ISSRE 2006 - Exploring the Robustness of Risk Reduction Strategies

Exploring the Robustness of Risk Reduction Strategies

Julian D. C. Richardson, Daniel Port and Martin S. Feather

The 17th IEEE International Symposium on Software Reliability Engineering (ISSRE 2006) -- Government Track
Raleigh, North Carolina, USA, 7-10 November 2006

Abstract

Risks permeate the development and operation of many complex software systems. Nearly all risk reduction activities incur cost, and the sum total cost of all potentially applicable activities typically far exceeds the resources available. Hence there is the need to judiciously pick from among those activities to arrive at a cost-effective selection.

A risk reduction strategy could be as simple as a fixed set of activities, the same set applied to all software systems (the effort to perform these will typically depend on the size and complexity of the software). A refinement of this is to have an escalating series of such fixed sets, increasing in thoroughness (and cost), and pick the one to use based on an initial assessment of the system's criticality and risk.

Yet more sophisticated selection strategies have been proposed that hinge upon models that estimate software-specific risk prevalence and the cost and effectiveness of the available activities at reducing risks.

A key question for risk reduction strategies which are based on models of cost, risk and effectiveness: how robust are they in the face of uncertainties in the underlying data on which they are based? That is, will they yield near-optimal risk-reduction recommendations even if the inputs are inaccurate? Recently, we have addressed this question experimentally. Initial results show that strategic methods are indeed robust in the face of such uncertainty.

START Conference Manager (V2.52.6)

Maintainer: mark.sherriff@ncsu.edu