Computers & Security (2005) 24, 409e424

www.elsevier.com/locate/cose

Capital market reaction to defective IT products: The case of computer viruses Anat Hovav a,*, John D’Arcy b a b

MIS Department, Fox School of Business, Temple University, United States Department of Computer and Information Sciences, Towson University, United States

Received 4 October 2004; revised 2 February 2005; accepted 25 February 2005

KEYWORDS Viruses; Defective information technology products; Event study; Market value

Abstract Studies in various industries indicate that market reaction to recall announcements is used as a catalyst to control the creation of substandard products. In the IT industry, flawed software is being blamed for the increasing numbers of computer viruses that plague information systems and the escalating costs to repair these viruses. This paper examines whether the market penalizes firms that produce substandard IT products. We use the event study methodology to assess the impact of public virus announcements on the stock prices of responsible IT vendors between 1988 and 2002. The results show that the market reacts negatively to the production of flawed Information Technology in approximately 50% of the cases. However, this negative market reaction is not statistically significant over extended periods and is limited to announcements involving certain types of defects (i.e., IT products that contain computer viruses). There was no statistically significant negative market reaction for announcements involving IT products that are susceptible to computer viruses. Our analysis implies that unlike in other industries, market forces alone cannot be used as an effective control mechanism for the production of substandard IT products. The study concludes that under these present conditions, IT vendors have little economic incentives to invest in defect-free computing. ª 2005 Elsevier Ltd. All rights reserved.

Introduction Studies published over the last 20 years in various industries indicate that market reaction to recall * Corresponding author. E-mail addresses: [email protected] (A. Hovav), jdarcy@ temple.edu (J. D’Arcy).

announcements is a catalyst that controls the creation of defective products (e.g., Jarrell and Peltzman, 1985; Hoffer et al., 1988; Bromiley and Markus, 1989; Barber and Darrough, 1996; Hingorani et al., 1994; Salin and Hooker, 2001; Thomsen and McKenzie, 2001; Pruitt and Peterson, 1986; Davidson and Worrell, 1992). The degree of impact varies depending on the industry, the severity of

0167-4048/$ - see front matter ª 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2005.02.003

410 the defect, the scope of the problem, and the originator of the recall. Because managers try to set policies that result in increased shareholder value, if the market reacts negatively to the production of substandard products, managers invest in improved production processes and quality control mechanisms. Conversely, if the market does not react to the distribution of substandard products, managers have little reason to improve product quality especially if such improvements require the investment of large funds. In the IT industry, the rapid increase in computer security breaches has led to increased scrutiny of IT vendors and their products. Of particular concern is the increasing number of computer viruses that plague information systems and the escalating costs to repair these viruses.1 Flawed software that contains viruses and software that is susceptible to viruses are being cited as major reasons for computer virus outbreaks. For example, some commentators argued that Microsoft should have born some of the responsibility for the damage caused by the LoveLetter virus, as Microsoft Outlook’s use of the Visual Basic scripting language facilitated the spread of the virus (Cluley, 2000; Anon., 2000). While most of the current criticism is of Microsoft and its products, virus outbreaks are not restricted to any one particular vendor or software package. Despite this growing criticism of Information Technology (IT) vendors, it is unknown to what extent the reported virus attacks have had financial repercussions on these vendors. This paper will examine whether such repercussions exist. IT systems are rarely regarded as ‘‘goods’’ in the eye of the law (Samuelson, 1993). However, software vendors can be exposed to ‘‘product liability’’ legislation for selling products containing computer viruses (Desilets, 1989; Kluth, 1990; Lyman, 1992;

1

In 1989, the Morris worm infected nearly 6200 individual machines (about 7.3% of the Internet’s computers at the time) and caused 8 million hours of lost access (McAfee and Haynes, 1989). By 2000, the LoveLetter worm caused an estimated $100 million in damage and infected approximately 1.27 million computer files worldwide (Hinde, 2000). In 2001, the Code Red worm spread at an unprecedented rate, doubling its infestation rate every 37 min, and eventually infesting over 350,000 hosts (Moore and Voelker, 2001). The Code Red worm caused an estimated $2 billion in damage (Panko, 2003). This trend is expected to continue, as new viruses are being produced in greater numbers (Cluley, 2000). IDG reports that 3855 new viruses were introduced in the first half of 2003, a 17.5 percent increase over the same time period the previous year (McMillan, 2003).

A. Hovav, J. D’Arcy Mykytyn et al., 1995). Moreover, prior work in IT law, Marketing, and Information Systems define IT products that contain viruses or that render viruses as defective products2 (Desilets, 1989; Samuelson, 1993; Mykytyn et al., 1995). Given this definition, one can examine the impact of defective IT products on the market value of producing companies in a similar manner to the impact of defective products on vendors in other industries. Thus the goal of this work is to determine if the market penalizes firms for creating IT products containing viruses or products that render viruses sufficiently so that IT vendors have a financial incentive to invest in securing their wares. In the next section we summarize the literature on defective products and the market response to product recall announcements in various industries. In Section Computer viruses as product defects, we describe the main characteristics of computer viruses and define IT products that either contain computer viruses or that render computer viruses as defective IT products. We hypothesize that the market penalizes IT vendors for computer viruses and that this market penalty is greater for IT-specific vendors than for diversified vendors. We test our hypotheses by examining the impact of virus attack announcements on the market value of responsible IT vendors between 1988 and 2002. In Section Methodology, we detail the methodology used e the event study. In Section Analysis and results, we present and analyze the study’s results. In Section Discussion, we discuss the results, our conclusions, the study’s limitations, and future research.

The impact of defective products on the market value of firms In their seminal work on defective products in the automotive and drug industries, Jarrell and Peltzman (1985) asked: ‘‘What happens to the wealth of shareholders of firms producing defective products?’’ (p. 512). They concluded that product recalls in these industries resulted in a negative impact on shareholder value. Subsequent studies found that

2

An IT product that contains holes (created intentionally or accidentally by the vendor) and vulnerabilities that are subsequently exploited by hackers are defined as IT products that render viruses. The vendor is not responsible for the virus itself but is responsible for the vulnerability that allowed the virus to attack successfully. This concept is further explained in Section Computer viruses as product defects.

Capital market reaction to defective IT products the market reaction varies by time period and regulatory activity (Bromiley and Markus, 1989) and by the severity of the defect (Pruitt et al., 1986). Barber and Darrough (1996) studied automobile recall announcements of American and Japanese companies and found a significant negative market reaction for both. Similarly, research on the impact of product recall announcements in the pharmaceutical, drug, and food industries found that the market penalizes both the causing firm and often its competitors for creating defective products (Hingorani et al., 1994; Salin and Hooker, 2001; Thomsen and McKenzie, 2001). In addition, recalls impact smaller food companies more than larger and more diverse ones (Salin and Hooker, 2001). Mandatory recalls have a larger impact than voluntary recalls (Hingorani et al., 1994; Salin and Hooker, 2001) and highly severe food recalls have a larger impact on stockholder wealth than medium and low severity recalls (Thomsen and McKenzie, 2001). The food, drug, and automotive industries are highly regulated and many of the recall announcements are instigated by government agencies. However, studies of defective products in non-regulated industries found similar results (Pruitt and Peterson, 1986; Davidson and Worrell, 1992). It is therefore clear that the market penalizes companies for producing defective products in both regulated and non-regulated industries. Research has also shown that the market reaction is much greater than the direct cost to repair or replace the defective products (Jarrell and Peltzman, 1985; Bromiley and Markus, 1989; Dranove and Olsen, 1994). The actual cost to repair depends on the industry involved. For example, in the auto industry, the cost per unit is high since the auto manufacturer must cover parts, labor, and owner notification costs (Bromiley and Markus, 1989). In other industries, such as the food and drug industries, the recall may not involve a costly repair or replacement. Instead, companies may re-label a product, send a warning letter to consumers or conduct an advertising campaign (Dranove and Olsen, 1994). In addition to the actual cost of the recall, other costs are incurred. For example:
Legal and settlement cost resulting from liability lawsuits (Jarrell and Peltzman, 1985; Dranove and Olsen, 1994; Barber and Darrough, 1996; Salin and Hooker, 2001; Thomsen and McKenzie, 2001)
Loss of quasi rent normally received from the firm’s ‘‘brand name capital’’ and reputation (Jarrell and Peltzman, 1985; Pruitt and

