Software Engineering Institute | Carnegie Mellon University

White Paper

Effectiveness of the Vulnerability Response Decision Assistance (VRDA) Framework

  • Abstract

    The Vulnerability Response Decision Assistance (VRDA) framework is a decision support and expert system designed to model how organizations individually respond to vulnerability reports. By encoding vulnerability response knowledge in VRDA, organizations can make more consistent decisions and better prioritize their efforts. VRDA is descriptive—it aims to reproduce how an organization actually responds. This paper examines the effectiveness of VRDA in terms of how well it predicts responses. Decision data from three participating organizations was analyzed to determine how well decisions predicted by VRDA compared to decisions made by the organization's expert analysts. An implementation of VRDA called KENGINE was used to collect vulnerability report data, generate decision models, predict responses, and record actual responses. Variations between predicted and actual responses may be caused by lack of sufficient or necessary vulnerability data, bias of expert analysts, poor decision logic, or some other unforeseen reason. Comparisons between different organizations, data sets, and decision models show that VRDA is accurate enough to give practical assistance with vulnerability response, although accuracy varies among individual decisions.
