Premium Essay

Software Risks

In: Computers and Technology

Submitted By gfrimps100
Words 5776
Pages 24
Software Risk Management: Principles and Practices
BARRY W. BOEHM,

Defense Advanced Research Projects Agency

I) Identzhing and

dealing with risks early in development lessens long-tem costs and helps prevent so@are disasters. It is easy t o begin managing risks in your environment.

their early stages, the software field has had its share of project disasters: the software equivalents of the Beauvais Cathedral, the hWlS Titanic, and the “Galloping Gertie” Tacoma Narrows Bridge. The frequency of these software-project disasters is a serious concern: A recent survey of 600 firms indicated that 35 percent of them had at least one runaway software project.’ Most postmortems of these softwareproject disasters have indicated that their problems would have been avoided or strongly reduced if there had been an explicit early concern with identifylng and resolving their high-risk elements. Frequently, these projects were swept along by a tide of optimistic enthusiasm during their early phases that caused them to miss some clear signals of high-risk issues that proved to be their downfall later.

Enthusiasm for new software capabilities is a good thing. But it must be tempered with a concern for early identification and resolution of a project’s high-risk elements so people can get these resolved early and then focus their enthusiasm and energy on the positive aspects of their product. Current approaches to the software process make it too easy for projects to make high-risk commitments that they will later regret: The sequential, document-driven waterfall process model tempts people to overpromise software capabilities in contractually binding requirements specifications before they understand their risk implications. The code-driven, evolutionary development process model tempts people to say, “Here are some neat ideas I’d like to s put into t h ~ system. I’ll...

Similar Documents

Premium Essay

It Software Risk

...IT Software Risk Management What is Risk? In order to manage risks we have to understand what a risk is. In my view the best definition is that given by Larry Krantz. According to Robert Tusler (1996) Larry basically defines a risk as “a combination of constraint and uncertainty”. Every project will face constraints, and also uncertainty. The solution on over coming any type of obstacles is to minimize the risk in the project either by eliminating constraints or by finding and reducing uncertainty. The Internet Company Software System A few years back my company, The Internet Company, decided to set up a new software that would combine all department software’s into one. The ultimate goal of this project was to make sure that information was flowing correctly between the Human Resources Department, Payroll Department, and our company home office software. Like Larry Krantz stated every project is going to face some type of risks. The first step in risk management is to identify the possible risks and to assess the consequences of the risks. This is an important step, as one must identify the project risk inputs. Risk assessment identifies existing risks, analyzes risks, and then orders them in a priority from highest to lowest. Identifying and Prioritizing Risks The main technique that was used in other to identify risk was looking at historical data from one of our subsidiaries that had just completed a similar project. This helped us get a basic idea of what......

Words: 745 - Pages: 3

Premium Essay

Ethan Berman at Riskmetrics Group (a)

...companies and business which requires an efficient and low-cost execution of risk analysis. Their business model was based on short-term software leasing. The company leased clients a CD containing a risk management application priced at $30000 annually per user and was password protected, after that clients paid by the month for the new password. Organizational Structure Since RiskMetrics Group was a new company, that formerly was a subsidiary of J.P Morgan, Berman used FLAT organizational structure. There were pro’s and con’s by using this kind of organizational structure: Competitive Advantage One of the major competitive advantage of RMG is its payment method. They use leasing payment method to attract costumer and make the costumer financial burden lighter. II. TIME LINE Early 90’s The RiskMetrics Group started as an in-house division of J.P. Morgan, the institutional investment bank. Dennis Weatherstone, chair of Morgan in the early 1990s, wanted a simple, concise daily report that measured the company’s proprietary risk at the end of each day. Why? Because the needs for accurate and clear measure of exposure to market volatilities. In the wake of such financial disasters such as Orange County, Barings, Daiwa and Showa Shell, banks and financial service firms recognized the need for accurate, clear measures of exposure to market volatility. The risk management tool known as value-at-risk, or VaR, grew out of this daily report. VaR attempted to answer the......

