[This was originally published on the OSVDB blog.]
Kenneth Belva of Franklin Technologies United, Inc. announced a paper titled “How It’s Difficult to Ruin a Good Name: An Analysis of Reputational Risk”. The paper was delivered as the keynote address at the FiTech Summit 2005. In his announcement, he states “This paper should be regarded as a starting point for further, positive discussion”, and he is right; as a starting point, it is an excellent first step.
From the paper:
What is the impact of an information security breach both monetarily and on one’s reputation if the breach is publicly disclosed? And, just as important, why does it happen in the way that it does? What are the factors that lead to the results (outcomes)? This becomes especially relevant as most States are beginning to pass laws similar to California’s SB1386.
The title of my presentation — How It’s Difficult to Ruin a Good Name — may have hinted at my conclusion.
Another person commented that this follows an article by Richard Menta titled “A need to know” which goes into breaches, investors and consumer confidence. The article ends:
As an illustration: on February 14, 2005 information aggregator ChoicePoint announced hackers had breached its network and stolen the personal information of up to 500,000 people.
How did Wall Street react? The firm’s shares plummeted 15 percent.
A few years back, a couple of journalists and security professionals brought this same question up on a mailing list, but asked it about vulnerabilities rather than breaches: what is the impact of a vulnerability disclosure on the affected company? Would the release of a nasty remote vuln affect a company like Microsoft? Would the release of a vulnerability in a security product affect a security company? How about if that same vulnerability was made into a worm with a destructive payload?
There is sketchy evidence that such vulnerabilities and the worms that follow them can affect the value of a company. While I don’t have hard data to say this for sure, it is a project I’ve long wanted to take up. All it requires is a good timeline of vulnerabilities (OSVDB), a good sense of media/popular opinion of the events (ISN), and access to stock prices over the years (favorite broker). Mapping the bigger vulnerabilities, or the ones that made more press (even if less serious than others), against stock prices would make for some interesting research. Bottom line: can Joe Random Hacker release vulnerability information and negatively impact the value of a company?
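The research sketched above is, in finance terms, an event study: take each disclosure date from the vulnerability timeline, line it up against the company’s share price and a market index, and ask whether the stock moved more than the market did around that date. The script below is an added example of that analysis, not code from the original post or from OSVDB; it uses the simple market-adjusted model (abnormal return = stock return minus index return) and a crude z-score against pre-window volatility. The price series, index series, ticker name and disclosure date are all constructed for illustration and are not real market data.

```python
"""Event-study sketch: market-adjusted abnormal returns around disclosure dates.

Added example, not from the original post. Every price, index value and
event date below is constructed for illustration, not real market data.
"""
from datetime import date
from math import sqrt
from statistics import stdev
from typing import List


def abnormal_returns(stock: List[float], market: List[float]) -> List[float]:
    """Market-adjusted model: AR_t = R_stock,t - R_market,t for t = 1..n-1.

    Element i of the result is the abnormal return on trading day i + 1
    (there is no return for day 0, since it has no prior close).
    """
    if len(stock) != len(market) or len(stock) < 2:
        raise ValueError("need two aligned price series of equal length >= 2")
    return [
        (stock[t] / stock[t - 1] - 1.0) - (market[t] / market[t - 1] - 1.0)
        for t in range(1, len(stock))
    ]


def trading_day_index(days: List[date], event: date) -> int:
    """First trading day on or after the event: a weekend or holiday
    disclosure is attributed to the next session."""
    for i, d in enumerate(days):
        if d >= event:
            return i
    raise ValueError(f"no trading day on or after {event}")


def event_window(days: List[date], stock: List[float], market: List[float],
                 event: date, pre: int = 1, post: int = 3) -> dict:
    """Cumulative abnormal return (CAR) over [event-pre, event+post].

    The z-score divides CAR by sigma * sqrt(window length), where sigma is
    the sample standard deviation of abnormal returns on the days before the
    window. It assumes constant variance and no confounding news, which is
    exactly the caveat any real study has to check by hand.
    """
    ar = abnormal_returns(stock, market)           # ar[t - 1] is AR on day t
    idx = trading_day_index(days, event)
    lo = max(1, idx - pre)
    hi = min(len(days) - 1, idx + post)
    window = [ar[t - 1] for t in range(lo, hi + 1)]
    car = sum(window)
    estimation = [ar[t - 1] for t in range(1, lo)]  # days strictly before window
    z = None
    if len(estimation) >= 2:
        sigma = stdev(estimation)
        if sigma > 0:
            z = car / (sigma * sqrt(len(window)))
    return {
        "event": event,
        "session": days[idx],
        "event_day_ar": ar[idx - 1] if idx >= 1 else None,
        "car": car,
        "window_days": len(window),
        "z": z,
    }


def sample_data():
    """Constructed sample: twelve trading sessions for a hypothetical vendor
    ("VENDR") and a hypothetical index, with a Saturday disclosure that is
    followed by a sharp drop at the next open. Not real data."""
    days = [date(2005, 2, d) for d in (7, 8, 9, 10, 11, 14, 15, 16, 17, 18, 21, 22)]
    vendr = [100.0, 101.0, 100.5, 101.5, 102.0, 86.0, 85.0, 84.0, 85.5, 86.0, 86.5, 87.0]
    index = [1000.0, 1005.0, 1002.0, 1008.0, 1010.0, 1006.0, 1003.0, 1000.0,
             1007.0, 1009.0, 1011.0, 1010.0]
    events = [date(2005, 2, 12)]                   # hypothetical disclosure date
    return days, vendr, index, events


if __name__ == "__main__":
    days, stock, market, events = sample_data()
    for ev in events:
        r = event_window(days, stock, market, ev)
        print(f"disclosure {r['event']} -> session {r['session']}: "
              f"event-day AR {r['event_day_ar']:+.4f}, "
              f"CAR[-1,+3] {r['car']:+.4f} over {r['window_days']} days, "
              f"z {r['z']:+.2f}" if r["z"] is not None else "z n/a")
```

The output for the constructed data shows a CAR of roughly -16% with a z-score far below -2, which is what a real disclosure effect would look like; a quiet window a few days earlier comes out near zero. Doing this for real would mean feeding in the OSVDB timeline for the events, an actual index series for the baseline, and a much longer estimation window, and then reading the press coverage around each date to rule out earnings, lawsuits or other news landing in the same window.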