Accession Number:

AD1147213

Title:

Effectiveness of the Vulnerability Response Decision Assistance (VRDA) Framework

Descriptive Note:

[Technical Report, Technical Paper]

Corporate Author:

CARNEGIE-MELLON UNIV PITTSBURGH PA

Personal Author(s):

Report Date:

2009-08-01

Pagination or Media Count:

43

Abstract:

The Vulnerability Response Decision Assistance (VRDA) framework is a decision support and expert system designed to model how organizations individually respond to vulnerability reports. By encoding vulnerability response knowledge in VRDA, organizations can make more consistent decisions and better prioritize their efforts. VRDA is descriptive: it aims to reproduce how an organization actually responds. This paper examines the effectiveness of VRDA in terms of how well it predicts responses. Decision data from three participating organizations was analyzed to determine how well decisions predicted by VRDA compared to decisions made by the organizations' expert analysts. An implementation of VRDA called KENGINE was used to collect vulnerability report data, generate decision models, predict responses, and record actual responses. Variations between predicted and actual responses may be caused by lack of sufficient or necessary vulnerability data, bias of expert analysts, poor decision logic, or some other unforeseen reason. Comparisons between different organizations, data sets, and decision models show that VRDA is accurate enough to give practical assistance with vulnerability response, although accuracy varies among individual decisions.

Subject Categories:

  • Administration and Management
  • Computer Systems

Distribution Statement:

[A, Approved For Public Release]