411 Peterson, 1986; Hoffer et al., 1988; Barber and Darrough, 1996; Thomsen and McKenzie, 2001).
Loss of future sales (Pruitt and Peterson, 1986; Dranove and Olsen, 1994; Salin and Hooker, 2001).
Loss of reputation and consumer trust (Jarrell and Peltzman, 1985). In addition, negative market reaction to defective products may be due to the tightening of regulations following major recalls (Dranove and Olsen, 1994; Salin and Hooker, 2001). These stringent regulations might lead to increased costs to develop and approve new products, and thus reduce profitability (Hoffer et al., 1988; Thomsen and McKenzie, 2001). In the IT industry, there has been a rapid increase in computer security breaches and in the financial damage resulting from these breaches. Studies have shown that IS security breaches have both direct and indirect costs to organizations (Coursen, 1997; McAfee and Haynes, 1989) and can have a negative impact on a firm’s market value (Campbell et al., 2003; Ettredge and Richardson, 2003; Hovav and D’Arcy, 2003). The increase in the frequency and severity of security breaches have resulted in a number of articles that criticize IT vendors for producing software that is non-secure, unreliable, and contains vulnerabilities that facilitate security breaches (Thibodeau, 1999; Cluley, 2000; Anon., 2000; Lemos and Kane, 2002; Panko, 2003). The U.S. government is also targeting IT vendors, searching for ways to hold software vendors accountable for the quality of their products, and proposing legislative actions that will make vendors liable for security breaches (Thibodeau, 1999; Patilla, 2002). Despite these increased concerns regarding the quality of Information Technology in general and computer software in particular, we did not find any research that studied the impact of substandard IT products on the shareholder value of IT vendors. In the following sections, we use Kotler and Mantrala’s (1985) definitions of flawed products and Mykytyn et al.’s (1995) definition of error free software to characterize computer products infected with viruses and computer software that renders viruses as flawed (defective) IT products.

Computer viruses as product defects A virus is a small piece of self-replicating computer code that attaches itself to a larger, legitimate

412 program (Montana, 2000). When the legitimate program is executed, the virus runs and modifies the unsuspecting program, causing the computer system to become ‘infected’. Early viruses were static programs that copied themselves from program to program via a physical medium such as a diskette (Nachenberg, 1997). Today’s viruses are significantly more complex, which makes detection and removal more difficult and more costly. For the purposes of this article we use the term viruses to include all types of replicating and damaging illegitimate pieces of code (i.e., viruses, Trojan horses, and worms) as is common in current literature (Desilets, 1989; Wen, 1998; Hinde, 2000; Berghel, 2001; Chen, 2003). The threat of viral attacks was evident in the early 1980s when the ‘‘Elk Cloner’’ bootable virus epidemic started on Apple II computers (Spafford et al., 1989). However, viruses became more notorious in the late 1980s when attacks against IBM PCs, Apple II computers, and Macintosh computers were reported in the popular media (Hayes, 2003). This trend could be partially attributed to the way personal computers (PCs) have developed compared to their predecessors (e.g., mainframe computers and mini computers). The original design of the Intel PC-AT processor (a.k.a., 286) integrated a security mechanism that was inspired by the protection mechanism developed in the MULTICS3 project (Caelli, 2002). However, implementation of the processor in the IBM PC and its associated MS-DOS operating system did not incorporate any security features. Similarly, the security features available in the Intel 8086 processor were completely ignored by Microsoft in their development of the DOS and Windows operating systems (Caelli, 2002). This was done in order to reduce time-to-market and increase adoption by application developers (Anderson, 2001). In addition, none of the proposed MULTICS security mechanisms were implemented in Reduced Instruction Set Computers (RISC), sacrificing security for processing speed (Caelli, 2002). The philosophy of ‘‘we ship it on Tuesday and get it right by version 3’’ (Anderson, 2004, p. 11) led the computing industry to adopt an inferior set of products resulting in security vulnerabilities. This issue has

3

An MIT project that recommended a ring and segmentation structure in order to create a highly secure, time-sharing based operating system (Caelli, 2002).

A. Hovav, J. D’Arcy become increasingly alarming as the use of PCs has evolved from being used primarily for personal purposes to being a vital part of the world’s business infrastructure.

Viruses as product flaws Kotler and Mantrala (1985) define two types of intrinsic product flaws e a performance flaw and a side effect flaw. Based on these two definitions we divide computer viruses into two types. A performance flaw is a feature that interferes with the intended function of the product. For example, defective brakes will interfere with the intended function of an automobile. Correspondingly, when a software package contains a virus, the virus interferes with the intended function of that software. Similar definitions are given in Desilets (1989), Kluth (1990), and Lyman (1992). Desilets (1989) compares software containing viruses to the Tylenol scare. In the Tylenol case (like in most virus attacks), the product defect was due to an act by a third party (rather than due to a defective production process). However, the manufacturer was responsible for not providing safe packaging that could have prevented the defect. With proper inspection and packaging IT vendors can minimize the number of viruses that are embedded in IT products (Desilets, 1989). We label viruses embedded in software or hardware products shipped via a physical medium (e.g., CDROM) or an electronic medium (e.g., e-mail, bulletin boards) as type (I) viruses. A side effect flaw is a feature that ‘‘results in an unanticipated adverse or unwanted effect quite removed from the product’s ability to perform its main functions’’ (Kotler and Mantrala, 1985, p. 29). When a software product has a vulnerability (also known as a ‘‘hole’’) that allows viruses to attack and replicate, the virus may produce an adverse or unwanted effect such as destroy the hard drive or delete files while the product still performs its main functions. For example, the ‘‘holes’’ found in Netscape’s email program did not prevent it from performing its function as an email management tool. However, the side effect result was that a virus infected the inboxes of several Netscape email users (Cringely, 2002). We label viruses that spread as a result of vulnerabilities in IT products as type (II) viruses. The above two definitions refer primarily to mass produced information technology. These definitions do not include every IT defect in existence nor do they include every type of virus ever

Capital market reaction to defective IT products discovered or to be created in the future. However, we believe that the classification of defective products as applied to viruses justifies the use of prior research on defective products as a baseline for our study. In addition, in our sample we found that these two types of flaws cover a large number of the current publicly known viruses.

