SIGiST
Specialist Interest Group in
Software Testing 21 Jun 2011

Thompson information Systems Consulting Ltd

Photo credit: Axel Rouvin, Flickr, Creative Commons.

What is Risk?
Lightning Talk

Neil Thompson
Thompson information Systems Consulting Ltd

v1.0
Some of this material courtesy of, or co-developed with, Paul Gerrard and (on another occasion) Testing Solutions Group
© Thompson information Systems Consulting Ltd

Risk is... Bad Things which may (or may not) happen

[Figure: compass (N, E, W, S) with two labels: "BAD THINGS WHICH COULD HAPPEN, AND LIKELIHOOD OF EACH" and "CONSEQUENCE OF EACH BAD THING WHICH COULD HAPPEN"]

• If the bad thing happens, then becomes “Issue”

The simple way to “quantify” risk

risk EXPOSURE = likelihood x consequence

LIKELIHOOD        3   6   9
(“probability”)   2   4   6
of bad thing      1   2   3
occurring
                  CONSEQUENCE (impact) if bad thing does occur

 • This is how most people quantify risk (though true quantification is notoriously difficult)
 • “Probability” is (properly) a number between 0 & 1
 • Adding gives same rank as multiplying, but less differentiation

Does risk have any other dimensions?

  • In addition to likelihood and consequence...
  • Undetectability:
    – difficulty of seeing a bad thing if it does happen
    – eg insidious database corruption
  • Urgency:
    – advisability of looking for / preventing some bad things before other bad things
    – eg lack of requirements stability
  • Both the above make a risk worse
  • Any others?

Different types of software risk

Project risk
 Eg:
 • supplier may deliver late
 • key staff may leave

Process risk
 Eg:
 • configuration management may install wrong version of product

Product risk
 Eg:
 • specifications may contain defects
 • software may contain faults

[Diagram: arrows labelled "may cause" link Project risk, Process risk and Product risk, top to bottom]

The “iron triangle” is really a tunable tetrahedron?

[Figure: diagrams with corners labelled Quality, Scope, Cost, Time and Risk; one annotation reads "best pair to fine-tune"]

Risk on the Value Flow ScoreCard

SIX VIEWPOINTS of what stakeholders want

                     Supplier      Process       Product       Customer      Financial     Improvement &
                                                                                           Infrastructure
Objectives                                                                                                   WHY we do things
Threats to success   Project risk  Process risk  Product risk  Project risk  Project risk  Process risk
Measures                                                                                                     WHAT (will constitute success)
Targets
Initiatives                                                                                                  HOW to do things well

Product Risk dimensions for testing

MAGNITUDE = likelihood x consequence x testability

LIKELIHOOD       5   10  15  20  25
(probability)    4   8   12  16  20
of bad thing     3   6   9   12  15
occurring        2   4   6   8   10
                 1   2   3   4   5
                 CONSEQUENCE (impact) if bad thing does occur

Third axis: TESTABILITY (how feasible / convenient it is to test against this risk); values shown along it: 50, 75, 100, 125

 • This new three-way view is useful when prioritising risks for testing

Brief digression: we really mean “uncertainty”!

 Decision theory, different situations under which decisions are made…

                   Certainty   Risk                                  Uncertainty
Alternatives       A B C       A B C                                 A B C unknown!
Consequences       a  b  c     a1, a2; b1, b2, b3, b4; c1, c2, c3    a1, a2; b1, b2, b3, b4; c1, c2, c3
Probability of                 p(a1), p(a2), p(b1), p(b2), p(b3),    ?, ?, ?, ?, ?, ?, ?, ?, ?
each consequence               p(b4), p(c1), p(c2), p(c3)
                               (known)                               (unknown)

• In software risk, we can only estimate the probabilities!
• And... we don’t really know all the alternatives!

Each step in software lifecycle is threatened by risk

[Diagram: DEVELOPMENT MODEL beside TEST MODEL]
DEVELOPMENT MODEL, top to bottom: REAL WORLD, (simplification), Requirements, (refinement with risk of distortion), Functional Specification, Technical Design, Module Spec, (programming with risk of bugs), SOFTWARE
TEST MODEL, each level as Analysis & Design then Execution:
  Requirements: Acceptance Test (AT)
  Functional Specification: System Test (ST)
  Technical Design: Integration Test (IT)
  Module Spec: Component Test (CT)
Labels on the diagram: verification testing; validation testing
Inset, after SOFTWARE TESTING: A CRAFTSMAN’S APPROACH (Paul Jorgensen): DEV MODEL (expected), TEST MODEL (ver’d / val’d), REAL WORLD (desired), SOFTWARE (observed)

So:
• remember overlapping models
• need both verification & validation

Product risks have a cause-effect chain

[Diagram: the chain below overlaid on the DEVELOPMENT MODEL / TEST MODEL picture (REAL WORLD, simplification, Requirements, refinement with risk of distortion, Functional Specification, Technical Design, Module Spec, programming with risk of bugs, SOFTWARE)]

• Mistake: a human action that produces an incorrect result (eg in spec-writing, program-coding)
• Defect: incorrect results in specifications
• Fault: an incorrect step, process or data definition in a computer program (ie executable software)
• Anomaly: an unexpected result during testing
• Error: amount by which result is incorrect
• Failure: an incorrect result
• Knock-on Effects
• Consequence: impact of risk becoming issue

Likelihood of making mistakes, of defects causing faults, of faults causing failures, etc

Product Risk factors

• Consequence is usually seen in terms of potential impact on the business:
   – direct financial (loss of profit, regulatory fines etc)
   – indirect financial (eg reputation damage)
   – frequency of use of the malfunctioning part/aspect of the system
• Likelihood is more associated with technical factors:
   – complexity of the part/aspect of the system
   – newness, degree to which changed
   – historical bugginess
   – etc etc
   – and frequency of use, again!

More about quantification difficulties

• In addition to the difficulty assessing all the things which could possibly go wrong, and their likelihoods...
• Consequences are also difficult to calculate
• And...
• Humans often have emotional / irrational biases in matters of risk

So, what does all this mean for testing?

[Diagram: the steps below overlaid on the DEVELOPMENT MODEL / TEST MODEL picture (REAL WORLD, Requirements, Functional Specification, Technical Design, Module Spec, SOFTWARE)]

1a. Risk-assess:
• the importance of each part/aspect of the system
• the likelihood of risks here

1b. Prioritise:
• test items
• features to be tested
• test basis elements etc
• GRADE coverage

2. Brainstorm / workshop:
• things which could go wrong, whether or not in spec
• their likelihood & consequences

TEST CONDITIONS come from both 1&2

Consequence: impact of risk becoming issue

Likelihood of making mistakes, of defects causing faults, of faults causing failures, etc

What do I mean by GRADE test coverage?

[Figure: three charts of Test Coverage & Effort against Riskiness. Source: Testing Solutions Group]
• Even distribution (marked X)
• Random / spurious priorities (marked X)
• Risk-graded (but avoid using this as an excuse to omit some things completely!)

  Also NB, risk information carries through the test process, to prioritise:
  • defects & anomalies
  • retests
  • regression tests

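An added example, not part of the original slides: the three-way magnitude score from "Product Risk dimensions for testing" used to grade test effort as described above. The names `ProductRisk`, `grade_effort`, `rank` and `REGISTER`, the sample risks, the hour budget and the per-risk floor are all assumptions made for illustration; the floor is one way to honour the warning against omitting some things completely.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the slides' 1-5 ordinal scale


@dataclass(frozen=True)
class ProductRisk:
    name: str
    likelihood: int    # chance of the bad thing occurring, 1-5
    consequence: int   # impact if it does occur, 1-5
    testability: int   # how feasible / convenient it is to test, 1-5

    def __post_init__(self):
        for attr in ("likelihood", "consequence", "testability"):
            if getattr(self, attr) not in SCALE:
                raise ValueError(f"{self.name}: {attr} must be 1-5")

    @property
    def exposure(self) -> int:
        # risk EXPOSURE = likelihood x consequence
        return self.likelihood * self.consequence

    @property
    def magnitude(self) -> int:
        # MAGNITUDE = likelihood x consequence x testability
        return self.exposure * self.testability


def rank(risks, by="magnitude"):
    """Names ordered from highest to lowest score; ties broken by name."""
    return [r.name for r in sorted(risks, key=lambda r: (-getattr(r, by), r.name))]


def grade_effort(risks, total_hours, floor_hours=1):
    """Risk-graded allocation of whole hours.

    Every risk first receives floor_hours, so nothing is omitted completely.
    The remaining budget is shared in proportion to magnitude, using
    largest-remainder rounding so the result sums exactly to total_hours.
    """
    if not risks:
        return {}
    spare = total_hours - floor_hours * len(risks)
    if spare < 0:
        raise ValueError("budget too small to give every risk the floor")
    total_mag = sum(r.magnitude for r in risks)
    # (whole hours, remainder) of each risk's proportional share
    shares = {r.name: divmod(spare * r.magnitude, total_mag) for r in risks}
    hours = {name: floor_hours + q for name, (q, _) in shares.items()}
    leftover = spare - sum(q for q, _ in shares.values())
    # leftover hours go to the largest remainders (ties by name, deterministic)
    for name in sorted(shares, key=lambda n: (-shares[n][1], n))[:leftover]:
        hours[name] += 1
    return hours


# Constructed sample register (illustrative scores, not from the talk).
REGISTER = [
    ProductRisk("payment rounding", likelihood=3, consequence=5, testability=4),
    ProductRisk("silent database corruption", likelihood=2, consequence=5, testability=1),
    ProductRisk("report layout", likelihood=4, consequence=1, testability=5),
    ProductRisk("login lockout", likelihood=2, consequence=4, testability=5),
]

if __name__ == "__main__":
    print("by exposure: ", rank(REGISTER, by="exposure"))
    print("by magnitude:", rank(REGISTER, by="magnitude"))
    for name, h in grade_effort(REGISTER, total_hours=40, floor_hours=2).items():
        print(f"{h:3d} h  {name}")
```

With these scores the database-corruption risk is second by exposure but last by magnitude because it is hard to test against, and the floor still keeps it in the plan.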
References & acknowledgements
•   James Bach: Heuristic Risk-Based Testing, Troubleshooting RBT, etc (www.satisfice.com)
•   Paul Gerrard: various presentations & papers (www.gerrardconsulting.com), leading to...
•   ...Paul Gerrard & Neil Thompson: Risk-Based E-Business Testing (Artech House 2002)
•   Neil Thompson: Risk Mitigation Trees – Review test handovers with stakeholders (EuroSTAR 2004)
•   Chris Comey & Testing Solutions Group: Risk Based Assurance & Acceptance (www.testing-solutions.com)

Associated topics

Decision-making & risk:
•   Terje Aven: Foundations of Risk Analysis – a Knowledge and Decision-oriented Perspective (Wiley 2003)

Wider risk management:
•   Tom DeMarco & Timothy Lister: Waltzing with Bears – Managing Risk on Software Projects (Dorset House 2003)

Psychology & philosophy of risk:
•   Dan Gardner: Risk – the Science and Politics of Fear (Virgin books 2008)
•   (Edited by) Tim Lewens: Risk – Philosophical Perspectives (Routledge 2007)

Models in testing:
•   Paul Jorgensen: Software Testing – a Craftsman’s Approach (CRC Press 1995)

 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
 
Mining and analyzing social media hicss 45 tutorial – part 2
Mining and analyzing social media hicss 45 tutorial – part 2Mining and analyzing social media hicss 45 tutorial – part 2
Mining and analyzing social media hicss 45 tutorial – part 2
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
 
44 Introduction Identifying and assessing risks is.docx
44 Introduction Identifying and assessing risks is.docx44 Introduction Identifying and assessing risks is.docx
44 Introduction Identifying and assessing risks is.docx
 
Analytics for software development
Analytics for software developmentAnalytics for software development
Analytics for software development
 
Risk-Based Testing - Designing & managing the test process (2002)
Risk-Based Testing - Designing & managing the test process (2002)Risk-Based Testing - Designing & managing the test process (2002)
Risk-Based Testing - Designing & managing the test process (2002)
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Adapt or Go extinct
Adapt or Go extinctAdapt or Go extinct
Adapt or Go extinct
 
Why AppSec Matters
Why AppSec MattersWhy AppSec Matters
Why AppSec Matters
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programs
 
Risk Analysis Webinar
Risk Analysis WebinarRisk Analysis Webinar
Risk Analysis Webinar
 
Paradigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk AssessmentsParadigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk Assessments
 

Mais de Neil Thompson

Six schools, three cultures of testing: future-proof by shifting left, down, ...
Six schools, three cultures of testing: future-proof by shifting left, down, ...Six schools, three cultures of testing: future-proof by shifting left, down, ...
Six schools, three cultures of testing: future-proof by shifting left, down, ...Neil Thompson
 
Test Data, Information, Knowledge, Wisdom: past, present & future of standing...
Test Data, Information, Knowledge, Wisdom: past, present & future of standing...Test Data, Information, Knowledge, Wisdom: past, present & future of standing...
Test Data, Information, Knowledge, Wisdom: past, present & future of standing...Neil Thompson
 
From 'Fractal How' to Emergent Empowerment (2013 article)
From 'Fractal How' to Emergent Empowerment (2013 article)From 'Fractal How' to Emergent Empowerment (2013 article)
From 'Fractal How' to Emergent Empowerment (2013 article)Neil Thompson
 
Value-Inspired Testing - renovating Risk-Based Testing, & innovating with Eme...
Value-Inspired Testing - renovating Risk-Based Testing, & innovating with Eme...Value-Inspired Testing - renovating Risk-Based Testing, & innovating with Eme...
Value-Inspired Testing - renovating Risk-Based Testing, & innovating with Eme...Neil Thompson
 
'Best Practices' & 'Context-Driven' - Building a bridge (2003)
'Best Practices' & 'Context-Driven' - Building a bridge (2003)'Best Practices' & 'Context-Driven' - Building a bridge (2003)
'Best Practices' & 'Context-Driven' - Building a bridge (2003)Neil Thompson
 
Risk Mitigation Trees - Review test handovers with stakeholders (2004)
Risk Mitigation Trees - Review test handovers with stakeholders (2004)Risk Mitigation Trees - Review test handovers with stakeholders (2004)
Risk Mitigation Trees - Review test handovers with stakeholders (2004)Neil Thompson
 
ROI at the bug factory - Goldratt & throughput (2004)
ROI at the bug factory - Goldratt & throughput (2004)ROI at the bug factory - Goldratt & throughput (2004)
ROI at the bug factory - Goldratt & throughput (2004)Neil Thompson
 
Feedback-focussed process improvement (2006)
Feedback-focussed process improvement (2006)Feedback-focussed process improvement (2006)
Feedback-focussed process improvement (2006)Neil Thompson
 
Thinking tools - From top motors through s'ware proc improv't to context-driv...
Thinking tools - From top motors through s'ware proc improv't to context-driv...Thinking tools - From top motors through s'ware proc improv't to context-driv...
Thinking tools - From top motors through s'ware proc improv't to context-driv...Neil Thompson
 
Holistic Test Analysis & Design (2007)
Holistic Test Analysis & Design (2007)Holistic Test Analysis & Design (2007)
Holistic Test Analysis & Design (2007)Neil Thompson
 
Value Flow ScoreCards - For better strategies, coverage & processes (2008)
Value Flow ScoreCards - For better strategies, coverage & processes (2008)Value Flow ScoreCards - For better strategies, coverage & processes (2008)
Value Flow ScoreCards - For better strategies, coverage & processes (2008)Neil Thompson
 
Value Flow Science - Fitter lifecycles from lean balanced scorecards (2011)
Value Flow Science - Fitter lifecycles from lean balanced scorecards  (2011)Value Flow Science - Fitter lifecycles from lean balanced scorecards  (2011)
Value Flow Science - Fitter lifecycles from lean balanced scorecards (2011)Neil Thompson
 
Memes & Fitness Landscapes - analogies of testing with sci evol (2011)
Memes & Fitness Landscapes - analogies of testing with sci evol (2011)Memes & Fitness Landscapes - analogies of testing with sci evol (2011)
Memes & Fitness Landscapes - analogies of testing with sci evol (2011)Neil Thompson
 
Testing as Value Flow Mgmt - organise your toolbox (2012)
Testing as Value Flow Mgmt - organise your toolbox (2012)Testing as Value Flow Mgmt - organise your toolbox (2012)
Testing as Value Flow Mgmt - organise your toolbox (2012)Neil Thompson
 

Mais de Neil Thompson (14)

Six schools, three cultures of testing: future-proof by shifting left, down, ...
Six schools, three cultures of testing: future-proof by shifting left, down, ...Six schools, three cultures of testing: future-proof by shifting left, down, ...
Six schools, three cultures of testing: future-proof by shifting left, down, ...
 
Test Data, Information, Knowledge, Wisdom: past, present & future of standing...
Test Data, Information, Knowledge, Wisdom: past, present & future of standing...Test Data, Information, Knowledge, Wisdom: past, present & future of standing...
Test Data, Information, Knowledge, Wisdom: past, present & future of standing...
 
From 'Fractal How' to Emergent Empowerment (2013 article)
From 'Fractal How' to Emergent Empowerment (2013 article)From 'Fractal How' to Emergent Empowerment (2013 article)
From 'Fractal How' to Emergent Empowerment (2013 article)
 
Value-Inspired Testing - renovating Risk-Based Testing, & innovating with Eme...
Value-Inspired Testing - renovating Risk-Based Testing, & innovating with Eme...Value-Inspired Testing - renovating Risk-Based Testing, & innovating with Eme...
Value-Inspired Testing - renovating Risk-Based Testing, & innovating with Eme...
 
'Best Practices' & 'Context-Driven' - Building a bridge (2003)
'Best Practices' & 'Context-Driven' - Building a bridge (2003)'Best Practices' & 'Context-Driven' - Building a bridge (2003)
'Best Practices' & 'Context-Driven' - Building a bridge (2003)
 
Risk Mitigation Trees - Review test handovers with stakeholders (2004)
Risk Mitigation Trees - Review test handovers with stakeholders (2004)Risk Mitigation Trees - Review test handovers with stakeholders (2004)
Risk Mitigation Trees - Review test handovers with stakeholders (2004)
 
ROI at the bug factory - Goldratt & throughput (2004)
ROI at the bug factory - Goldratt & throughput (2004)ROI at the bug factory - Goldratt & throughput (2004)
ROI at the bug factory - Goldratt & throughput (2004)
 
Feedback-focussed process improvement (2006)
Feedback-focussed process improvement (2006)Feedback-focussed process improvement (2006)
Feedback-focussed process improvement (2006)
 
Thinking tools - From top motors through s'ware proc improv't to context-driv...
Thinking tools - From top motors through s'ware proc improv't to context-driv...Thinking tools - From top motors through s'ware proc improv't to context-driv...
Thinking tools - From top motors through s'ware proc improv't to context-driv...
 
Holistic Test Analysis & Design (2007)
Holistic Test Analysis & Design (2007)Holistic Test Analysis & Design (2007)
Holistic Test Analysis & Design (2007)
 
Value Flow ScoreCards - For better strategies, coverage & processes (2008)
Value Flow ScoreCards - For better strategies, coverage & processes (2008)Value Flow ScoreCards - For better strategies, coverage & processes (2008)
Value Flow ScoreCards - For better strategies, coverage & processes (2008)
 
Value Flow Science - Fitter lifecycles from lean balanced scorecards (2011)
Value Flow Science - Fitter lifecycles from lean balanced scorecards  (2011)Value Flow Science - Fitter lifecycles from lean balanced scorecards  (2011)
Value Flow Science - Fitter lifecycles from lean balanced scorecards (2011)
 
Memes & Fitness Landscapes - analogies of testing with sci evol (2011)
Memes & Fitness Landscapes - analogies of testing with sci evol (2011)Memes & Fitness Landscapes - analogies of testing with sci evol (2011)
Memes & Fitness Landscapes - analogies of testing with sci evol (2011)
 
Testing as Value Flow Mgmt - organise your toolbox (2012)
Testing as Value Flow Mgmt - organise your toolbox (2012)Testing as Value Flow Mgmt - organise your toolbox (2012)
Testing as Value Flow Mgmt - organise your toolbox (2012)
 

Último

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Último (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

What is Risk? - lightning talk for software testers (2011)

  • 1. SIGiST Specialist Interest Group in Software Testing, 21 Jun 2011. Thompson information Systems Consulting Ltd. Photo credit: Axel Rouvin, Flickr, Creative Commons.
  • 2. What is Risk? Lightning Talk. Neil Thompson, Thompson information Systems Consulting Ltd. v1.0. Some of this material courtesy of, or co-developed with, Paul Gerrard and (on another occasion) Testing Solutions Group. ©Thompson information Systems Consulting Ltd
  • 3. Risk is... Bad Things which may (or may not) happen
      [Figure labels: BAD THINGS WHICH COULD HAPPEN, AND LIKELIHOOD OF EACH; N E W S; CONSEQUENCE OF EACH BAD THING WHICH COULD HAPPEN]
      • If the bad thing happens, then becomes “Issue”
  • 4. The simple way to “quantify” risk
      risk EXPOSURE = likelihood x consequence
      LIKELIHOOD (“probability”) of bad thing occurring, against CONSEQUENCE (impact) if bad thing does occur:
          likelihood 3 |  3  6  9
          likelihood 2 |  2  4  6
          likelihood 1 |  1  2  3
          consequence  |  1  2  3
      • This is how most people quantify risk (though true quantification is notoriously difficult)
      • “Probability” is (properly) a number between 0 & 1
      • Adding gives same rank as multiplying, but less differentiation
  • 5. Does risk have any other dimensions?
      • In addition to likelihood and consequence...
      • Undetectability:
          – difficulty of seeing a bad thing if it does happen
          – eg insidious database corruption
      • Urgency:
          – advisability of looking for / preventing some bad things before other bad things
          – eg lack of requirements stability
      • Both the above make a risk worse
      • Any others?
  • 6. Different types of software risk
      • Project risk. Eg:
          – supplier may deliver late
          – key staff may leave
      • Process risk. Eg:
          – configuration management may install wrong version of product
      • Product risk. Eg:
          – specifications may contain defects
          – software may contain faults
      [Figure: arrows labelled “may cause” link the risk types]
  • 7. The “iron triangle” is really a tunable tetrahedron?
      [Figure labels: Quality, Scope, Cost, Time, Risk; annotation: “best pair to fine-tune”]
  • 8. Risk on the Value Flow ScoreCard
      SIX VIEWPOINTS of what stakeholders want: Supplier; Process; Product; Customer; Financial; Improvement & Infrastructure
      Rows of the scorecard:
          – Objectives (WHY we do things)
          – Threats to success, one per viewpoint in the order above: Project risk; Process risk; Product risk; Project risk; Project risk; Process risk
          – Measures and Targets (WHAT will constitute success)
          – Initiatives (HOW to do things well)
  • 9. Product Risk dimensions for testing
      MAGNITUDE = likelihood x consequence x testability
      LIKELIHOOD (probability) of bad thing occurring, against CONSEQUENCE (impact) if bad thing does occur:
          likelihood 5 |  5 10 15 20 25
          likelihood 4 |  4  8 12 16 20
          likelihood 3 |  3  6  9 12 15
          likelihood 2 |  2  4  6  8 10
          likelihood 1 |  1  2  3  4  5
          consequence  |  1  2  3  4  5
      TESTABILITY (how feasible / convenient it is to test against this risk) is the third axis; values shown along it: 125, 100, 75, 50
      • This new three-way view is useful when prioritising risks for testing
  • 10. Brief digression: we really mean “uncertainty”!
      Decision theory, different situations under which decisions are made…
          Situation   | Alternatives       | Consequences                            | Probability of each consequence
          Certainty   | A, B, C            | a, b, c                                 |
          Risk        | A, B, C            | a1, a2; b1, b2, b3, b4; c1, c2, c3      | p(a1), p(a2), p(b1), p(b2), p(b3), p(b4), p(c1), p(c2), p(c3): known
          Uncertainty | A, B, C, unknown!  | a1, a2; b1, b2, b3, b4; c1, c2, c3      | ?, ?, ?, ?, ?, ?, ?, ?, ?: unknown
      • In software risk, we can only estimate the probabilities!
      • And... we don’t really know all the alternatives!
  • 11. Each step in software lifecycle is threatened by risk
      [Figure, after Paul Jorgensen, SOFTWARE TESTING: A CRAFTSMAN’S APPROACH. DEVELOPMENT MODEL paired with TEST MODEL at each level:
          – Requirements / Acceptance Test Analysis & Design / AT Execution
          – Functional Specification / System Test Analysis & Design / ST Execution
          – Technical Design / Integration Test Analysis & Design / IT Execution
          – Module Spec / Component Test Analysis & Design / CT Execution
       Labels: REAL WORLD (desired); DEV MODEL (expected); TEST MODEL (ver’d / val’d); SOFTWARE (observed); simplification; refinement with risk of distortion; programming with risk of bugs; validation testing; verification testing]
      So:
      • remember overlapping models
      • need both verification & validation
  • 12. Product risks have a cause-effect chain
      [Figure: the DEVELOPMENT MODEL (Requirements, Functional Specification, Technical Design, Module Spec, SOFTWARE) with the labels simplification, refinement with risk of distortion, programming with risk of bugs, overlaid with the chain below]
      • Mistake: a human action that produces an incorrect result (eg in spec-writing, program-coding)
      • Defect: incorrect results in specifications
      • Fault: an incorrect step, process or data definition in a computer program (ie executable software)
      • Anomaly: an unexpected result during testing
      • Failure: an incorrect result
      • Error: amount by which result is incorrect
      • Knock-on Effects
      • Consequence: impact of risk becoming issue
      Likelihood of making mistakes, of defects causing faults, of faults causing failures, etc
  • 13. Product Risk factors
      • Consequence is usually seen in terms of potential impact on the business:
          – direct financial (loss of profit, regulatory fines etc)
          – indirect financial (eg reputation damage)
          – frequency of use of the malfunctioning part/aspect of the system
      • Likelihood is more associated with technical factors:
          – complexity of the part/aspect of the system
          – newness, degree to which changed
          – historical bugginess
          – etc etc
          – and frequency of use, again!
  • 14. More about quantification difficulties
      • In addition to the difficulty assessing all the things which could possibly go wrong, and their likelihoods...
      • Consequences are also difficult to calculate
      • And...
      • Humans often have emotional / irrational biases in matters of risk
  • 15. So, what does all this mean for testing?
      [Figure: the DEVELOPMENT MODEL (Requirements, Functional Specification, Technical Design, Module Spec, SOFTWARE) beside the TEST MODEL and the REAL WORLD, annotated with the steps below]
      1a. Risk-assess:
          • the importance of each part/aspect of the system
          • the likelihood of risks here
      1b. Prioritise:
          • test items
          • features to be tested
          • test basis elements etc
          • GRADE coverage
      2. Brainstorm / workshop:
          • things which could go wrong, whether or not in spec
          • their likelihood & consequences
      TEST CONDITIONS come from both 1 & 2
      Consequence: impact of risk becoming issue
      Likelihood of making mistakes, of defects causing faults, of faults causing failures, etc
  • 16. What do I mean by GRADE test coverage?
      [Chart, source: Testing Solutions Group. Test Coverage & Effort plotted against Riskiness, with three profiles:
          – Even distribution (X)
          – Random / spurious priorities (X)
          – Risk-graded (but avoid using this as an excuse to omit some things completely!)]
      Also NB, risk information carries through the test process, to prioritise:
      • defects & anomalies
      • retests
      • regression tests
  • 17. References & acknowledgements
      • James Bach: Heuristic Risk-Based Testing, Troubleshooting RBT, etc (www.satisfice.com)
      • Paul Gerrard: various presentations & papers (www.gerrardconsulting.com), leading to...
      • ...Paul Gerrard & Neil Thompson: Risk-Based E-Business Testing (Artech House 2002)
      • Neil Thompson: Risk Mitigation Trees – Review test handovers with stakeholders (EuroSTAR 2004)
      • Chris Comey & Testing Solutions Group: Risk Based Assurance & Acceptance (www.testing-solutions.com)
      Associated topics
      Decision-making & risk:
      • Terje Aven: Foundations of Risk Analysis – a Knowledge and Decision-oriented Perspective (Wiley 2003)
      Wider risk management:
      • Tom DeMarco & Timothy Lister: Waltzing with Bears – Managing Risk on Software Projects (Dorset House 2003)
      Psychology & philosophy of risk:
      • Dan Gardner: Risk – the Science and Politics of Fear (Virgin books 2008)
      • (Edited by) Tim Lewens: Risk – Philosophical Perspectives (Routledge 2007)
      Models in testing:
      • Paul Jorgensen: Software Testing – a Craftsman’s Approach (CRC Press 1995)
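Slides 4, 9 and 16 worked through in code, as an added example that is not part of the talk: it checks the adding-versus-multiplying remark on the 3-point and 5-point grids, scores risks with the three-way magnitude, and grades test effort by it. The risk names, their scores, the 40-hour budget and the per-risk floor are constructed assumptions; the floor is one way to honour the slide-16 warning about omitting things completely.

```python
from itertools import combinations, product

SCALE_MAX = 5  # slide 9 scores each dimension from 1 to 5


def cells(n):
    """All (likelihood, consequence) score pairs on an n-point scale."""
    return list(product(range(1, n + 1), repeat=2))


def distinct_levels(n, combine):
    """How many different exposure values a scoring rule can produce."""
    return len({combine(l, c) for l, c in cells(n)})


def rank_reversals(n):
    """Count cell pairs that adding ranks one way and multiplying the other."""
    reversals = 0
    for (l1, c1), (l2, c2) in combinations(cells(n), 2):
        by_sum = (l1 + c1) - (l2 + c2)
        by_product = (l1 * c1) - (l2 * c2)
        if by_sum * by_product < 0:  # opposite signs: the two rules disagree
            reversals += 1
    return reversals


def magnitude(risk):
    """Slide 9: magnitude = likelihood x consequence x testability."""
    for key in ("likelihood", "consequence", "testability"):
        if not 1 <= risk[key] <= SCALE_MAX:
            raise ValueError(f"{risk['name']}: {key} must be 1..{SCALE_MAX}")
    return risk["likelihood"] * risk["consequence"] * risk["testability"]


def grade_effort(risks, total_hours, floor_hours):
    """Risk-graded allocation: every risk gets the floor, the rest of the
    budget is split in proportion to magnitude."""
    if not risks:
        raise ValueError("no risks to grade")
    reserved = floor_hours * len(risks)
    if reserved > total_hours:
        raise ValueError("budget cannot cover the floor for every risk")
    scores = {r["name"]: magnitude(r) for r in risks}
    total_score = sum(scores.values())
    spare = total_hours - reserved
    return {name: floor_hours + spare * score / total_score
            for name, score in scores.items()}


# Constructed sample register; two names echo examples on slides 5 and 6.
SAMPLE_RISKS = [
    {"name": "payment rounding fault",
     "likelihood": 4, "consequence": 5, "testability": 4},
    {"name": "insidious database corruption",
     "likelihood": 2, "consequence": 5, "testability": 2},
    {"name": "report layout defect",
     "likelihood": 3, "consequence": 2, "testability": 5},
    {"name": "wrong version installed",
     "likelihood": 2, "consequence": 5, "testability": 3},
]

if __name__ == "__main__":
    for n in (3, 5):
        print(f"{n}-point scale: multiply gives",
              distinct_levels(n, lambda l, c: l * c), "levels, add gives",
              distinct_levels(n, lambda l, c: l + c), "levels,",
              rank_reversals(n), "rank reversals")
    plan = grade_effort(SAMPLE_RISKS, total_hours=40, floor_hours=2)
    for name, hours in sorted(plan.items(), key=lambda kv: -kv[1]):
        print(f"{hours:5.1f} h  {name}")
```

The hard-to-test corruption risk scores lowest under the slide-9 formula, which is the case the floor protects. On the 5-point grid adding and multiplying can disagree on order (for example 1 and 5 against 2 and 3), so the "same rank" remark holds for the 3-point grid of slide 4 only.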