1 By the name of the god By the name of the god Risk management Dr. Lo’ai Tawalbeh Dr. Lo’ai Tawalbeh DONE BY: AMNA ISMAIL RASHAN
Dec 18, 2015
1
By the name of the godBy the name of the god
Risk management
Dr. Lo’ai TawalbehDr. Lo’ai Tawalbeh
DONE BY:AMNA ISMAIL RASHAN
2
The elements of risk
1 )asset is anything within an environment that should be protected
2 )Threat: is any potential danger to information, or systems (e.g. fire)
3
The elements of risk
3 )Vulnerability: is a software, hardware, or procedural weakness that may provide an attacker the open
door to enter a system .
4 )Exposure: It means that, if there is a vulnerability and a threat that can exploit it, there is the possibility that a threat event can occur.
4
The elements of risk
5 )Risk: is the possibility that any specific threat will exploit a specific vulnerability to cause harm to an asset .risk = threat + vulnerability.
6 )safeguard: or countermeasure, is anything that removes a vulnerability or protects against one or more specific threats .
Safeguards and counter-measures are the only means by which risk is mitigated or removed.
5
Sources of riskA) Internal:
*Changes in budget
*change of initial requirement
*disruption to day to day operation of the organization
*key staff leaving
*equipment failure.
B) External:
*Hardware/software not delivered
*supplier becomes insolvent
*unauthorised access into systems
*disruption through power/communication
6
Parts of risk
Risk event: the adverse event that results in a risk .
Risk probability: the likelihood or uncertainty of a risk to occur .
Risk impact: the loss or extent of damage caused by a risk.
7
Types of risk
1 .Technical risk
2 .Managerial risk
3 .Operational risk
4 .Environment risk
5 .Testing risk
Types of risk
1 .Technical risk2 .Managerial risk3 .Operational risk4 .Environment risk
5 .Testing risk
(1)Do we really know what the problem is?
(2) Is the problem solvable?
1 .Technical risk2 .Managerial risk3 .Operational risk4 .Environment risk
5 .Testing risk
*Schedule risk; *Financial risk;
*Personnel risk; *Quality risk;
Types of risk
1 .Technical risk2 .Managerial risk3 .Operational risk4 .Environment risk
5 .Testing risk
*Inadequate user education or training; *Software Misuse;
*Inadequate maintenance of the product.
Types of risk
1 .Technical risk2 .Managerial risk3 .Operational risk4 .Environment risk
5 .Testing risk
physical risks that may threaten a particular data center as: Fire, water
Types of risk
1 .Technical risk2 .Managerial risk3 .Operational risk4 .Environment risk
5 .Testing risk
The quality control practitioner plays a key role in addressing the testing of risk
Types of risk
13
Risk Managementis the process of controlling risk and monitoring the effectiveness of the control mechanisms.
The goal of RM:
is to preserve the quality and integrity of a project by reducing cost escalation and project slippage.
14
Risk management process
1 )Identifying the risk;
2 )Assessing the risk's magnitude;
3 )Determining the response to the risk;
4 )Planning for the addressing of, and reporting on, the risk if encountered
15
Risk assessment
The cost potential of the risk's occurrence;
The probability of the risk occurring;
The risk exposure; The cost to respond to the
risk.
16
Risk response
1 )Elimination;
2 )Avoidance;
3 )Mitigation;
4 )Acceptance.
17
Risk Analysis
the process of identifying, estimating, and evaluating risk.
18
Risk AnalysisRisk Analysis
Benefits of RA • Ease of data comprehension. • Identification and prioritization of critical
activities and functions• Identification of areas where policies and
procedures need to be enhanced and implemented Justification of cost of implementation of measures
• Assessment of the preparedness of an organization with respect to the risks.
• Assessment of the security awareness among employees
19
Risk Analysis
1) Software Risk Analysis
2 )Planning Risks and Contingencies
The purpose of software risk analysis: to determine what to test, the testing priority, and
the depth of testing.
20
Risk Analysis Who Should Do the Analysis?
The risk analysis should be done by a team of experts from various groups within the organization include developers, testers, users, customers, marketers, and other interested, willing, and able contributors.
When Should It Be Done?
A risk analysis should be done as early as possible in the software lifecycle. A first cut at a risk analysis can usually be done as soon as the high-level requirements are known.
21
Software Risk Analysis Process
How Should It Be Done Step 1: Form a Brainstorming Team
Step 2: Compile a List of Features
Step 3: Determine the Likelihood
Step 4: Determine the Impact
Step 5: Assign Numerical Values
Step 6: Compute the Risk Priority
Step 7: Review/Modify the Values
Step 8: Prioritize the Features
Step 9: Determine the "Cut Line“
Step 10: Consider Mitigation
22
Software Risk Analysis ProcessHow Should It Be Done Step 1: Form a Brainstorming TeamInclude:
users )such as business analysts) developers testers marketers customer service representatives support personnel and anyone else that has knowledge of the business and/or
product, and is willing and able to participate.
