Software Engineering Institute

The Vulnerability Response Decision Assistance (VRDA) framework is a decision support and expert system designed to model how organizations individually respond to vulnerability reports. By encoding vulnerability response knowledge in VRDA, organizations can make more consistent decisions and better prioritize their efforts. VRDA is descriptive—it aims to reproduce how an organization actually responds. This paper examines the effectiveness of VRDA in terms of how well it predicts responses. Decision data from three participating organizations was analyzed to determine how well decisions predicted by VRDA compared to decisions made by the organization's expert analysts. An implementation of VRDA called KENGINE was used to collect vulnerability report data, generate decision models, predict responses, and record actual responses. Variations between predicted and actual responses may be caused by lack of sufficient or necessary vulnerability data, bias of expert analysts, poor decision logic, or some other unforeseen reason. Comparisons between different organizations, data sets, and decision models show that VRDA is accurate enough to give practical assistance with vulnerability response, although accuracy varies among individual decisions.