Abstract—Despite the various methods that exist for software risk
management, software projects still fail at a high rate. As the
complexity and size of a project grow, managing its development
becomes more difficult, and the need for thorough analysis and risk
assessment becomes vital. In this paper, a classification of software
risks is specified. The relations between these risks are then
presented using a risk tree structure. Analysis and assessment of the
risks are carried out with probabilistic calculations. This analysis
supports both qualitative and quantitative assessment of the risk of
failure and can assist the software risk management process. The
classification and risk tree structure can be applied in software
tools.
Keywords—Risk analysis, Risk assessment, Risk classification,
Risk tree.
I. INTRODUCTION
SOFTWARE Project Management (SPM) has become a
critical task. It involves the management of all issues
involved in the development of a software project, namely scope
and objective identification, evaluation, planning, project
development methods, software effort and cost estimation,
activity planning, monitoring and control, risk management
and resource allocation [1, 2, 3].
Software projects face many risks in their lifecycle. A risk is
any potential situation or event that could negatively affect a
project's ability to succeed. A risk is an exposure to loss or injury, or a
factor, thing, element, or course that involves uncertain
danger [4, 19, 20]. The Project Risk Management Institute has
developed guidelines for risk management. These guidelines
include risk management planning, risk identification,
qualitative risk analysis, quantitative risk analysis, risk
response planning and risk monitoring and tracking. For each
step, it defines inputs, tools, techniques and outputs [21].
Software risk management is a part of SPM. It is very
important for software projects. Software risk management
steps were presented by Barry Boehm [5] and consist of two
primary steps. The first one is risk assessment and the second
is risk control. Risk assessment involves risk identification,
risk analysis and risk prioritization. Risk identification
produces a list of the project risk items using several
techniques [6, 7, 8]. Risk analysis assesses the loss probability
and loss magnitude for each identified risk, and risk
prioritization produces a ranked ordering of the risk items
identified and analyzed. Various methods exist for risk
analysis [3]. The risk management cycle represents the basic
activities, processes and main flows of information between
them [9]. In this paper, however, we concentrate on risk analysis
and assessment.
H. Hoodat is a Master of Science student in the department of computer
engineering, Qazvin Azad University, Iran (e-mail: h_hoodat@ qazviniau.ac.ir).
H. Rashidi is an assistant professor in the department of computer engineering,
Qazvin Azad University, Iran (e-mail: XXXXXXXXXX).
This paper is organized as follows: in section II software
risk management is discussed. In section III classifications of
software risks are presented. In section IV, the structure of the
risk tree and its probabilistic calculations are introduced. In
section V risk tree structures for software engineering risks
are presented. The conclusions are given in section VI.
II. SOFTWARE RISK MANAGEMENT
There are many concepts in software risk management
[6, 7, 8, 9]. In this section we discuss only those cases and
processes of software risk management that are required for
our structure.
A. Risk Index
As risks are identified, they can be categorized by impact
(I) and likelihood of occurrence (LO). When these two factors
are multiplied, risks can be characterized as high, medium, or
low. A risk is prioritized within a risk index (RI) by a single
measure that determines its importance to the project and the
relative visibility, response and reporting required. This index
is necessary for the prioritization of risks [6, 19].
B. Risk Analysis
There are a few well-known types of risk analysis that can
be used [21]. In software engineering, risk analysis is used to
identify the high-risk elements of a project. It provides ways
of documenting the impact of risk mitigation strategies. Risk
analysis has also been shown to be important in the software
design phase to evaluate the criticality of the system, where risks
are analyzed and necessary countermeasures are introduced
[13]. The purpose of risk analysis is to understand risk better
and to verify and correct its attributes. A successful analysis
includes essential elements such as problem definition, problem
formulation and data collection [14].
C. Risk Assessment
Risk assessment incorporates risk management and risk
analysis. Many risk assessment methodologies exist [15] that
Classification and Analysis of Risks in Software Engineering
Hooman Hoodat and Hassan Rashidi
World Academy of Science, Engineering and Technology
International Journal of Computer, Electrical, Automation, Control and Information Engineering Vol:3, No:8, 2009
International Scholarly and Scientific Research & Innovation, scholar.waset.org/1999.4/9245
focus on different types of risks. Risk assessment requires
correct descriptions of the target system and all its security
features. For an assessment to be useful, a risk referent level
must be defined. For most software projects, performance,
cost, support and schedule also represent risk referent levels
[6, 8].
