Understanding the hidden cost of software vulnerabilities: Measurements and predictions

Afsah Anwar; Aminollah Khormali; Dae Hun Nyang; Aziz Mohaisen

doi:10.1007/978-3-030-01701-9_21

Understanding the hidden cost of software vulnerabilities: Measurements and predictions

Afsah Anwar, Aminollah Khormali, Dae Hun Nyang, Aziz Mohaisen

Cyber Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Scopus citations

Abstract

Vulnerabilities have a detrimental effect on end-users and enterprises, both direct and indirect; including loss of private data, intellectual property, the competitive edge, performance, etc. Despite the growing software industry and a push towards a digital economy, enterprises are increasingly considering security as an added cost, which makes it necessary for those enterprises to see a tangible incentive in adopting security. Furthermore, despite data breach laws that are in place, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities. In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. Towards this goal, we perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implication of software vulnerabilities. We further build a model for stock price prediction using the NARX Neural Network model to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better accuracy. Our analysis also shows that the effect of vulnerabilities on vendors varies, and greatly depends on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, some others were not affected at all.

Original language	English
Title of host publication	Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings
Editors	Yingjiu Li, Bing Chang, Sencun Zhu, Raheem Beyah
Publisher	Springer Verlag
Pages	377-395
Number of pages	19
ISBN (Print)	9783030017002
DOIs	https://doi.org/10.1007/978-3-030-01701-9_21
State	Published - 2018
Event	14th International EAI Conference on Security and Privacy in Communication Networks, SecureComm 2018 - Singapore, Singapore Duration: 8 Aug 2018 → 10 Aug 2018

Publication series

Name	Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume	254
ISSN (Print)	1867-8211

Conference

Conference	14th International EAI Conference on Security and Privacy in Communication Networks, SecureComm 2018
Country/Territory	Singapore
City	Singapore
Period	8/08/18 → 10/08/18

Keywords

National vulnerability database
Prediction
Vulnerability economics

Access to Document

10.1007/978-3-030-01701-9_21

Cite this

Anwar, A., Khormali, A., Nyang, D. H., & Mohaisen, A. (2018). Understanding the hidden cost of software vulnerabilities: Measurements and predictions. In Y. Li, B. Chang, S. Zhu, & R. Beyah (Eds.), Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings (pp. 377-395). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 254). Springer Verlag. https://doi.org/10.1007/978-3-030-01701-9_21

Anwar, Afsah ; Khormali, Aminollah ; Nyang, Dae Hun et al. / Understanding the hidden cost of software vulnerabilities : Measurements and predictions. Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings. editor / Yingjiu Li ; Bing Chang ; Sencun Zhu ; Raheem Beyah. Springer Verlag, 2018. pp. 377-395 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST).

@inproceedings{2107d7f4ea74478e9bc705d50fe66f6a,

title = "Understanding the hidden cost of software vulnerabilities: Measurements and predictions",

abstract = "Vulnerabilities have a detrimental effect on end-users and enterprises, both direct and indirect; including loss of private data, intellectual property, the competitive edge, performance, etc. Despite the growing software industry and a push towards a digital economy, enterprises are increasingly considering security as an added cost, which makes it necessary for those enterprises to see a tangible incentive in adopting security. Furthermore, despite data breach laws that are in place, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities. In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. Towards this goal, we perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implication of software vulnerabilities. We further build a model for stock price prediction using the NARX Neural Network model to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better accuracy. Our analysis also shows that the effect of vulnerabilities on vendors varies, and greatly depends on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, some others were not affected at all.",

keywords = "National vulnerability database, Prediction, Vulnerability economics",

author = "Afsah Anwar and Aminollah Khormali and Nyang, {Dae Hun} and Aziz Mohaisen",

note = "Funding Information: Acknowledgement. This work is supported in part by NSF grant CNS-1809000 and NRF grant NRF-2016K1A1A2912757. Part of this work has been presented as a poster at ACM AsiaCCS 2018 [38]. Publisher Copyright: {\textcopyright} ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.; 14th International EAI Conference on Security and Privacy in Communication Networks, SecureComm 2018 ; Conference date: 08-08-2018 Through 10-08-2018",

