Determining how much software assurance is enough? A value-based approach

A classical problem facing many software projects is how to determine when to stop testing and release the product for use. We have found that risk analysis helps to address such "how much is enough?" questions by balancing the risk exposure of doing too little against the risk exposure of doing too much. In some cases, it is difficult to quantify the relative probabilities and sizes of loss in order to provide practical approaches for determining a risk-balanced "sweet spot" operating point. However, we have found some particular project situations in which tradeoff analysis helps to address such questions. In this paper, we provide a quantitative approach based on the COCOMO II cost estimation model and the COQUALMO quality estimation model. We also provide examples of its use under the differing value profiles characterizing early startups, routine business operations, and high-finance operations in marketplace competition situations. We also show, based on some empirical results, how the model and approach can assess the relative payoff of value-based testing compared to value-neutral testing. Furthermore, we propose a way to perform cost/schedule/reliability tradeoff analysis using COCOMO II to determine the appropriate software assurance level in order to finish the project on time or within budget.
