Privacy in Communication Networks, SecureComm 2018
AU - Anwar, Afsah
AU - Khormali, Aminollah
AU - Nyang, Dae Hun
AU - Mohaisen, Aziz
N1 - Funding Information:
Acknowledgement. This work is supported in part by NSF grant CNS-1809000 and NRF grant NRF-2016K1A1A2912757. Part of this work has been presented as a poster at ACM AsiaCCS 2018 [38].
Publisher Copyright:
© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.
PY - 2018
Y1 - 2018
N2 - Vulnerabilities have a detrimental effect on end-users and enterprises, both direct and indirect, including loss of private data, intellectual property, the competitive edge, performance, etc. Despite the growing software industry and a push towards a digital economy, enterprises are increasingly considering security as an added cost, which makes it necessary for those enterprises to see a tangible incentive in adopting security. Furthermore, despite data breach laws that are in place, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities. In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. Towards this goal, we perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implication of software vulnerabilities. We further build a model for stock price prediction using the NARX Neural Network model to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better accuracy. Our analysis also shows that the effect of vulnerabilities on vendors varies, and greatly depends on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, some others were not affected at all.
KW - National vulnerability database
KW - Prediction
KW - Vulnerability economics
UR - http://www.scopus.com/inward/record.url?scp=85059689535&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-01701-9_21
DO - 10.1007/978-3-030-01701-9_21
M3 - Conference contribution
AN - SCOPUS:85059689535
SN - 9783030017002
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 377
EP - 395
BT - Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings
A2 - Li, Yingjiu
A2 - Chang, Bing
A2 - Zhu, Sencun
A2 - Beyah, Raheem
PB - Springer Verlag
Y2 - 8 August 2018 through 10 August 2018
ER -