year = "2018",

doi = "10.1007/978-3-030-01701-9_21",

language = "English",

isbn = "9783030017002",

series = "Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST",

publisher = "Springer Verlag",

pages = "377--395",

editor = "Yingjiu Li and Bing Chang and Sencun Zhu and Raheem Beyah",

booktitle = "Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings",

}

Anwar, A, Khormali, A, Nyang, DH & Mohaisen, A 2018, Understanding the hidden cost of software vulnerabilities: Measurements and predictions. in Y Li, B Chang, S Zhu & R Beyah (eds), Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings. Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST, vol. 254, Springer Verlag, pp. 377-395, 14th International EAI Conference on Security and Privacy in Communication Networks, SecureComm 2018, Singapore, Singapore, 8/08/18. https://doi.org/10.1007/978-3-030-01701-9_21

Understanding the hidden cost of software vulnerabilities: Measurements and predictions. / Anwar, Afsah; Khormali, Aminollah; Nyang, Dae Hun et al.
Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings. ed. / Yingjiu Li; Bing Chang; Sencun Zhu; Raheem Beyah. Springer Verlag, 2018. p. 377-395 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 254).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Understanding the hidden cost of software vulnerabilities

T2 - 14th International EAI Conference on Security and Privacy in Communication Networks, SecureComm 2018

AU - Anwar, Afsah

AU - Khormali, Aminollah

AU - Nyang, Dae Hun

AU - Mohaisen, Aziz

N1 - Funding Information: Acknowledgement. This work is supported in part by NSF grant CNS-1809000 and NRF grant NRF-2016K1A1A2912757. Part of this work has been presented as a poster at ACM AsiaCCS 2018 [38]. Publisher Copyright: © ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.

PY - 2018

Y1 - 2018

N2 - Vulnerabilities have a detrimental effect on end-users and enterprises, both direct and indirect; including loss of private data, intellectual property, the competitive edge, performance, etc. Despite the growing software industry and a push towards a digital economy, enterprises are increasingly considering security as an added cost, which makes it necessary for those enterprises to see a tangible incentive in adopting security. Furthermore, despite data breach laws that are in place, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities. In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. Towards this goal, we perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implication of software vulnerabilities. We further build a model for stock price prediction using the NARX Neural Network model to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better accuracy. Our analysis also shows that the effect of vulnerabilities on vendors varies, and greatly depends on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, some others were not affected at all.

AB - Vulnerabilities have a detrimental effect on end-users and enterprises, both direct and indirect; including loss of private data, intellectual property, the competitive edge, performance, etc. Despite the growing software industry and a push towards a digital economy, enterprises are increasingly considering security as an added cost, which makes it necessary for those enterprises to see a tangible incentive in adopting security. Furthermore, despite data breach laws that are in place, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities. In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. Towards this goal, we perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implication of software vulnerabilities. We further build a model for stock price prediction using the NARX Neural Network model to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better accuracy. Our analysis also shows that the effect of vulnerabilities on vendors varies, and greatly depends on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, some others were not affected at all.

KW - National vulnerability database

KW - Prediction

KW - Vulnerability economics

UR - http://www.scopus.com/inward/record.url?scp=85059689535&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-01701-9_21

DO - 10.1007/978-3-030-01701-9_21

M3 - Conference contribution

AN - SCOPUS:85059689535

SN - 9783030017002

T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST

SP - 377

EP - 395

BT - Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings

A2 - Li, Yingjiu

A2 - Chang, Bing

A2 - Zhu, Sencun

A2 - Beyah, Raheem

PB - Springer Verlag

Y2 - 8 August 2018 through 10 August 2018

ER -

Anwar A, Khormali A, Nyang DH, Mohaisen A. Understanding the hidden cost of software vulnerabilities: Measurements and predictions. In Li Y, Chang B, Zhu S, Beyah R, editors, Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings. Springer Verlag. 2018. p. 377-395. (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST). doi: 10.1007/978-3-030-01701-9_21

Understanding the hidden cost of software vulnerabilities: Measurements and predictions

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this