Hypotheses on the financial impact on IT vendors Given that the market penalizes firms that produce defective or substandard non-IT products, we expect that the market will penalize IT vendors who produce either type I or type II viruses. As prior research has shown (Section The impact of defective products on the market value of firms), producing firms suffer intangible costs that are greater than the actual costs to repair the defective products. These costs include loss of brand name capital, damaged reputation, loss of future sales due to customer loss of trust, and loss of ‘‘competitive advantage.’’ Since we expect that IT firms which produce defective software may incur similar intangible costs,4 we selected the market value approach (i.e., shareholder value). This approach places a value on intangible costs by capturing investors’ perceptions. Similarly, a market value approach is expected to capture the financial impact (direct and indirect cost) of a virus attack involving an IT vendor’s products. In addition, the market value approach captures investors’ expectations of future losses that IT vendors will accrue as a result of public virus announcements that involve their products. Therefore, we expect that overall the market will penalize IT vendors for the production of wares embedded with viruses or wares that are vulnerable to viruses (i.e., has ‘‘holes’’). In the next two sections we investigate the financial impact of each virus type.

4

Potential tangible costs incurred by IT vendors include the costs to notify infected users, the costs to repair infected machines either physically or through antivirus updates, the costs to develop and distribute antivirus software updates, the costs to develop and distribute security patches and service pack updates, and the cost of lost business (i.e., revenue) as a result of customer dissatisfaction. These costs can be measured directly and are included in traditional accountingbased performance measures.

413 The financial impact of type (I) viruses

SIDEBAR 1. History of type I viruses The popular belief is that since the mid 1990s most viruses have been distributed via the Internet and attack only Microsoft products. However, embedded viruses, which we defined as type (I) viruses, have been distributed consistently for the last 25 years. In 1988, Aldus infected users with a virus via a diskette the company shipped. Novell in 1991 and Microsoft in 1995 reported similar cases of spreading viruses to customers through infected diskettes. Similar examples are given in Gordon (1994) and Landwehr et al. (1994). In 1998, Corel sent infected CD-ROMs to customers and in 2001 Warner Home Video sent infected DVDs to retail outlets. In 1992, Intel shipped infected computers to its customers. Similarly, in 1999 both IBM and Dell distributed infected machines to clients. In 2001, HP distributed printer drivers infected with a virus by inadvertently uploading them onto its website.

The four main characteristics of type (I) viruses are: 1. Their scope is relatively low; that is, they infect relatively small numbers of users. 2. The cost of recall is relatively high since the responsible vendor has to replace or repair a physical good.5 3. Although IT vendors can minimize the spread of type (I) viruses by implementing more efficient Quality Assurance procedures and better packaging and distribution mechanisms, customers can do little to inspect such products prior to their installation (Lyman, 1992). 4. The responsibility for the damages from a type (I) virus can be placed on the vendor under the theory of strict liability (Lyman, 1992). Given that software or hardware containing viruses can be considered defective ‘‘goods’’ that

5 For example, in the case of IBM the IT vendor had to contact all potentially affected customers and send them an antivirus update CD. In addition, IBM had to contact retailers to ensure that machines in their stores were free of the virus (Deane, 1999). Similarly, Aldus had to replace 5000 infected software packages (Desilets, 1989).

414 will require the vendor to ‘‘recall’’ its products, the following hypothesis is proposed: H1: type (I) virus announcements are associated with negative abnormal stock market returns for responsible IT vendors.

The financial impact of type (II) viruses

SIDEBAR 2. History of type 2 viruses The emergence of the Internet created a new means for spreading computer viruses. Robert Morris, a graduate student at Cornell University, is responsible for the first known viral attack against the Internet (Spafford, 1989). Since the Robert Morris worm, the Internet has been the victim of numerous viral attacks. Viruses such as Jerusalem, Chernobyl, and Michaelangelo have exploited known vulnerabilities in software products. However, not until late in the 1990s did large numbers of organizations suffer financial damage due to the spread of type (II) viruses. Examples include the Melissa virus, which caused an estimated $80 million in damages (Chen and Lindsay, 2000), the LoveLetter worm (i.e., the I Love You virus), which caused an estimated $100 million in damage (Hinde, 2000), and the Code Red worm which caused an estimated $2 billion in damage (Panko, 2003). In addition to these highly publicized cases, type (II) viruses have targeted and infected MacIntosh PC’s, Macromedia’s Flash software, Lotus Notes v3.0 software, Netscape Communicator and email software, Linux operating systems, and Palm handheld operating systems.

Type (II) viruses have the following characteristics: 1. They are usually larger in scope than type (I) viruses; they infect a large number of users typically through a computer network. 2. They take advantage of vulnerabilities in mass produced software such as operating systems, and database and Web server software to infect users. 3. They are highly publicized. 4. The immediate cost to repair a type (II) virus is relatively small for the IT vendor since it mostly involves the creation and the electronic

A. Hovav, J. D’Arcy distribution of patches. The cost to repair these viruses, such as implementing the patch, cleaning machines, and recovering lost data is transferred to the user (Anderson, 2001). 5. To date, there is no legislation that places legal liability on IT vendors for producing vulnerable software that leads to the production of type (II) viruses. Due to the large scope, the publicity involved, and the large reported financial impact of type (II) viruses, we expect that the market will penalize IT vendors for the introduction of vulnerable software that enables these viruses. Hence, the following hypothesis is proposed: H2: type (II) virus announcements are associated with negative abnormal stock market returns for IT vendors that produce vulnerable wares that render these viruses. Effects of company size Salin and Hooker (2001) found that smaller companies show higher losses in stock value than large, diversified companies. Diversified companies with business units in various industries and markets can expect that losses to one business unit due to a product recall are mitigated by potential profits of other business units. Small companies with one or two business units that are focused in a single market have no other sources of income, and thus increase the relative effect of a recall announcement. Similarly, Hovav and D’Arcy (2003) found that Denial-of-Service attacks have a larger financial impact on Internet-specific companies than on diversified companies. Ettredge and Richardson (2003) showed that the spillover effect of Denialof-Service attacks on Internet companies is larger than on non-Internet firms. We expect a similar impact on IT vendors producing defective products. Therefore, the following hypothesis is proposed: H3: Virus announcements are associated with greater negative abnormal stock market returns for IT-specific vendors than for diversified vendors. In the following section we describe the methodology used to test our three hypotheses.

Methodology Event study methodology, commonly employed in the accounting and finance literature (e.g., Brown and Warner, 1985; Pruitt and Peterson, 1986; Etebari et al., 1987; MacKinlay, 1997) is used in this paper. The event study examines the stock market reaction to the public announcement of

Capital market reaction to defective IT products a particular event. According to the semi-strong form of the efficient market hypothesis, the market price of a firm fully reflects all publicly available information (Fama et al., 1969). The logic underlying the hypothesis is that investors in capital markets process publicly available information on firm activities to assess the impact of firm activities, not just on current performance but on the future performance of the firm as well (Subramani and Walden, 2001). If the consensus of investors regarding virus attacks involving defective software is that IT vendors will accrue losses in future periods, investors will react negatively to these public virus announcements. This expectation will be reflected in a negative abnormal stock market return (a risk-adjusted return below the average stock market return for the firm’s stock) around the date of the virus announcement. Abnormal returns thus provide a unique means to associate the impact of a specific event involving a firm on the firm’s expected profitability in future periods (MacKinlay, 1997).

