Why do software projects go wrong - PowerPoint PPT Presentation

1 / 24
About This Presentation
Title:

Why do software projects go wrong

Description:

Why do software projects go wrong? Inadequate understanding of customer needs ... Inexperienced or incapable personnel. Ineffective testing misses serious defects ... – PowerPoint PPT presentation

Number of Views:199
Avg rating:3.0/5.0
Slides: 25
Provided by: rmac2
Category:

less

Transcript and Presenter's Notes

Title: Why do software projects go wrong


1
Why do software projects go wrong?
  • Inadequate understanding of customer needs
  • Poor requirements documents
  • Poor requirements management
  • Poor or no architecture/design
  • Code first and ask questions later
  • Poorly understood legacy design/code
  • No peer reviews to catch problems early
  • Inexperienced or incapable personnel
  • Ineffective testing misses serious defects

2
Risk Management
  • Risk assessment is not a single process, but a
    systematic approach to organizing and analysing
    scientific knowledge and information that
    supports a risk decision. NRC (1994)
  • Risk management is a systematic process for the
    identification, assessment, control and
    communication of risks to life, property, or
    other valued objects.

3
  • A risk is a probability that some adverse
    circumstance will occur
  • Project risks affect schedule or resources
  • Product risks affect the quality or performance
    of the software being developed
  • Business risks affect the organisation developing
    or procuring the software.

4
  • Risk Analysis involves the identification and
    assessment of the levels of risk, calculated from
    the
  • Values of assets
  • Threats to the assets
  • Their vulnerabilities and likelihood of
    exploitation
  • Risk Management involves the identification,
    selection and adoption of security measures
    justified by
  • The identified risks to assets
  • The reduction of these risks to acceptable levels

5
Classification of software risks
  • Software Project Risks
  • Resource constraints, external interfaces,
    supplier relationships, nonperforming vendors,
    internal politics, interteam/intergroup
    coordination problems, inadequate funding.
  • Software Process Risks
  • Undocumented software process, lack of effective
    peer reviews, no defect prevention, poor design
    process, poor requirements management,
    ineffective planning.
  • Software Product Risks
  • Lack of domain expertise, complex design, poorly
    defined interfaces, poorly understood legacy
    system(s), vague or incomplete requirements.

6
Software risks
7
The Risk Management Process
Identify risks
Analyze risks
Learn about risks
Risk Knowledge Base
Plan for risks
Resolve risks
Track risks
8
The risk management process
  • Risk identification
  • Identify project, product and business risks
  • Risk analysis
  • Assess the likelihood and consequences of these
    risks
  • Risk planning
  • Draw up plans to avoid or minimise the effects of
    the risk
  • Risk monitoring
  • Monitor the risks throughout the project

9
Benefits of RM
  • Better control of uncertainty
  • Clarification of the project objectives
  • Proactive action plans against risks
  • Effective mitigation by the prioritization of
    risks
  • Decrease in the costs that are caused by risks

10
Risk Assessment Control
  • Risk Assessment
  • Identification what are the risks? Make a
    list!(Or borrow one for ideas)
  • Analysis assess risk likelihood and impact
    find possible alternatives
  • Prioritization which risks to focus on? Sort
    risks by impact
  • ...

11
Risk identification
  • Technology risks.
  • People risks.
  • Organisational risks.
  • Requirements risks.
  • Estimation risks.

12
Risk Identification
  • Look for risks
  • In all of the major areas of the project -
    resources, tools, process, and product
  • In management areas - cost, schedule, level of
    effort
  • In the Classic Mistakes and Fundamentals
  • In every area your customer cares about!

13
Problems of Measuring Risk
  • Businesses normally wish to measure in money, but
  • Many of the entities do not allow this
  • Valuation of assets
  • Value of data and in-house software - no market
    value
  • Value of goodwill and customer confidence
  • Likelihood of threats
  • How relevant is past data to the calculation of
    future probabilities?
  • The nature of future attacks is unpredictable
  • The actions of future attackers are unpredictable
  • Measurement of benefit from security measures
  • Problems with the difference of two approximate
    quantities
  • How does an extra security measure affect a 10-5
    probability of attack?

