Measuring the Cost of Software Vulnerabilities

Afsah Anwar; Aminollah Khormali; Jinchun Choi; Hisham Alasmary; Sung Choi; Saeed Salem; DaeHun Nyang; David Mohaisen

Research Article

Measuring the Cost of Software Vulnerabilities

Download1832 downloads

Cite: BibTeX Plain Text

@ARTICLE{10.4108/eai.13-7-2018.164551,
    author={Afsah Anwar and Aminollah Khormali and Jinchun Choi and Hisham Alasmary and Sung J. Choi and Saeed Salem and DaeHun Nyang and David Mohaisen},
    title={Measuring the Cost of Software Vulnerabilities},
    journal={EAI Endorsed Transactions on Security and Safety},
    volume={7},
    number={23},
    publisher={EAI},
    journal_a={SESA},
    year={2020},
    month={5},
    keywords={Vulnerability Economics, Stock Return Prediction, NVD},
    doi={10.4108/eai.13-7-2018.164551}
}

Afsah Anwar
Aminollah Khormali
Jinchun Choi
Hisham Alasmary
Sung J. Choi
Saeed Salem
DaeHun Nyang
David Mohaisen
Year: 2020
Measuring the Cost of Software Vulnerabilities
SESA
EAI
DOI: 10.4108/eai.13-7-2018.164551

Afsah Anwar¹^,*, Aminollah Khormali¹, Jinchun Choi^1,2, Hisham Alasmary^1,3, Sung J. Choi¹, Saeed Salem⁴, DaeHun Nyang⁵, David Mohaisen¹

1: University of Central Florida, Orlando, FL 32816, USA
2: Inha University, Incheon, Republic of Korea
3: King Khalid University, Abha, Saudi Arabia
4: North Dakota State University, Fargo, ND, USA
5: Ewha Womans University, Seoul, Republic of Korea

*Contact email: afsahanwar@knights.ucf.edu

Abstract

Enterprises are increasingly considering security as an added cost, making it necessary for those enterprises to see a tangible incentive in adopting security measures. Despite data breach laws, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramiﬁcations of security breaches and vulnerabilities. In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. We perform a high-ﬁdelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implication of software vulnerabilities. We further build a model for stock price prediction using the nonlinear autoregressive neural network with exogenous factors (NARX) Neural Network model to estimate the eﬀect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better prediction performance. Our analysis also shows that the eﬀect of vulnerabilities on vendors varies, and greatly depends on the speciﬁc software industry. Whereas some industries are shown statistically to be aﬀected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, some others were not aﬀected at all.

Keywords: Vulnerability Economics, Stock Return Prediction, NVD

Received: 2020-03-24
Accepted: 2020-05-06
Published: 2020-05-12
Publisher: EAI

: http://dx.doi.org/10.4108/eai.13-7-2018.164551

Copyright © 2020 Afsah Anwar et al., licensed to EAI. This is an open access article distributed under the terms of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/), which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.