Data collection A procedure for sample selection similar to the method used by Subramani and Walden (2001), Im et al. (2001), and Dos Santos et al. (1993) was followed in this study. We collected data on software that either contained or created viruses by using a search of business news articles in the Lexis-Nexis database. The search consisted of all public announcements of virus attacks between January 1, 1988 and June 30, 2002 using the search terms ‘‘virus’’ and ‘‘viruses’’. We selected January 1988 as a starting point since this is when viruses became widely seen (Hayes, 2003) and therefore more likely to draw the attention of investors. Once all announcements were collected, we identified the causing vendor (see Appendix B for examples of virus announcements). We examined the stock value of the vendor that was identified in the announcement as the responsible or causing vendor. Any other vendor that might have been involved but was not part of the public announcement was not included in the sample. This rule was used in accordance with the semi-strong form of the efficient market hypothesis (Fama et al., 1969), which states that publicly available information will have affect on the market value of a publicly traded company. The initial list contained 110 announcements. That list was refined and evaluated based on the following criteria: 1. Only announcements involving firms publicly traded on either the New York Stock Exchange

415 (NYSE) or the NASDAQ stock exchange were included. 2. Announcements that might be confounded by other key firm announcements such as mergers, acquisitions, earnings, stock splits, dividends, etc. within five days of the virus attack announcement were excluded. 3. To remove event date uncertainty (Dyckman et al., 1984), we triangulated our Lexis-Nexis search results with additional Web searches and information from financial publications. For individual firms’ stock market data, we relied on the database of the Center for Research in Security Prices (CRSP). Only those virus attack announcements where stock return data for the responsible firm are available in the CRSP database were included. This procedure yielded a sample of ninety-two (92) virus attack announcements (events) over the period 1988e2002 for which we had usable stock returns available. A potential bias may be introduced by this sample due to the large number of announcements involving Microsoft. Dyckman et al. (1984) and Hoffer et al. (1988) assert that when a single firm is involved in a large number of announcements, it is difficult to isolate the effect of a given event from other announcements. The researchers suggest eliminating overlapping incidents involving a single vendor in an effort to create ‘‘clean windows’’ for the event study analysis. Therefore, we conducted a two phase study. In the first phase we examined all events (n Z 92). In phase II, we eliminated all announcements in which Microsoft was the responsible vendor. This sample included thirty-eight (38) virus attack announcements (events) over the period 1988e2002 for which we had usable stock returns available.

Statistical methodology The impact of announcements of virus attacks on common stock prices of the responsible companies is then computed using event study methods as described in Dos Santos et al. (1993). The event of interest in this study is the public announcement of a virus attack by either the responsible firm or some other media outlet. If an announced virus attack contains new information, it should cause the markets to revalue the firm. Determining whether these announcements affect a firm’s stock price requires that we estimate what the firm’s stock price would have been had there been no announcement. To make this determination, and to control for overall market effects, the

416

A. Hovav, J. D’Arcy

return of the stock is regressed against the return of a market index. This procedure yields the following regression, which is commonly referred to as the market model. The market model is based on the capital asset pricing model (CAPM), the most widely used method to estimate the returns on a firm’s stock (Brealey and Myers, 1996): Rit Zai Cbi Rmt C3it ;

ð1Þ

where Rit is the return of stock i on day t: Rit Z (Priceit  Priceit  1)/Priceit  1. Similarly, Rmt indicates the market return on day t, the average of returns of all firms included in the market index. We used the Standard and Poor’s 500 as the index of the market. The S&P 500 is a capitalizationweighted index based on a broad cross-section of the market and is commonly employed in prior event studies (Campbell et al., 1997; Subramani and Walden, 2001). Daily returns on the S&P 500 market index were obtained from CRSP database. The 3it is a random error term for stock i on day t, and the ai and bi are firm-dependent coefficients to be estimated. The market model is estimated for each firm in the sample using 200 daily returns. The estimation period starts 201 days before the announcement date and ends 2 days before the announcement date. The length of the estimation period we use is consistent with prior studies of capital market responses for IT firms (Dos Santos et al., 1993; Im et al., 2001). The estimated parameters and the realized returns on the S&P 500 market index are used to predict normal returns around the event period. For this study, we define five separate event periods: (1) the day of the virus attack announcement, t Z 0; (2) the day of the announcement, t Z 0, to one trading day after the announcement, t C 1; (3) the day of the announcement, t Z 0, to five trading days after the announcement, t C 5; (4) the day of the announcement, t Z 0, to 10 days after the announcement, t C 10 and (5) the day of the announcement, t Z 0, to 25 days after the announcement, t C 25. The coefficient estimates from regression (1) and the realized returns from the S&P 500 market index are used to predict normal returns for the five event periods: [0, 0], [0, 1], [0, 5], [0, 10] and [0, 25]. Prediction errors during the event periods, i.e., deviations of realized returns from normal returns, are estimates of abnormal returns (AR). These estimated abnormal returns are unbiased estimates (expressed in return form) of changes in the market value of a firm during the event period, which are attributed to investors’ reaction to the information contained it the event (Dos Santos et al., 1993). The assumptions of the methodology

are that the abnormal returns are the result of the virus attack announcement and not a random event occurring on the same day (Subramani and Walden, 2001). The abnormal return for the common stock of a firm i on event day t is computed as h

ARit ZRit ðahi Cbi Rmt Þ

ð2Þ

h bi

ahi

and represent the ordinary least where squares parameter estimates obtained by regressing Rit over Rmt over the 200 day estimation period prior to the event, and ARit refers to abnormal returns of firm i on day t. For event period [0, 1], the cumulative two-day abnormal return computed over days 0 and 1, where 0 is the day of the announcement, and day 1 is the day after the announcement day, is computed as: 1 X CARi Z ARit ð3Þ tZ0

Thus, for a sample of N firms, the average two-day announcement effect is equal to CARZ

N 1X CARi N iZ1

ð4Þ

We followed the same procedure, modifying Eqs. (3) and (4), to calculate the cumulative abnormal returns for the six [0, 5], 11 [0, 10], 26-day [0, 25] event periods used in the study. Event period [0, 0] contained only one day (the day of the announcement) and therefore the procedure in formula (3) was not necessary. The statistical significance of the abnormal returns for the sample is assessed by constructing a Z-statistic similar to the one developed in Loderer and Mauer (1992). Specifically, we first compute the standardized abnormal return to stock i on event day t as: ARit SARit Zpffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi; VarðARit Þ

ð5Þ

where 2

3

 6 7 1 ðRmt  Rm Þ 6 7 C 2 VarðARit ÞZs2i 61C 7 4 P 200 25 ðRmt  R m Þ 2

ð6Þ

tZ201

and where s2i is the residual return variance from the estimation of the market model over the 200 days before the announcement period: Rm is the mean return on the market index over the estimation period; and Rmt is the return on the market index on the day t in the estimation interval.

Capital market reaction to defective IT products The performance of each stock over the time interval defined by [t1, t2] is measured by the cumulative standardized abnormal return, which is defined as CSARi Z

t2 X

SARit pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi t2  t1 C1 tZt1

ð7Þ

Assuming that daily abnormal returns are normal and independent through time, SARit and CSARi have a student-t distribution with 199 degrees of freedom. The Z-statistic used to assess the statistical significance of the abnormal return over the event interval [t1, t2], for a sample of N stocks is therefore equal to pffiffiffiffi ZZ NðCSARÞ; ð8Þ where CSARZ

N 1X CSARi N iZ1

ð9Þ

Under the null hypothesis of zero expected abnormal returns, Z is approximately unit normally distributed (see, e.g., Loderer and Mauer, 1992).

