Software Development Risk Management Model- a goal-driven approach Shareeful Islam Lehrstuhl fur¨ Software & Systems Engineering Institut fur¨ Informatik Technische Universitat¨ Munchen¨ Technische Universitat¨ M ¨unchen Institut f ¨urInformatik Lehrstuhl fur¨ Software & Systems Engineering Software Development Risk Management Model- a goal-driven approach Shareeful Islam Vollstandiger¨ Abdruck der von der Fakultat¨ fur¨ Informatik der Technischen Uni- versitat¨ Munchen¨ zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften (Dr. rer. nat.) genehmigten Dissertation. Vorsitzender: Univ.-Prof. Dr. Hans Michael Gerndt Prfer der Dissertation: 1. Univ.-Prof. Dr. Dr. h.c. Manfred Broy 2. Univ.-Prof. Dr. Martin Bichler Die Dissertation wurde am 11.11.2010 bei der Technischen Universitat¨ Munchen¨ eingereicht und durch die Fakultat¨ fur¨ Informatik am 25.03.2011 angenommen. Abstract Every software project by its inherent nature is unique and contains significant numbers of uncertainties from various perspectives such as time-to-market, bud- get and schedule estimation, product deployment or maintenance. If failing to control these uncertainties, it imposes potential risks not only during the devel- opment phases but also throughout the life cycle of the product. Software risk management is an effective tool to control these risks and contributes to increase the likelihood of project success. Risk management needs to be integrated as early as possible from a holistic perspective into the development. However a compre- hensive risk management practice is not always possible due to resource problems, more emphasize on budget and schedule constraints and difficulties to concretely estimate the benefit of risk management. This thesis proposes a Goal-driven Software Development Risk Management Model (GSRM) that explicitly integrates into the requirements engineering phase. The in- tegration provides an early warning of potential problems so that both preventive and corrective actions can be undertaken to avoid the causes of project failure. The framework is comprised of four layers, i.e., goal, obstacle, assessment and treat- ment, that support the identification, assessment, treatment and documentation of risks in relation to project-specific goals. GSRM is implemented in active on-going software development projects to empirically evaluate its usefulness, particular advantages and limitations in an industrial context. The results show that goal- driven approach is suitable for risk management and risk management is well in- tegrated into requirements engineering phase. It is not always necessary to rank budget and schedule related goals and risk factors at the highest priority for risk management. At the early stage of the project risk factors related to estimation, project management, project scope, requirements, change management and hu- man (i.e. customer/user and practitioner) and at the later stage risk factors related to user satisfaction and product usage are more frequent and severely affect meet- ing the project goals. If project risk factors are beyond the control of a project manager and project development environment, it is difficult to control the risks. The results conclude that early risk management practice is necessary and GSRM contributes to this direction for a successful project outcome. Zusammenfassung Jedes Software-Entwicklungsprojekt ist einzigartig und gepragt¨ von schwer plan- baren Einflussfaktoren, wie time-to-market oder Budget, aber auch von Einflussen¨ resultierend aus der Integration und der Wartung. Die Beherrschung dieser Ein- flussgroßen¨ ist unabdingbar fur¨ die Minimierung der Risiken wahrend¨ der En- twicklung als auch wahrend¨ des gesamtem Software-Lebenszyklus. Software Risikomanagement stellt ein effektives Mittel zur Risikobeherrschung dar. Haufig¨ ist ein umfassendes Risikomanagement jedoch aufgrund fehlender Ressourcen oder fehlendem Domanenwissen¨ nicht realisierbar. Idealerweise muss Risikoman- agement aber in den gesamten Entwicklungsprozess integriert sein, insbesondere auch in die ersten Phasen der Enwicklung. Der Beitrag der Dissertation ist ein Modellierungsframework zum Risikomanage- ment. Wir schlagen einen zielbasierten Ansatz vor (Engl: Goal-driven Software Development Risk Management Model (GSRM)) und integrieren diesen in die er- ste Phase des Entwicklungprozess, in das Requirements Engineering. Diese In- tegration tragt¨ dazu bei, fruhzeitig¨ potentielle Probleme zu erkennen und diese in Form von korrigierenden Maßnahmen zu umgehen. Das Framework gliedert sich in vier Abstraktionsebenen, i.e., goal,obstacle, assessment and treatment, die eine methodische Handlungsrichtlinie zur Identifikation, Dokumentation und Be- handlung von Risiken in Zusammenhang mit Zielen unterstutzt.