Economics of Risk and

Uncertainty
The Art of War
“The purpose of war is peace.”
“To fight and conquer is not supreme
excellence; supreme excellence is to
subdue the enemy without fighting.”
“In peace prepare for war,
in war prepare for peace.”
Sun Tsû, The Art of War, ~496BCE, Translated by Lionel Giles, 1910
Murphy’s Law in Software
Murphy
1. If anything can go wrong, it will
2. Things go wrong at the worst possible time
3. Everything takes longer than it should
Risk Management
Risk management is concerned with identifying
risks and drawing up plans to minimise their effect
on a project.
A risk is a probability that some adverse
circumstance will occur
– Project risks affect schedule or resources;
– Product risks affect the quality or performance of the
software being developed;
– Business risks affect the organisation developing or
procuring the software.
– Sommerville 2004
Risk defined
• A risk is any threat to the achievement of one or
more of the cardinal aims of the project Ould, 1999

• Risks are negative outcomes that have known or

estimated probability of occurrence based on
experience or some theory
• Uncertainties are negative outcomes that have
unknown probabilities because of lack of experience
or lack of theory Alter & Ginzberg, 1978

Uncertainty is difficult to manage, e.g. can you attach a

probability on an analysis team’s failure to understand user
requirements?
Examples of Software Project Risks
R isk Affects Description
Staff turnover Project E xperienced staff will leave the project before it is finished.
Management change Project T here will be a change of organisational management with
different priorities.
Hardware unavailability Project Hardware that is essential for the project will not be
delivered on schedule.
Requirements change Project and T here will be a larger numberof changes to the
product requirements than anticipated.
Specification delays Project and Specifications of essential interfaces are not available on
product schedule
Size underestimate Project and T he size of thesystem has been underestimated.
product
C AS E tool under- Product C AS E tools which support the project do not perform as
performance anticipated
Technology change Business T he underlying technology on which the system is built is
superseded by new technology.
Product competition Business A competitive product is marketedbefore the system is
completed.
Risks = Some Properties of…
1. Risk concerns future happenings
Will changing today's actions create a different, better, situation
tomorrow?
2. Risk involves change
Changes of mind, opinion, actions, places...

3. Risk involves choice and the

uncertainty that choice entails

Paradoxically, risk is one of the few certainties of

life
Managing Risks
“While it is futile to try to eliminate risk, and
questionable to try to minimise it, it is essential that
the risks taken be the right risks”
Peter Drucker, Management, Heinemann, 1975

“If you know the enemy and know yourself, you

need not fear the result of a hundred battles”
Sun Tzû, The Art of War, ~490BCE

Risk Management:
Identify and Assess the risks and then control
them
Risk management Process
Risk Management Tasks
Risk Assessment
• Risk Identification
• Risk Analysis
• Risk Prioritisation
Risk Control
• Risk Management Planning
• Risk Resolution
• Risk Monitoring
Risk Assessment
First step Identify the risks
Either by
–Source of risk (source analysis)
–Type of Threat (problem analysis)
Risk Identification
Identifying risks may depend on culture, industry practice and compliance.
Common risk identification methods are:
Objectives-based Risk Identification
Any event that may endanger achieving an objective partly or completely is
identified as risk. Objective-based risk identification is at the basis of COSO's
Enterprise Risk Management - Integrated Framework
Scenario-based Risk Identification
Different/Alternative scenarios are created and analysed. Any event that
triggers an undesired scenario alternative is identified as risk.
Taxonomy-based Risk Identification
The taxonomy in taxonomy-based risk identification is a breakdown of
possible risk sources. Taxonomy-based risk identification in software industry
can be found in CMU/SEI-93-TR-6.
Common-risk Checking
Each risk in a predefined list can be checked for application to a particular
situation. An example of known risks in the software industry is the Common
Vulnerability and Exposures list found at http://cve.mitre.org.
Risk Identification
Generic Risks
Common to all projects, covered by standard
development plan techniques
Project-specific Risks
Reflect a particular aspect of a given project.
Addressed by project specific management plans.
The most common project specific risks are
personnel shortfalls, unrealistic schedules and
budgets, inappropriate requirements, shortfalls in
external components and tasks, and technology
shortfalls or unknowns
Major Risks and Uncertainties of
System Development
• Technology risks.
• Development risks
• Requirements risks.
• Estimation risks.
• People risks.
• Organisational risks.
Risks and Risk types
Risk type Possible risks
Technology The database used in the system cannot process as many transactions per second as
expected.
Software components that should be reused contain defects that limit their functionality.
People It is impossible to recruit staff with the skills required.
Key staff are ill and unavailable at critical times.
Required training for staff is not available.
Organisational The organisation is restructured so that different management are responsible for the
project.
Organisational financial problems force reductions in the project budget.
Tools The code generated by CASE tools is inefficient.
CASE tools cannot be integrated.
Requirements Changes to requirements that require major design rework are proposed.
Customers fail to understand the impact of requirements changes.
Estimation The time required to develop the software is underestimated.
The rate of defect repair is underestimated.
The size of the software is underestimated.
Risk Identification- Threats
ITSEC Security Components:
• Loss of Availability (security)
unauthorised withholding of information or resources
• Loss of Integrity (accuracy)
unauthorised modification of information
• Loss of Confidentiality (privacy)
unauthorised disclosure of information
Oversimple? - consider security aspects of:
• Utility - focusing on usefulness of information
• Authenticity - Focusing on information being real and genuine for
intended purpose
• Possession - Focusing on the ownership or control of information
Primary Threats
Threats

Speculative Pure

Deliberate
Accidental
Social

Natural Technical Personnel Social

Hardware Software
Secondary Threats
classified by effects
Secondary Threat Type of Breach
Modification Integrity
Interruption
Removal Availability
Destruction
Disclosure Confidentiality
(of resources)
All Primary threats affect the assets in one or more of the above ways (secondary threats),
causing the indicated security breaches.
 Sources of Risk
Source Risks
Hardware Not installed when needed
Cannot do the job
Does not work as advertised
Installation not prepared in time
Installation requirements (e.g. air
conditioning, room-size, or
electrical) insufficient
Wiring not correct
Hardware delivered incorrectly
Hardware delivered with damage
Software Not installed when needed
Cannot do the job
Does not work as advertised
Contains ‘undocumented features’
that cause compromise on
application requirements
Vendor support inadequate
Resource requirements are over
budgeted, allocated amounts
Source Risks
Group Key person(s) quit, are promoted
elsewhere, go on jury duty,
have long-term illness
Skills level inadequate
Training not in time to benefit the
project
Project
Management Schedule not accurate
Budget not sufficient
Manager change
User
Quits, transfers, is replaced
Not co-operative
Not supportive
Does not spend as much time as
original commitment requested
Computer
Resources Test time insufficient
Test time not same as commitment
Inadequate disk space
Insufficient logon Ids
Insufficient interactive time