Analysis and results Overall, 50% of the responsible firms showed negative abnormal returns on the day of the announcement, 55.4% of the companies had negative abnormal returns the day following the announcement and 56.5% had negative abnormal returns five days after the day of the announcement. This result indicates that overall the market penalizes some firms for producing defective IT products. In addition, there is evidence that the market penalizes firms for extended periods as 44.6% of the firms showed negative abnormal returns 10 days after the day of announcement and 46.7% still showed negative abnormal returns 25 days after the attack announcement. To test the significance of the market reaction we calculated the CSAR for the entire sample (n Z 92). Table 1 lists the Z value for all periods. The standardized Z values are not statistically significant for any of the event windows. To further refine our results we eliminated Microsoft from our sample (see Section Data collection). Table 2 lists the Z values for the remaining sample (n Z 38). The above results show that virus announcements are associated with negative abnormal stock market returns for IT vendors who distribute or

417 Table 1 (n Z 92)

Summary of CSAR for the entire sample CSAR [0, 0]

CSAR [0, 1]

CSAR [0, 5]

CSAR CSAR [0, 10] [0, 25]

Z value 0.3864 0.2263 0.0490 0.0453 0.1866 P value 0.6504 0.4105 0.4805 0.5181 0.5740

cause the spread of these viruses for all five event windows. However, none of the Z values is significant. To test hypothesis 1, we calculated the CSAR for all firms responsible for type (I) virus attacks. Table A1 in Appendix A, lists the Z-tests for the five event windows. From the table it is clear that type (I) virus announcements are associated with negative abnormal stock market returns for responsible vendors. However, only the Z-test for the [0, 0] window was significant (a Z 0.07). Two of the firms in the sample were not IT vendors. We removed these firms from the sample and recalculated the CSAR for the remaining vendors. Table A2 in Appendix A lists the Z-test for the five event windows of the reduced sample. From the table it is clear that type (I) virus announcements are associated with negative abnormal stock market returns for responsible IT vendors thus supporting our first hypothesis (H1) at a Z 0.05. However, the negative returns are not sustained over extended periods, as indicated in Table A2; the negative CSAR is not statistically significant beyond the first day after the announcement. To test hypothesis 2, we calculated the CSAR for all firms responsible for type (II) attacks. Table A3 in Appendix A lists the Z-test for the five event windows. From the table it is clear that type (II) virus announcements are not associated with abnormal stock market returns for the responsible IT vendors. Although all Z-tests are negative, none is statistically significant. Eliminating telecommunication firms (such as AT&T and MCI) did not change the overall results. The above results do not support our second hypothesis (H2). Generally, it appears that the market does not penalize

Table 2 Summary of CSAR for the non-microsoft sample (n Z 38) CSAR [0, 0]

CSAR [0, 1]

CSAR [0, 5]

CSAR [0, 10]

CSAR [0, 25]

Z value 0.0640 0.6305 0.2594 0.3869 0.0597 P value 0.4745 0.2642 0.3977 0.3494 0.4762

418

A. Hovav, J. D’Arcy

Table 3

Summary of t-test

Table 4

Window

t-Test

Significance

[0, [0, [0, [0, [0,

2.3701 1.7157 1.3345 0.7317 1.5257

0.0117* 0.0476* 0.0954 0.2347 0.0681

0] 1] 5] 10] 25]

Summary of results

Supported

Significant

Comments

H1

Supported

a Z 0.05

H2

Not supported

H3

Supported

The results are only significant for IT vendors Type (II) virus announcements are not associated with abnormal stock market returns for the responsible IT vendors True for zero, one and five days after the announcements. The reverse is true for the [0, 25] window

*Significant for a Z 0.05.

vendors for the creation of vulnerable wares that render the creation of type (II) viruses. To test hypothesis 3, we divided our sample into IT-focused companies and diverse companies. Tables A4 and A5 in Appendix A list the Z-tests for all five event windows for each group. We used a t-test analysis to compare the abnormal returns between the two groups for each event window. Table 3 summarizes the t-test results. Table 3 shows that in the short-term virus announcements are associated with greater negative abnormal stock market returns for IT-specific vendors than for diversified vendors thus supporting our third hypothesis (H3). This is in agreement with prior research in the food industry (Salin and Hooker, 2001) and with prior research that shows that the market penalizes Internet-specific companies for security breaches more than diverse companies (Ettredge and Richardson, 2003; Hovav and D’Arcy, 2003). However, in the long term ([0, 25]) that trend is reversed, contradictory to our hypothesis. Virus announcements are associated with greater negative abnormal stock market returns for diversified vendors than for IT-specific companies. These results might be due to the fact that it is more likely that large diversified companies experience other publicly announced negative events over a period of 25 days resulting in negative market reaction, while IT-focused companies are less likely to have additional events during that window. Table 4 summarizes our results.

Discussion In many industries (e.g., food, drug, and auto) market reaction to recall announcements is used as a catalyst to control the creation of defective products. It is the goal of managers to set policies that result in increased shareholder value. If the market reacts negatively to the production of substandard products, managers will invest in improved production processes and quality control. Conversely, if the market does not react to

a Z 0.05

the distribution of substandard products, managers have little reason to improve product quality especially if such improvements require the investment of large funds. This paper is the first known study that analyzes the market reaction to the distribution of substandard and defective IT products. The results of our study indicate that the market reaction to the production of substandard IT products is mixed. The market reacts negatively to the spread of viruses in slightly over half the cases. Yet, the overall impact on the responsible IT vendors (CSAR) is not significant. This mixed reaction could be due to the complex structure of the IT industry. For example, after a large viral attack, an increased number of companies and individuals may invest in preventive products (such as virus detection programs, firewalls, and network management tools) resulting in large financial gains for some IT vendors. The market reaction to the spread of embedded viruses (type (I)) is more significant than its reaction to the production of defective software that renders viruses (type (II)). This reaction could be due to one of the following: (1) customers believe that embedded viruses are easy to eliminate and thus feel that IT vendors should be more responsible and show more due diligence in inspecting and cleaning products before they are shipped; (2) the cost to inspect and remove embedded viruses is relatively low and thus is expected to have minimal impact on the net profit of the IT vendor; and (3) packaged IT products are considered goods. Therefore, customers have a legal recourse to recover damages due to embedded

Capital market reaction to defective IT products virus attacks. Hence one can assume that the market can be used as a means to reduce the number of embedded virus incidents. The lack of negative reaction to type (II) viruses might be due to one of the following: (1) the cost to repair a type (II) virus is small. However, the cost of redesigning such products (improving the quality of the production process) is very high in direct costs and production delay (Blumenthal, 1999; Anderson, 2001). For example, the direct cost to create a more secure Windows Server 2003 is estimated at $200 million. In addition, there are indirect costs resulting from major delays in the delivery of the new product (Schultz, 2002); (2) to date, there is no legislation that places legal liability on IT vendors for the production of vulnerable software (or hardware) that renders type (II) viruses, thereby limiting the legal recourse available to infected users; and (3) there is little demand from users to improve software quality. IT vendors are expected to produce fast and cheap products rather than a more secure system (Blumenthal, 1999; Anderson, 2001). The above results indicate that the market cannot be used as an effective control mechanism in the case of type (II) viruses. Prior research stipulates that IT vendors have little incentive to invest in improved products since their users do not demand such improvements (Blumenthal, 1999). Our results support that assertion and show that IT vendors have little financial incentive to invest in product improvements since the ‘‘market’’ does not demand it. Given the increased risk caused by virus attacks, some other mechanism to improve IT product quality might be necessary. Alternative approaches to the market could be regulatory in nature (e.g., HIPAA, California’s Database Breach Notification Security Act e SB 1386), self-regulations such as the Trusted Computing Platform Alliance, an industry consortium formed by IBM, Microsoft, Intel, HP, and Compaq which includes nearly 200 hardware and software vendors, or some contractual arrangements demanded by large customers. For example, some companies are demanding liability clauses in contracts with vendors, holding the vendors responsible for any security breach connected to their software (Mead, 2003). However, an opposing view suggests that liability is not the appropriate tool for reducing software vulnerabilities since many manufacturers would get out of the business if they were faced with liability suits, leaving few remaining software manufacturers to service a large marketplace (Mead, 2003).

