Understanding the Hidden Cost of Software Vulnerabilities: Measurements and Predictions

  • Afsah Anwar
  • Aminollah Khormali
  • DaeHun Nyang
  • Aziz Mohaisen
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 254)


Vulnerabilities have a detrimental effect on end-users and enterprises, both direct and indirect; including loss of private data, intellectual property, the competitive edge, performance, etc. Despite the growing software industry and a push towards a digital economy, enterprises are increasingly considering security as an added cost, which makes it necessary for those enterprises to see a tangible incentive in adopting security. Furthermore, despite data breach laws that are in place, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities.

In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. Towards this goal, we perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implication of software vulnerabilities. We further build a model for stock price prediction using the NARX Neural Network model to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better accuracy. Our analysis also shows that the effect of vulnerabilities on vendors varies, and greatly depends on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, some others were not affected at all.


Vulnerability economics Prediction National vulnerability database 



This work is supported in part by NSF grant CNS-1809000 and NRF grant NRF-2016K1A1A2912757. Part of this work has been presented as a poster at ACM AsiaCCS 2018 [38].


  1. 1.
    Wang, A., Mohaisen, A., Chang, W., Chen, S.: Delving into internet DDoS attacks by botnets: characterization and analysis. In: Proceedings of the 45th International Conference on Dependable Systems and Networks (DSN), Rio de Janeiro, Brazil, pp. 379–390 (2015)Google Scholar
  2. 2.
    Wang, A., Mohaisen, A., Chang, W., Chen, S.: Measuring and analyzing trends in recent distributed denial of service attacks. In: Proceedings of the 17th International Workshop on Information Security Applications (WISA), pp. 15–28 (2016)CrossRefGoogle Scholar
  3. 3.
    Spaulding, J., Nyang, D., Mohaisen, A.: Understanding the effectiveness of typosquatting techniques. In: Proceedings of the 5th ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies, p. 9 (2017)Google Scholar
  4. 4.
    Tassey, G.: The economic impacts of inadequate infrastructure for software testing. National Institute of Standards and Technology, RTI Project, vol. 7007, no. 011 (2002)Google Scholar
  5. 5.
    Strasburg, J., Bunge, J.: Loss swamps trading firm, knight capital searches for partner as tab for computer glitch hits \$440 million. Wall Street Journal (2012).
  6. 6.
    Berr, J.: “WannaCry” ransomware attack losses could reach \(\$\)4 billion”, May 2017.
  7. 7.
    The cost impact of major virus attacks since 1995.
  8. 8.
    Geppert, L.: Lost radio contact leaves pilots on their own. IEEE Spectr. 41(11), 16–17 (2004)CrossRefGoogle Scholar
  9. 9.
    Jarrell, G., Peltzman, S.: The impact of product recalls on the wealth of sellers. J. Polit. Econ. 93(3), 512–536 (1985)CrossRefGoogle Scholar
  10. 10.
    Hovav, A., D’arcy, J.: Capital market reaction to defective it products: the case of computer viruses. Comput. Secur. 24(5), 409–424 (2005)CrossRefGoogle Scholar
  11. 11.
    Romanosky, S., Hoffman, D., Acquisti, A.: Empirical analysis of data breach litigation. J. Empir. Leg. Stud. 11(1), 74–104 (2014)CrossRefGoogle Scholar
  12. 12.
    Spanos, G., Angelis, L.: The impact of information security events to the stock market: a systematic literature review. Comput. Secur. 58, 216–229 (2016)CrossRefGoogle Scholar
  13. 13.
    Telang, R., Wattal, S.: An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Trans. Softw. Eng. 33(8), 544–557 (2007)CrossRefGoogle Scholar
  14. 14.
