Don’t let my Heart bleed! : An event study methodology in Heartbleed vulnerability case.

• Main Authors: Lioupras, Ioannis, Manthou, Eleni
• Format: Others
• Language: English
• Published: Umeå universitet, Institutionen för informatik 2014
• Subjects: software vulnerability; IT risk management; disclosure policies; event study methodology
• Online Access: http://urn.kb.se/resolve?urn=urn:nbn:se:umu:diva-90126

Due to the rapid evolution of technology, IT software has become incredibly complex. However the human factor still has a very important role on the application of it, since people are responsible to create software. Consequently, software vulnerabilities represent inevitable drawbacks, found to cost extremely large amounts of money to the companies. “Heartbleed” is a recently discovered vulnerability with no prior investigation that answers questions about the impact it has to the companies affected. This paper focuses on the impact of it on the market value of the companies who participated in the vulnerability disclosure process with the help of an event study methodology. Furthermore our analysis investigates if there is a different affection to the value of the company based on the roles those companies had in the process. Our results suggest that the market did not punish the companies about the existence of vulnerability. However the general negative reaction of the market to the incident reflects the importance of a strategic vulnerability disclosure plan for such cases.