419

Limitations and future research Similar to other event studies, our study has its limitations. While a concerted attempt was made to control for confounding variables (Section Data collection), the removal of confounding events from our sample was essentially a subjective process. Therefore it is possible that some potential confounding variables were not removed. The imputation of abnormal returns to events is based on the assumption that markets are efficient and that the events (virus announcements) were a surprise to investors (Subramani and Walden, 2001). Given the publicity that large-scale virus outbreaks (e.g., Melissa, Code Red, Blaster) have received, it is possible that investors now anticipate that such attacks are likely to occur in the normal course of business and therefore incorporate the associated risk into stock prices prior to a public announcement of a virus. Further research is needed to understand investors’ risk assessments of virus attacks and why the market does not react to virus attacks that reportedly cost billions of dollars to recover. Our sample was limited to one type of defect (viruses) and to one category of products (mass produced technologies). It is unclear if the same results pertain to other types of defects and other types of IT products (such as customized systems). Future research can look at the market reaction to the announcement of various types of Information Systems defects. Current research shows relationships between regulatory activities and market reaction in industries such as food, drugs, and automotive. Market reaction results in increases in regulatory activity and tightened enforcement increases market reaction. The impact of recent initiatives by legislators such as HIPAA and the Database Breach Notification Security Act e SB 1386 has not been studied thus far. Similarly, industry initiatives such as the Trusted Computing Platform Alliance might also have an impact on the economics of the IT industry and on capital market reactions. Thus, an in-depth study of the economics of virus attacks that takes into consideration various initiatives and various participants6 is needed. Finally, our sample consisted of only publicly traded companies and therefore the results cannot be applied to privately held companies and notfor-profit organizations.

6

For example, companies that produce virus detection products are likely to gain during a major outbreak offsetting losses by other IT vendors.

420

A. Hovav, J. D’Arcy

Summary Announcements of defective products and product recalls have had a negative financial impact on vendors in various industries. Our study illustrates that unlike in other industries, the market hardly penalizes IT vendors for the creation of substandard products. The study introduces two types of defective IT products: products with

embedded viruses (type I) and products with vulnerabilities that render viruses (type II). The results show that the market penalizes vendors for the introduction of type (I) viruses but not for type (II). It is unclear what the reasons for this market reaction are. Further research is needed to understand the economic implications of IT product quality on the IT industry and on its various constituents.

Appendix A Table A1

Z values for type (I) virus attacks (n Z 15)

Company

CSAR [0, 0]

CSAR [0, 1]

CSAR [0, 5]

CSAR [0, 10]

CSAR [0, 25]

Aldus Corp. Novell Intel SunGard Data Systems Inc. ANZ Bank AOL Compaq Apple Corel Corporation IBM Dell Computer AOL Autodesk Inc. Hewlett Packard Warner Home Video Average

1.2346 1.1747 0.6286 0.6177 0.3032 0.8800 0.5225 0.2695 0.1887 0.2713 0.4650 0.8906 0.0009 0.4232 0.2259 0.3713

1.0262 0.1952 0.2717 0.2966 0.1364 0.1530 0.1609 0.0003 0.3772 0.1241 0.3031 0.5964 0.1617 0.3759 0.2755 0.2400

0.0917 0.1108 0.0066 0.1482 0.3775 0.1999 0.1240 0.0914 0.4471 0.4820 0.4562 0.0323 0.4080 0.1653 0.3325 0.0491

0.0559 0.0742 0.0171 0.1530 0.1334 0.0593 0.1817 0.0158 0.2653 0.4517 0.3076 0.1504 0.0187 0.3203 0.1497 0.0660

0.1517 0.2380 0.1652 0.1063 0.0346 0.0257 0.2446 0.1702 0.1673 0.2854 0.3041 0.1248 0.0801 0.0682 0.1851 0.0023

Z value P value

1.4380 0.0752

0.9296 0.1763

0.1900 0.4246

0.2554 0.3992

0.0090 0.4964

Table A2

Z values for type (I) virus attacks IT vendors only (n Z 13)

Company

CSAR [0, 0]

CSAR [0, 1]

CSAR [0, 5]

CSAR [0, 10]

CSAR [0, 25]

Aldus Corp. Novell Intel SunGard Data Systems Inc. AOL Compaq Apple Corel Corporation IBM Dell Computer AOL Autodesk Inc. Hewlett Packard Average

1.2346 1.1747 0.6286 0.6177

1.0262 0.1952 0.2717 0.2966

0.0917 0.1108 0.0066 0.1482

0.0559 0.0742 0.0171 0.1530

0.1517 0.2380 0.1652 0.1063

0.8800 0.5225 0.2695 0.1887 0.2713 0.4650 0.8906 0.0009 0.4232 0.4691

0.1530 0.1609 0.0003 0.3772 0.1241 0.3031 0.5964 0.1617 0.3759 0.2453

0.1999 0.1240 0.0914 0.4471 0.4820 0.4562 0.0323 0.4080 0.1653 0.1113

0.0593 0.1817 0.0158 0.2653 0.4517 0.3076 0.1504 0.0187 0.3203 0.0979

0.0257 0.2446 0.1702 0.1673 0.2854 0.3041 0.1248 0.0801 0.0682 0.0089

Z value P value

1.6914 0.0454

0.8843 0.1883

0.4011 0.3442

0.3530 0.3620

0.0320 0.5128

Capital market reaction to defective IT products

421

Table A3

Z values for type (II) virus attacks (n Z 23)

Company

CSAR [0, 0]

CSAR [0, 1]

CSAR [0, 5]

CSAR [0, 10]

CSAR [0, 25]

AOL AOL AOL AOL AOL Apple Apple Apple AT&T Handspring Lotus Macromedia Macromedia McAfee Associates MCI Netscape Netscape Netzero Palm Pioneer Red Hat Sun Microsystems Inc. Yahoo Average

0.6951 0.7498 0.7060 0.7177 0.2439 0.5792 2.2316 0.3681 0.9784 1.7477 0.6611 1.2173 0.7628 0.4341 0.0453 0.9341 0.2070 1.1838 0.4153 2.1594 1.8669 0.1153 1.1003 0.1852

0.5094 0.0604 0.6268 0.1609 0.1621 0.0577 1.0286 0.2068 0.0744 0.8401 0.3490 0.2293 0.5963 1.3907E-05 0.0801 0.2194 0.0123 0.9120 0.0945 0.1822 1.0486 0.2368 0.3120 0.0052

0.4245 0.4995 0.0788 0.1262 0.0479 0.1974 0.0643 0.1281 0.0229 0.2760 0.2230 0.3589 0.0721 0.0168 0.1150 0.4878 0.0396 0.6409 0.1873 0.0206 0.1481 0.2929 0.2541 0.0435

0.5043 0.0666 0.1647 0.0063 0.1427 0.1302 0.0545 0.1034 0.3844 0.1776 0.0588 0.1151 0.1072 0.0504 0.0901 0.1386 0.1304 2.1317 0.3150 0.0758 0.2037 0.1216 0.1880 0.0588

0.2529 0.1356 0.0175 0.0396 0.1161 0.1493 0.1855 0.0675 0.4642 0.1566 0.1428 0.0647 0.1560 0.0520 0.0366 0.0178 0.0701 0.1431 0.2077 0.0295 0.1393 0.1218 0.1261 0.0161