14
Risk Levels
  • Precise monetary values give a false precision
  • Better to use levels, e.g.
  • High, Medium, Low
  • High major impact on the organisation
  • Medium noticeable impact (material in auditing
    terms)
  • Low can be absorbed without difficulty
  • 1 - 10
  • Express money values in levels, e.g.
  • For a large University Department a possibility
    is
  • High
  • Medium
  • Low

15
Risk Analysis Steps
  • Decide on scope of analysis
  • Set the system boundary
  • Identification of assets business processes
  • Identification of threats and valuation of their
    impact on assets (impact valuation)
  • Identification and assessment of vulnerabilities
    to threats
  • Risk assessment

16
Risk Analysis Defining the Scope
  • Draw a context diagram
  • Decide on the boundary
  • It will rarely be the computer!
  • Make explicit assumptions about the security of
    neighbouring domains
  • Verify them!

17
Risk Analysis - Identification of Assets
  • Types of asset
  • Hardware
  • Software purchased or developed programs
  • Data
  • People who run the system
  • Documentation manuals, administrative
    procedures, etc
  • Supplies paper forms, magnetic media, printer
    liquid, etc
  • Money
  • Intangibles
  • Goodwill
  • Organisation confidence
  • Organisation image

18
Risk Analysis Impact Valuation
  • Identification and valuation of threats - for
    each group of assets
  • Identify threats, e.g. for stored data
  • Loss of confidentiality
  • Loss of integrity
  • Loss of completeness
  • Loss of availability (Denial of Service)
  • For many asset types the only threat is loss of
    availability
  • Assess impact of threat
  • Assess in levels, e.g H-M-L or 1 - 10
  • This gives the valuation of the asset in the face
    of the threat

19
Risk Analysis Process Analysis
  • Every company or organisation has some processes
    that are critical to its operation
  • The criticality of a process may increase the
    impact valuation of one or more assets identified
  • So
  • Identify critical processes
  • Review assets needed for critical processes
  • Revise impact valuation of these assets

20
Risk Analysis Vulnerabilities 1
  • Identify vulnerabilities against a baseline
    system
  • For risk analysis of an existing system
  • Existing system with its known security measures
    and weaknesses
  • For development of a new system
  • Security facilities of the envisaged software,
    e.g. Windows NT
  • Standard good practice, e.g. BS 7799
    recommendations of good practice

21
Risk Analysis Vulnerabilities 2
  • For each threat
  • Identify vulnerabilities
  • How to exploit a threat successfully
  • Assess levels of likelihood - High, Medium, Low
  • Of attempt
  • Expensive attacks are less likely (e.g.
    brute-force attacks on encryption keys)
  • Successful exploitation of vulnerability
  • Combine them

22
Responses to Risk
  • Responses to risk
  • Avoid it completely by withdrawing from an
    activity
  • Accept it and do nothing
  • Reduce it with security measures

23
Stages and Risks
  • Feasibility
  • Misunderstanding of the nature of problems,
    opportunities or technology and the poor
    estimation of benefits and costs.
  • Analysis
  • Lack of understanding as to the detailed
    activities required to provide a solution.
  • Design
  • Misinterpretation of the work done during the
    analysis or faulty analysis.

24
Stages and Risks
  • Specification
  • Incomplete work. Previous errors in analysis and
    design.
  • Production
  • Inappropriate development tools. Bugs in the
    development tools. Staff do not know how to use
    the tools adequately.

25
Stages and Risks
  • Testing
  • The system is too big to adequately test in a
    timeframe that is perceived as being appropriate.
    Inappropriate test data or routines used.
  • Commissioning
  • Not enough attention given by users. Done too
    fast.
  •  Risk continues into the post commissioning era
Write a Comment
User Comments (0)
About PowerShow.com