An enhanced risk identification and assessment model to improve software risk management / Ahdieh Sadat Khatavakhotan

Ahdieh Sadat, Khatavakhotan (2017) An enhanced risk identification and assessment model to improve software risk management / Ahdieh Sadat Khatavakhotan. PhD thesis, University of Malaya.

      Abstract

      In software development, the inability to define software requirements correctly and the underestimation of project cost and schedule often result in project failure. These causes are among the risks that are often overlooked or underestimated, along with their negative impact should they occur. Although there are many risk identification and assessment (RI&A) process models available today, these models have some weaknesses, such as the inability to identify potential risks and assess their impact accurately. Hence, this research proposes an enhanced risk identification and assessment model, E-RIAM, to address those weaknesses. E-RIAM incorporates five main enhancements that make it able to: i) identify a maximum of 20 potential major and moderate risks in each software development phase; ii) identify a maximum of 20 potential common major and moderate risks in the entire project; iii) prepare a list of potential software risks for each development phase; iv) provide a risk database that stores the potential, most serious, and common software risks; and v) use a Dynamic Verifier Core (DVC) team (i.e., a risk team with more than 20 years of experience in software risk management) to verify the list of risks that had been identified and assessed by the risk analysts. A support tool, Res-DVC, was also developed to facilitate the RI&A processes. To evaluate whether E-RIAM can improve the efficiency of the RI&A processes, two case studies were carried out on 40 medium-sized software projects to collect the data needed for the evaluation process. Two independent groups comprising one control group (i.e., Risk Team 1 and Risk Team 2 of the two case studies) and one treatment group (i.e., DVC1 and DVC2 of the two case studies) were used. Two hypotheses were formulated to evaluate E-RIAM. Hypothesis 1 tests the efficiency of the risk identification process, while hypothesis 2 tests the accuracy of the risk assessment process.
      Hypothesis 1 was tested using the Wilcoxon Signed Ranks Test. The results of the test show that E-RIAM can effect a significant improvement to the risk identification process. Two approaches were used to test hypothesis 2. The first approach compares the severity level (i.e., major, moderate, and minor) of the identified and materialised risks which had been assessed by the risk teams against the severity level of the corresponding risks (i.e., data given by the software company). The total number of matching risks distributed according to the three severity levels was compiled and analysed. The outcomes show that the DVC teams were able to identify and assess more risks correctly when compared to the number of risks that were identified and assessed by the risk teams. The second approach compares and analyses the total number of risks that had materialised in both case studies (i.e., data given by the software company), but failed to be identified by both the risk teams and DVC teams. The results show that the DVC teams were able to identify and assess more risks correctly than the risk teams.

      Item Type: Thesis (PhD)
      Additional Information: Thesis (PhD) - Faculty of Computer Sciences & Information Technology, University of Malaya, 2017.
      Uncontrolled Keywords: Software risk management; Dynamic Verifier Core (DVC); Database; Software
      Subjects: Q Science > QA Mathematics > QA76 Computer software
      Divisions: Faculty of Computer Science & Information Technology
      Depositing User: Mr Mohd Safri Tahir
      Date Deposited: 26 May 2017 14:21
      Last Modified: 12 Jun 2020 08:14
      URI: http://studentsrepo.um.edu.my/id/eprint/7386