III. RISK CLASSIFICATION
The primary purpose of classifying risk is to get a
collective viewpoint on a group of factors, which helps
managers to identify the group that contributes the most
risk. A scientific way of approaching risks is to classify them
based on risk attributes. Risk classification is an economical
way of analyzing risks and their causes by grouping similar
risks together into classes [21].
Software risks can be internal or external. Internal
risks come from risk factors within the organization. External
risks come from outside the organization and are
difficult to control. Software risks can be grouped into project
risks, process risks, and product risks. This classification
system can easily be applied to internal risks [16, 17, 18].
Risks can be divided into three general types [22]: project,
business, and technical risks. Software development risks
can also be classified into three classes: product engineering,
development environment and program constraints. Another
grouping of software risks distinguishes scheduling risks and
quality risks. In addition, risks can be categorized into
performance risks, cost risks, support risks and schedule risks
[6]. In general, there are many risks in software
engineering, and it is very difficult or impossible to identify all of
them.
A. Classifying Software Risks
In this section software engineering project risks are
categorized. Software project risks can affect requirements,
scheduling, cost, quality and business. Therefore,
classification on the basis of these groups can be done. Tables
I to V present these classifications. These risks were collected
from studies and from experience in projects.
TABLE I
SOFTWARE REQUIREMENT RISKS
Lack of analysis for change of requirements
Change extension of requirements
Lack of report for requirements
Poor definition of requirements
Ambiguity of requirements
Change of requirements
Inadequate requirements
Impossible requirements
Invalid requirements
TABLE II
SOFTWARE COST RISKS
Lack of good estimation in projects
Unrealistic schedule
The hardware does not work well
Human errors
Lack of testing
Lack of monitoring
Complexity of architecture
Large size of architecture
Extension of requirements change
The tools do not work well
Personnel change
Management change
Technology change
Environment change
Lack of reassessment of management cycle
TABLE III
SOFTWARE SCHEDULING RISKS
Inadequate budget
Change of requirements
Extension of requirements change
Human errors
Inadequate knowledge about tools
Inadequate knowledge about techniques
Long-term training for personnel
Lack of employment of manager experience
Lack of enough skill
Lack of good estimation in projects
Lack of accurate system domain definition
Lack of goals specification
Difficulty of implementation
Disagreement between members
Lack of tools
Shortage of personnel
Tools failure
Technology change
Lack of agreement between customer and developer
Slow management cycle
Supply of budget at an inappropriate time
Environment change
Lack of a good guideline
TABLE IV
SOFTWARE QUALITY RISKS
Inadequate documentation
Lack of project standard
Lack of design documentation
Inadequate budget
Human errors
Unrealistic schedule
Extension of requirements change
Poor definition of requirements
Lack of enough skill
Lack of testing
Lack of good estimation in projects
Inadequate knowledge about techniques
Lack of employment of manager experience
Lack of accurate system domain definition
The simulator is to be destroyed
Lack of reassessment
Inadequate knowledge about programming language
Inadequate knowledge about tools
The hardware does not work well
Lack of analysis for change of requirements
The tools do not work well
Loss of technical equipment
Lack of stability between personnel
Personnel change
Weakness of management
Lack of commitment
Disagreement between members
Ambiguity of requirements
Complexity of architecture
Incomplete requirements
Lack of roles and responsibilities definition
Inadequate training of personnel
Management change
Technology change
Lack of collaboration between developers
Environment change
Lack of a good guideline
TABLE V
SOFTWARE BUSINESS RISKS
Products that no one wants
Products that do not fit the overall strategy
Products that sellers do not know how to sell
Failure in total budget
Failure in commitment
Failure in management because of changes of personnel
IV. RISK TREE
Risk tree analysis and assessment can simply be described
as an analytical technique. It is a graphical model of the various
combinations of risks that result in the occurrence of a
predefined undesired event. To analyze using a risk tree, it is