    Goel, S., Shawky, H.A.: Estimating the market impact of security breach announcements on firm values. Inf. Manag. 46(7), 404–410 (2009)CrossRefGoogle Scholar
  15. 15.
    Campbell, K., Gordon, L.A., Loeb, M.P., Zhou, L.: The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J. Comput. Secur. 11(3), 431–448 (2003)CrossRefGoogle Scholar
  16. 16.
    Cavusoglu, H., Mishra, B., Raghunathan, S.: The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. Int. J. Electron. Commer. 9(1), 70–104 (2004)CrossRefGoogle Scholar
  17. 17.
    Bose, I., Leung, A.C.M.: Do phishing alerts impact global corporations? A firm value analysis. Decis. Support. Syst. 64, 67–78 (2014)CrossRefGoogle Scholar
  18. 18.
    Li, F., Paxson, V.: A large-scale empirical study of security patches. In: Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS), Dallas, TX, October–Novvember 2017, pp. 2201–2215 (2017)Google Scholar
  19. 19.
    Nguyen, V.H., Massacci, F.: The (un)reliability of NVD vulnerable versions data: an empirical experiment on Google chrome vulnerabilities. In: Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS), Sydney, Australia, pp. 493–498, March 2013Google Scholar
  20. 20.
    Christey, S., Martin, B.: Buying into the bias: why vulnerability statistics suck. BlackHat, Las Vegas, Technical report, vol. 1 (2013)Google Scholar
  21. 21.
    Romanosky, S., Telang, R., Acquisti, A.: Do data breach disclosure laws reduce identity theft? J. Policy Anal. Manag. 30(2), 256–286 (2011)CrossRefGoogle Scholar
  22. 22.
    Gordon, L.A., Loeb, M.P., Zhou, L.: The impact of information security breaches: has there been a downward shift in costs? J. Comput. Secur. 19(1), 33–56 (2011)CrossRefGoogle Scholar
  23. 23.
    Kar, A.: Stock prediction using artificial neural networks. Department of Computer Science and Engineering, IIT Kanpur (1990)Google Scholar
  24. 24.
    Farhang, S., Laszka, A., Grossklags, J.: An economic study of the effect of android platform fragmentation on security updates, arXiv preprint arXiv:1712.08222 (2017)
  25. 25.
    National Vulnerability Database (NVD).
  26. 26.
    Symbol lookup from Yahoo! finance.
  27. 27.
    CVE - common vulnerabilities and exposures (CVE).
  28. 28.
    Common weakness enumeration.
  29. 29.
    Common vulnerability scoring system SIG.
  30. 30.
  31. 31.
    Elman, J.L.: Finding structure in time. Cogn. Sci. 14(2), 179–211 (1990)CrossRefGoogle Scholar
  32. 32.
    Horne, B.G., Giles, C.L.: An experimental comparison of recurrent neural networks. In: Proceedings of the Advances in Neural Information Processing Systems 7, [NIPS Conference], pp. 697–704 (1994)Google Scholar
  33. 33.
    Moré, J.J.: The levenberg-marquardt algorithm: implementation and theory. In: Watson, G.A. (ed.) Numerical Analysis. LNM, vol. 630, pp. 105–116. Springer, Heidelberg (1978). Scholar
  34. 34.
    Box, G.E., Pierce, D.A.: Distribution of residual autocorrelations in autoregressive-integrated moving average time series models. J. Am. Stat. Assoc. 65(332), 1509–1526 (1970)MathSciNetCrossRefGoogle Scholar
  35. 35.
    Menn, J.: Exclusive: Microsoft responded quietly after detecting secret database hack in 2013, October 2017.
  36. 36.
    A social science approach to information security.
  37. 37.
    Violino, B.: Data breaches rising because of lack of cybersecurity acumen, December 2017.
  38. 38.
    Anwar, A., Khormali, A. Mohaisen, A.: POSTER: understanding the hidden cost of software vulnerabilities: measurements and predictions. In: Proceedings of the 13th ACM Symposium on Information, Computer and Communications Security (ASIACCS), Incheon, Korea, June 2018Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Afsah Anwar
    • 1
  • Aminollah Khormali
    • 1
  • DaeHun Nyang
    • 2
  • Aziz Mohaisen
    • 1
  1. 1.University of Central FloridaOrlandoUSA
  2. 2.Inha UniversityIncheonRepublic of Korea

Personalised recommendations