MSDN Magazine - January 2009 - (Page 44)

Figure 5 Expected Value Risk Analysis

Risk   Probability   Loss     Exposure
A      0.70          $1,000   $700
B      0.20          $3,000   $600
C      0.40          $2,000   $800
D      0.10          $9,000   $900

tion process among several people by assigning different people to different taxonomy questions. On the negative side, using taxonomies for risk identification can be very time consuming. Also, taxonomies are, by their nature, generic and so they cannot identify risks that are specific to your software system unless you put in the effort to discover these specific risks.

Compared to taxonomy-based risk identification, an advantage of a scenario-based approach is that it tends to be less generic and forces you from the beginning to be more definite. On the other hand, scenario-based risk identification is somewhat more art than science and you can easily miss a key scenario. Specification-based risk identification is usually the least generic, most specific approach. However, a specification-based approach will yield results only as good as your specification documents. When used together, the three approaches give you a good chance of accurately identifying your software risks.

Risk Analysis

Risk analysis is the process of combining the probability (or likelihood) of a risk event with the monetary loss (or negative effect) that occurs if the event happens, to produce a value that can be used to compare and prioritize the risk against other risks. In this section, I present two older approaches to risk analysis (the expected value technique and the categorical technique), and one new approach called PERIL.

Let’s look at the expected value technique first. Take a look at the example shown in Figure 5. Suppose you have identified four risk events. Let’s call them Risk A, Risk B, Risk C, and Risk D. You assign probabilities to each risk event. A probability is a number between 0.00 (meaning impossible) and 1.00 (meaning certainty) that indicates how likely the event is.
Next, you assign a monetary loss value to each risk event, which is the cost to you if the risk event occurs. Now for each risk event you simply multiply the risk’s probability and the risk’s loss to get the risk exposure. Using this method, risk exposure is just a form of expected value.

Obviously, there are several major problems with the expected value approach. How can you estimate risk probabilities? How can you estimate a risk loss? In some situations you may have good historical data or experience to base your estimates upon, but this is generally a rare situation when creating software. Based on my experience, the expected value approach to risk analysis is often not feasible in a software development environment.

Because it is difficult or even impossible in many software development environments to estimate the probability of a risk event or its associated loss, a common alternative is to use categorical scales for both risk probability and risk loss. This is the categorical technique. An example will make the idea clear. Suppose you have identified four risks, A, B, C, and D. Now instead of guessing at a probability and a loss for each risk, you generate a categorical risk exposure table like the one shown in the top part of Figure 6.

As you can see, I have a total of nine categories of risk exposure. There are three categories of risk probability—Low, Medium, and High. There are three categories of loss—also Low, Medium, and High. The cross product of probability category and loss category yields nine risk exposure categories, from Low-Low (low probability of a low loss) through High-High (high probability of high loss). Now I can look at each of my four risk events, assign a Low, Medium, or High probability, and then a Low, Medium, or High loss, to yield a nine-point risk exposure. The idea is that it is often more reasonable to assign a probability value of “Low” instead of an exact numeric value like 0.05 for example.
The hypothetical data in the table in the bottom part of Figure 6 suggest that Risk B has the highest exposure and may warrant more attention or resources (including testing) than Risk A, which has the lowest exposure.

Although a categorical risk analysis approach somewhat eases the problem of assigning difficult or impossible-to-determine probabilities and loss information, the technique introduces new problems. Notice that I arbitrarily use three categories for both probability and loss. This is a very coarse approach. But suppose I decide to improve my risk analysis by using five categories for both the probability factor and the loss factor: Very Low, Low, Medium, High, and Very High. Now I would end up with a total of 25 risk exposure categories—(Very Low + Very Low) through (Very High + Very High). How would I rank or compare these 25 exposure values? Just how does a (Very Low + High) risk exposure compare to a (High + Medium) exposure? If multiple people are evaluating your categorical risk exposure data, would they interpret the exposure data in the same way?

To address the problems with a purely categorical risk analysis approach, several years ago I developed a technique I call Project Exposure using Ranked Impact and Likelihood (PERIL). The essence of the idea is to use categories (as in the categorical approach) but convert them into a quantitative scale so they can be easily combined (as in the expected value approach) to produce numeric exposure metrics.

Figure 6 Categorical Risk Analysis

            Probability High   Probability Med   Probability Low
Loss High   High+High          Med+High          Low+High
Loss Med    High+Med           Med+Med           Low+Med
Loss Low    High+Low           Med+Low           Low+Low

Risk   Probability   Loss     Exposure
A      Low           Medium   Low+Medium
B      High          High     High+High
C      Medium        Medium   Medium+Medium
D      Medium        High     Medium+High
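The ranking problem raised above for categorical exposure can be made concrete. The following is an added example, not code from the article and not the PERIL technique: it assumes the only ordering a purely categorical table supports is dominance (one cell is at least as high as another on both probability and loss), and the function names are hypothetical.

```python
from itertools import combinations, product

# Categories as named in the article, ordered from lowest to highest.
SCALE_3 = ["Low", "Medium", "High"]
SCALE_5 = ["Very Low", "Low", "Medium", "High", "Very High"]

# Bottom table of Figure 6: risk -> (probability category, loss category).
FIGURE_6 = {
    "A": ("Low", "Medium"),
    "B": ("High", "High"),
    "C": ("Medium", "Medium"),
    "D": ("Medium", "High"),
}

def compare(a, b, scale):
    """Dominance comparison of two (probability, loss) cells.
    Returns 1 if a is at least as high as b on both axes, -1 for the
    reverse, 0 if the cells are equal, None if they cannot be ordered."""
    pa, la = scale.index(a[0]), scale.index(a[1])
    pb, lb = scale.index(b[0]), scale.index(b[1])
    if (pa, la) == (pb, lb):
        return 0
    if pa >= pb and la >= lb:
        return 1
    if pa <= pb and la <= lb:
        return -1
    return None  # higher on one axis, lower on the other

def incomparable_pairs(scale):
    """All pairs of exposure cells that dominance alone cannot rank."""
    cells = list(product(scale, repeat=2))
    return [(a, b) for a, b in combinations(cells, 2)
            if compare(a, b, scale) is None]

def rank_if_total(risks, scale):
    """Risk names ordered highest exposure first, or None when some pair
    of risks cannot be ordered without extra assumptions."""
    if any(compare(a, b, scale) is None
           for a, b in combinations(risks.values(), 2)):
        return None
    def score(name):
        # Index sum agrees with dominance once every pair is comparable.
        prob, loss = risks[name]
        return scale.index(prob) + scale.index(loss)
    return sorted(risks, key=score, reverse=True)

if __name__ == "__main__":
    print(rank_if_total(FIGURE_6, SCALE_3))
    print(compare(("Very Low", "High"), ("High", "Medium"), SCALE_5))
    print(len(incomparable_pairs(SCALE_3)), len(incomparable_pairs(SCALE_5)))
```

The Figure 6 risks happen to be fully ordered by dominance, which is why the table can name a highest and a lowest exposure; the five-category scale leaves many cell pairs, including the (Very Low + High) versus (High + Medium) case, with no defined order.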