0.0249 0.4901

0.2085 0.4174

0.2818 0.3890

0.0774 0.4691

Z value P value

Table A4

0.8883 0.8128

Z values for IT-focused companies (n Z 29)

Company

CSAR [0,0]

CSAR [0, 1]

CSAR [0, 5]

CSAR [0, 10]

CSAR [0, 25]

Aldus Corp. AOLa AOLa AOLa AOLa Apple Apple Apple Apple Autodesk Inc. Compaq Corel Corporation Dell Computer Hewlett Packard IBM Intel Lotus Macromedia Macromedia McAfee Associates Netscape Netscape Netzero

1.2346 0.6951 0.7498 0.8800 0.7060 0.5792 0.2695 2.2316 0.3681 0.0009 0.5225 0.1887 0.4650 0.4232 0.6437 0.6286 0.6611 1.2173 0.7628 0.4341 0.9341 0.2070 1.1838

1.0262 0.5094 0.0604 0.1530 0.6268 0.0577 0.0003 1.0286 0.2068 0.1617 0.1609 0.3772 0.3031 0.3759 0.0423 0.2717 0.3490 0.2293 0.5963 1.3907E-05 0.2194 0.0123 0.9120

0.0917 0.4245 0.4995 0.1999 0.0788 0.1974 0.0914 0.0643 0.1281 0.4080 0.1240 0.4471 0.4562 0.1653 0.3446 0.0066 0.2230 0.3589 0.0721 0.0168 0.4878 0.0396 0.6409

0.0559 0.5043 0.0666 0.0593 0.1647 0.1302 0.0158 0.0545 0.1034 0.0187 0.1817 0.2653 0.3076 0.3203 0.4958 0.0171 0.0588 0.1151 0.1072 0.0504 0.1386 0.1304 2.1317

0.1517 0.2529 0.1356 0.0257 0.0175 0.1493 0.1702 0.1855 0.0675 0.0801 0.2446 0.1673 0.3041 0.0682 0.3237 0.1652 0.1428 0.0647 0.1560 0.0520 0.0178 0.0701 0.1431

(continued on next page)

422

A. Hovav, J. D’Arcy

Table A4 (continued) Company

CSAR [0, 0]

CSAR [0, 1]

CSAR [0, 5]

CSAR [0, 10]

CSAR [0, 25]

Novell Palm Red Hat Sun Microsystems Inc. SunGard Data Systems Inc. Yahoo Average

1.1747 0.4153 1.8669 0.1153 0.6177

0.1952 0.0945 1.0486 0.2368 0.2966

0.1108 0.1873 0.1481 0.2929 0.1482

0.0742 0.3150 0.2037 0.1216 0.1530

0.2380 0.2077 0.1393 0.1218 0.1063

1.1003 0.1844

0.3120 0.1343

0.2541 0.0853

0.1880 0.0693

0.1261 0.0231

Z value P value

1.1365 0.1279

0.8276 0.2039

0.5255 0.2996

0.4270 0.3347

0.1425 0.5567

a

The AOL events listed in this table occurred while AOL was an Internet Service Provider classifying it as an IT-focused company.

Table A5

Z values for diverse companies (n Z 9)

Company

CSAR [0, 0]

CSAR [0, 1]

CSAR [0, 5]

CSAR [0, 10]

CSAR [0, 25]

ANZ Bank AOLa AOLa AOLa AT&T Handspring MCI Pioneer Warner Home Video Average

0.3032 0.8906 0.7177 0.2439 0.9784 1.7477 0.0453 2.1594 0.2259 0.5503

0.1364 0.5964 0.1609 0.1621 0.0744 0.8401 0.0801 0.1822 0.2755 0.0008

0.3775 0.0323 0.1262 0.0479 0.0229 0.2760 0.1150 0.0206 0.3325 0.0971

0.1334 0.1504 0.0063 0.1427 0.3844 0.1776 0.0901 0.0758 0.1497 0.0418

0.0346 0.1248 0.0396 0.1161 0.4642 0.1566 0.0366 0.0295 0.1851 0.1154

1.6508 0.9506

0.0023 0.5009

0.2911 0.6145

0.1254 0.4501

0.3463 0.3646

Z value P value a

The AOL events listed in this table occurred after AOL had merged with Time-Warner creating a large diversified company.

Appendix B Example of a type I virus announcement Copyright 1997 Associated Press All Rights Reserved Associated Press

SECTION: Business News LENGTH: 180 words HEADLINE: Compaq personal computer found to have virus

Compaq’s Presario 2210 desktop was infected during its production phase in Taiwan, and the problem paralyzes the computer’s CD-ROM drive, said Kazunori Tachibana, a spokesman for Compaq K.K., the company’s Japanese division. So far 300 units have been sold in Japan, and among those, 30e40 have been discovered to have the virus, he said. The company is planning a complete recall of the faulty model, but it has announced plans to distribute a floppy disk that will kill the virus. It also has offered full refunds on any affected units sold up to now.

DATELINE: TOKYO BODY: Some units of a low-priced personal computer launched in Japan by U.S. computer giant Compaq have been found to be infected by a virus, a company spokesman said Thursday.

The Taiwanese company contracted to assemble the model used an infected floppy disk to detect manufacturing defects in newly made units, and this apparently caused the glitch, Tachibana said.

Capital market reaction to defective IT products The Presario 2210, priced at about 130,000 yen, or $1060, is designed to appeal to people who are unfamiliar with personal computers.

Example of a type II virus announcement Copyright 2002 John Fairfax Publications Pty Ltd Australian Financial Review January 10, 2002

SECTION: Computers, Pg. 35 LENGTH: 128 words HEADLINE: Virus arrives in a flash BODY: A new front has opened in the war against computer viruses after one of the leading security software providers was sent a virus transported not be e-mailed but by a popular internet developer’s tool. The virus was sent to the software developer Sophos in Macromedia Flash technology, which is more commonly used by web developers to add sophisticated effects. Sophos said the virus was neither particularly damaging nor easy to spread. ‘‘The threat is someone will develop a new, more powerful variant of the virus we have now’’ said Sophos’ managing director, Mr. Stuart Palmer. However, Macromedia, the U.S. company which develops the Flash technology, said the development was not that serious and that the virus could be spread only by playing a Flash file.

References Anon. Return to sender. Economist 2000;355:82e3. Anderson R. Why information security is hard e an economic perspective. In: Proceedings of the Seventeenth Computer Security Applications Conference. IEEE Computer Society Press; 2001. p. 358e65. Anderson R. Cryptography and competition policy issues with ‘‘trusted computing’’. Computer Security Journal 2004; 20(1):1e13. Barber BM, Darrough MN. Product liability and firm value: the experience of American and Japanese automakers, 1973e1992. Journal of Political Economy 1996;104(5): 1084e99. Berghel H. The code red worm. Communications of the ACM 2001;44(12):15e9.