23
Software Risk Analysis ProcessHow Should It Be Done Step 2: Compile a List of Features
Compile an inventory of features, attributes, or business functions for the entire system .
Global attributes include:
Accessibility, availability, compatibility, maintainability, performance, reliability ,
scalability, security, and usability.
24
Software Risk Analysis ProcessHow Should It Be Done Step 3: Determine the Likelihood
Assign an indicator for the relative likelihood of failure.
25
Table 2: Likelihood of Failure for ATM Features/Attributes
ATM SoftwareLikelihood
FeaturesAttributes
Withdraw cashHigh
Deposit cashMedium
Check account balanceLow
Transfer fundsMedium
Purchase stampsHigh
Make a loan paymentLow
UsabilityMedium
PerformanceLow
SecurityMedium
26
Software Risk Analysis ProcessHow Should It Be Done Step 4: Determine the Impact
What would be the impact on the user if this feature or attribute failed to
operate correctly?
Table 3: Impact of Failure for ATM Features/Attributes
ATM Software Likelihood Impact
Features Attributes
Withdraw cash HighHigh
Deposit cash MediumHigh
Check account balance LowMedium
Transfer funds MediumMedium
Purchase stamps HighLow
Make a loan payment LowMedium
UsabilityMediumHigh
PerformanceLowMedium
SecurityMediumHigh
28
Software Risk Analysis ProcessHow Should It Be Done Step 5: Assign Numerical Values
Brainstorming team should assign numerical values for H, M, and L for both likelihood and impact.
Usually assign a value of 3 for H, 2 for
M, and 1 for L.
29
Software Risk Analysis ProcessHow Should It Be Done Step 6: Compute the Risk Priority
The values assigned to the likelihood of failure and the impact of failure should be added together.
30
Table 4: Summed Priorities for ATM Features/Attributes
ATM Software Likelihood Impact Priority
Features Attributes
Withdraw cash HighHigh6
Deposit cash MediumHigh5
Check account balance
LowMedium3
Transfer funds MediumMedium4
Purchase stamps HighLow4
Make a loan payment LowMedium3
UsabilityMediumHigh5
PerformanceLowMedium3
SecurityMediumHigh5
31
Software Risk Analysis ProcessHow Should It Be Done
Step 7: Review/Modify the Values
Values of the likelihood of failure for each feature may be modified based on additional information or analyses that may be available .
32
Software Risk Analysis ProcessHow Should It Be Done
Step 8: Prioritize the Features
The brainstorming team should reorganize their list of features and attributes in order of risk priority.
Table 5: Sorted Priorities for ATM Features/Attributes
ATM Software Likelihood Impact Priority
Features Attributes
Withdraw cash HighHigh6
Deposit cash MediumHigh5
UsabilityMediumHigh5
SecurityMediumHigh5
Transfer funds MediumMedium4
Purchase stamps
HighLow4
Make a loan payment
LowMedium3
Check account balance
LowMedium3
PerformanceLowMedium3
34
Software Risk Analysis ProcessHow Should It Be Done
Step 9: Determine the "Cut Line“
To indicate the line below which features will not be tested )if any) or tested less .
In order to do that, it's necessary to estimate the amount of testing that is possible with
the available time and resources.
35
Table 6 "Cut Line" for ATM Features/Attributes
ATM Software Likelihood Impact Priority
Features Attributes
Withdraw cash HighHigh6To Be Tested
Deposit cash MediumHigh5
UsabilityMediumHigh5
Transfer funds MediumMedium4
Purchase stamps HighLow4
SecurityLowHigh4
Make a loan payment
LowMedium3Not to Be Tested (or tested less)
Check account balance
LowMedium3
PerformanceLowMedium3
36
Software Risk Analysis ProcessHow Should It Be Done Step 10: Consider Mitigation
The mitigation activities may require action by developers, users, testers, or others.
Risk mitigation helps reduce the likelihood of a failure, but does not affect the impact.
Table 7: Mitigated List of Priorities for ATM Features/Attributes
ATM Software Likelihood Impact Priority Mitigation
Features Attributes
Withdraw cash HighHigh6Code inspection
Deposit cash MediumHigh5Early prototype
UsabilityMediumHigh5Early user feedback
SecurityMediumHigh5
Transfer funds MediumMedium4
Purchase stamps HighLow4
Make a loan payment
LowMedium3
Check account balance
LowMedium3
PerformanceLowMedium3
38
22 ) )Planning Risks and Planning Risks and ContingenciesContingencies
Purpose: To determine the best contingencies in
the event that one of the planning risks occurs.
This is important because the scope and nature of a project almost always change as the project progresses.
The planning risks help us to do the "What if…" and develop contingencies.
3939