¨ Die Integration der Ziele fuhrt¨ insbesondere zu nachvollziehbaren und reproduzierbaren Spezi- fikationsdokumenten. Die Tragfahigkeit¨ des Ansatzes wird in Fallstudien unter Einbeziehung laufender Software-Entwicklungsprojekte hinsichtlich Anwendbarkeit und seiner Vor- und Nachteile evaluiert. Die Ergebnisse werden sowohl die Integrationsfahigkeit¨ des Ansatzes in das Requirements Engineering, als auch seine Anwendbarkeit aufzeigen. Wir werden Beobachtungen darlegen, dass das Risikomanagement unmittelbar durch die fehlende Einbindung des Projektmanagers in Projektinhalte erschwert wird, und dass der Projektkontext, wie auch die Projektkomplexitat¨ die Risiken gleichermaßen beeinflussen, unabhangig¨ von der ursprunglichen¨ Risikoeinschatzung¨ des Projektes. Wir schließen die Arbeit mit einer Zusammenfassung der Ergebnisse, stellen die Relevanz eines fruhzeitigen¨ Risikomanagements dar und belegen, wie wir mit dem Beitrag dieser Dissertation dieses Risikomanagement unterstutzen.¨ Acknowledgments It is very difficult to manage a funded PhD research from Bangladesh specifically in the field of software engineering. I am very grateful to the scholarship agency DAAD(German Academic Exchange Service) for giving me an opportunity to pur- sue my PhD study in a country like Germany. I would like to thank Prof. Manfred Broy for giving me the opportunity to work in a challenging and competitive re- search environment and support me in all aspects during the course of the disser- tation. His support and critical comments made this work much better. I also want to thank Prof. Dr. Martin Bichler for co-supervising this thesis and providing me time to discuss the updated status of the thesis. I would like to thank Siv Hilde Houmb, Telenor GBD& R, & SecureNOK Ltd., Norway for her continuous support throughout the work on my dissertation. She helped me all the way to complete this dissertation from her long experienced as a risk expert in the industry. I would also like to thank Axel van Lamsweerde and Robert Darimont for their valuable suggestion to work with KAOS goal modeling language for risk manage- ment and permit me to use KAOS goal modeling tools Objectiver version 2. During my research work, I had collaborations with Jan Jurjens¨ from Technis- che Universitat¨ Dortmund & Fraunhofer-Institute for Software- and Systems- Engineering (ISST) , Haris Mouratidis from University of East London, Kurt Schneider and Eric Knauss from Leibniz Universitat¨ Hannover and Stefan Wag- ner and Daniel Mendez-Fernandez from Technische Universitat¨ Munchen.¨ And with whom I published several research papers in the direction of this disserta- tion. Jan Jurjens¨ also gave me useful insights about how to do research and how to write papers. I would like to thank all of them. There are several persons that read (parts of) my dissertation and provided me very useful comments: Alarico Campetelli, Dmitriy Golubitskiy, Daniel Ratiu Maximilian Irlbeck , Philipp Neubeck from TUM Germany, Siv Hilde Houmb from SecureNOK Ltd. Norway. Thanks all of you. My stay at the chair was made much easier by: Silke Muller,¨ Eleni Nikolaou-Weiss, Marina Franke, Philipp Neubeck who solved my problems all the time when I appeared in front of them. Thanks all of you. Above all, I want to thank my parents, brother, especially my wife and our little son Maheer to support me while I was struggling to do my research and for giving me the greatest joy of my life. At the end, I would also like to thank all the faculty members and stuff of Institute of Information Technology(IIT), University of Dhaka, Bangladesh for a wonderful time and every support before starting my PhD work. Contents 1 Introduction1 1.1 Background and Motivation........................1 1.2 Problem Domain..............................2 1.2.1 Overall Goals of the Thesis....................3 1.2.2 Research Question.........................3 1.3 Research Contribution...........................4 1.4 The Approach................................5 1.5 Empirical Evaluation............................6 1.6 Structure of the Thesis...........................7 2 Fundamentals and Related Work 11 2.1 Basic Concepts................................ 11 2.1.1 Software Risk............................ 12 2.1.2 Risk Event and Likelihood..................... 12 2.2 Risk Management in Software Project.................. 13 2.2.1 Principals of Software Risk Management............ 14 2.2.2 Risk Management Frameworks.................. 15 2.2.3 Risk Management Standards................... 17 2.2.4 Current Practice of Risk Assessment............... 18 2.3 Study results on software risk management............... 19 2.3.1 Risk Factors............................. 19 2.3.2 Risk Factors in Global Software Development........