423 Blumenthal M. The politics and policies of enhancing trustworthiness for information systems. Communication Law & Policy 1999;4(4):513e55. Brealey RA, Myers SC. Principles of corporate finance. New York, NY: The McGraw-Hill Companies, Inc.; 1996. Bromiley P, Markus A. The deterrent to dubious corporate behavior: profitability, probability, and safety recalls. Strategic Management Journal 1989;10(3):233e50. Brown SJ, Warner JB. Using daily stock returns: the case of event studies. Journal of Financial Economics 1985;14:3e31. Caelli WJ. Trusted.or.trustworthy: the search for a new paradigm for computer and network security. Computers & Security 2002;21(5):413e9. Campbell JY, Lo AW, MacKinlay AC. Event study analysis. Chapter 4. In: The Econometrics of Financial Markets. Princeton, NJ: Princeton University Press; 1997. p. 149e80. Campbell K, Gordon LA, Loeb MP, Zhou L. The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security 2003;11(3):431e48. Chen CY, Lindsay G. Viruses, attacks, and sabotage: it’s a computer crime wave. Fortune 2000;141:484e7. Chen TM. Trends in viruses and worms. The Internet Protocol Journal 2003;6(3):23e33. Cluley G. Trends in virus writing and anti-virus technology. Available from: http://www.securitywatch.com/TRE/ 092100.html; 2000. Coursen S. The financial impact of viruses. Information Systems Security 1997;6(1):64e70. Cringely R. Pirate adventures. InfoWorld 2002;24(38):12. Davidson WN, Worrell DL. The effect of product recall announcements on shareholder wealth. Strategic Management Journal 1992;13(6):467e73. Deane J. IBM Says Some Aptivas Hit by Virus. ZDNet News. Available from: http://zdnet.com.com/2100-11-514258. html; 1999. Desilets R. Software vendors’ exposure to products liability for computer viruses. Computer/Law Journal 1989;9(1):509e26. Dos Santos BL, Peffers K, Mauer DC. The impact of information technology investment announcements on the market value of the firm. Information Systems Research 1993;4(1):1e24. Dranove D, Olsen C. The economic side effects of dangerous drug announcements. Journal of Law & Economics 1994; 37(2):323e48. Dyckman T, Philbrick D, Stephan J. A comparison of event study methodologies using daily stock returns: a simulation approach. Journal of Accounting Research 1984;22:1e30. Etebari A, Horrigan JO, Landwehr JL. To be or not to be e reaction of stock returns to sudden deaths of corporate chief executive officers. Journal of Business Finance & Accounting 1987;14(2):255e79. Ettredge M, Richardson VJ. Information transfer among internet firms: the case of hacker attacks. Journal of Information Systems 2003;17(2):71e82. Fama E, Fisher L, Jenson MC, Richard R. The adjustment of stock prices to new information. International Economic Review 1969;10:1e21. Gordon S. Technologically enabled crime: shifting paradigms for the year 2000. International Federation for Information Processing Sec 94 Technical Committee 11, Curacao, Netherlands, Antilles; 1994. Hayes F. The story so far. Computerworld 2003;37:26e7. Hinde S. Love conquers all? Computers & Security 2000;19(5): 408e20. Hingorani A, Shastri KA, Shastri K. Product regulation and stock prices: the case of the U.S. food and drug administration. Journal of Economics of Business 1994;1(2):163e78.

424 Hoffer GE, Pruitt SW, Reilly RJ. The impact of product recalls on the wealth of sellers: a reexamination. The Journal of Political Economy 1988;96(3):663e70. Hovav A, D’Arcy J. The impact of denial-of-service announcements on the market value of firms. Risk Management and Insurance Review 2003;6(2):97e121. Im KS, Dow KE, Grover V. A reexamination of IT investment and the market value of the firm: an event study methodology. Information Systems Research 2001;12(1): 103e17. Jarrell G, Peltzman S. The impact of product recalls on the wealth of sellers. The Journal of Political Economy 1985; 93(3):512e36. Kotler P, Mantrala MK. Flawed products: consumer responses and marketer strategies. Journal of Consumer Marketing 1985;2(3):27e37. Kluth DJ. The computer virus threat: a survey of current criminal statutes. Hamline Law Review 1990;13(2):297e312. Landwehr CE, Bull AR, McDermott JP, Choi WS. A taxonomy of computer program security flaws. ACM Computing Surveys 1994;26(3):211e54. Lemos R, Kane M. Security is a top priority. Available from: http: //news.com.com/2100-1001-816880.html; 2002. Loderer C, Mauer DC. Corporate dividends and seasoned equity issues: an empirical investigation. Journal of Finance 1992; 47(1):201e25. Lyman S. Civil remedies for the victims of computer viruses. Computer/Law Journal 1992;11(1):607e35. MacKinlay CA. Event studies in economics and finance. Journal of Economic Literature 1997;35(1):13e39. McAfee J, Haynes C. Computer Viruses, Worms, Data Diddlers, Killer Programs, & Other Threats To Your System. New York, NY: St. Martins Press; 1989. McMillan R. Bugbear, Sobig Top viruses so far in 2003. Available from: http://infojobs.com/article/03/07/01Hnbug_1. html?security; 2003. Mead N. International Liability Issues for Software Quality: Special Report CMU/SEI-2003-SR-001. CERT Research Center, Pittsburgh, PA; 2003. Montana JC. Viruses and the law: why the law is ineffective. The Information Management Journal 2000;34(4):57e60. Moore D, Voelker G.M. Inferring Internet Denial-of-Service Activity. Proceedings of the 10th USENIX Security Symposium. Washington, D.C.; 2001. Mykytyn K, Mykytyn PP, Sircar S. Redefining the customer in quality management software development: important legal considerations. Journal of Systems Management 1995;46(3): 56e69. Nachenberg C. Computer virus e Antivirus coevolution. Communications of the ACM 1997;40(1):46e51.

A. Hovav, J. D’Arcy Panko RR. Slammer: the first blitz worm. Communications of the Association for Information Systems 2003;11:207e18. Patilla JC. Security: time to take names, lay blame. Available from: www.eweek.com; February 25, 2002. Pruitt SW, Peterson DR. Security price reactions around product recall announcements. The Journal of Financial Research 1986;9(2):113e22. Pruitt SW, Reilly RJ, Hoffer GE. Security market anticipation of consumer preference shifts: the case of automobile recalls. Quarterly Journal of Business & Economics 1986;25(4): 14e29. Salin V, Hooker NH. Stock market reaction to food recalls. Review of Agricultural Economics 2001;23(1):33e46. Samuelson P. Liability for electronic defective information. Communications of the ACM 1993;36(1):21e6. Schultz E. Security views. Computers & Security 2002;21(5): 385e91. Spafford E. Crisis and aftermath. Communications of the ACM 1989;32(6):678e87. Spafford E, Heaphy KA, Ferbrache DJ. Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats. Arlington, VA: ADAPSO; 1989. Subramani M, Walden E. The impact of e-commerce announcements on the market value of firms. Information Systems Research 2001;12(2):135e54. Thibodeau P. Government seeks vendor accountability. Computerworld 1999;33:14e5. Thomsen MR, McKenzie AM. Market incentives for safe foods: an examination of shareholder losses from meat and poultry recalls. American Journal of Agricultural Economics 2001; 82(3):526e38. Wen HJ. Internet computer virus protection policy. Information Management & Computer Security 1998;6(2):66e71. Anat Hovav is an Assistant Professor at Temple University in Philadelphia, Pennsylvania. Her research interests include electronic scholarship, Internet standards adoption and Information Systems security. Dr. Hovav holds a Ph.D. in Management Information Systems from Claremont University. She also has over 15 years of industry experience in project management, Information Systems management and strategic planning. John D’Arcy is an Assistant Professor in the Department of Computer and Information Sciences at Towson University. His research interests include information systems security, ethical use of IT in organizations, and virtual teams. John holds an M.B.A. in Management Information Systems from LaSalle University. He also worked for Ford Motor Company in the areas of Finance and Information Systems.