Words: 4595 - Pages: 19

Premium Essay

Crime

.......... Signature................................................................... Date..................... Supervisor: ............................................................... Signature.................................................................... Date..................... Table of Contents Declaration 2 CHAPTER 1 4 Introduction 4 1.0 Purpose 4 1.1 Roles and Responsibilities 5 1.2 Implementation Readiness Review 6 1.3 Operational Readiness Review 6 1.4 Demonstration of the software 6 CHAPTER 2 7 Plan for hardware procurement 7 2.0 Training 7 2.1 Hardware installation 8 2.2 Software installations 8 2.3 System installation 8 2.3 User /Operator Training 8 CHAPTER 3 9 Implementation 9 3.0 Live Running Trial 9 3.1 Phased Implementation (Modular) 9 3.2 Parallel Run 10 3.3 Direct 10 CHAPTER 4 11 Monitoring the Implementation process 11 4.0 Evaluation & Support 11 4.1 Cost of Software 11 List of Abbreviation 12 References 13 CHAPTER 1 Introduction 1.0 Purpose The Implementation Plan describes how the automated system/application will be installed, deployed and transitioned into an operational system or situation. The plan contains an overview of the system,...

Words: 2216 - Pages: 9

Premium Essay

Calculate the Window of Vulnerability

...discovered and recognized to pose a security risk. The discovery date is not publicly known until the public disclosure of the respective vulnerability. Exploit Time -is the earliest date an exploit for a vulnerability is available. We qualify any hacker-tool, virus, data, or sequence of commands that take advantage of a vulnerability as an exploit. Disclosure Time –is the first date a vulnerability is described on a channel where the disclosed information on the vulnerability is (a) freely available to the public, (b) published by trusted and independent channel and (c) has undergone analysis by experts such that risk rating information is included. Patch Time - is the earliest date the vendor or the originator of the software releases a fix, workaround, or a patch that provides protection against the exploitation of the vulnerability. Fixes and patches offered by third parties are not considered as a patch. A patch can be as simple as the instruction from the vendor for certain configuration changes. Note that the availability of other security mechanisms such as signatures for intrusion prevention systems or anti-virus tools are not considered as a patch in this analysis. Unfortunately, the availability of patches usually lags behind the disclosure of a vulnerability. The time between each of these areas or, the vulnerability’s lifecycle is divided into 3 risk areas. These areas are shown and explained below. Black Risk (exogenous) During the time from......

Words: 603 - Pages: 3

Premium Essay

No Paper

...technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.[2] This practice generally refers to software vulnerabilities in computing systems. A security risk may be classified as a vulnerability. The use of vulnerability with the same meaning of risk can lead to confusion. The risk is tied to the potential of a significant loss. Then there are vulnerabilities without risk: for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability — a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled—see zero-day attack. Security bug (security defect) is a narrower concept: there are vulnerabilities that are not related to software: hardware, site, personnel vulnerabilities are examples of vulnerabilities that are not software security bugs. In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and......

Words: 741 - Pages: 3

Premium Essay

Information Security Strategy and Architecture

...INFORMATION SECURITY STRATEGY AND ARCHITECTURE The path for risk management and the security panels consumed by a corporation are offered by information security strategy and architecture, which is very important to any companies and organizations. The security architecture would need to define the way that obligation would be accomplished in the numerous regions of the corporate. Furthermore, the security architecture must report past activities that have affected the company’s information properties. These incidences designate areas that may need larger safekeeping controls. Fresh intimidations may compel differences in the security design and supplementary controls. The safekeeping design must also integrate with the current technology substructure and postulate assistance in inaugurating the appropriate risk controls needed for the corporate to accomplish its business firmly. Its purpose is significant in proposing risk management for the foundation and for organizing the controls that diminish that hazard. A safety package is not an occurrence management guides those particulars what transpires if a security break is noticed. It takes a usual method that labels in what way part of corporation is tangled in the package. A decent safety package delivers the immense copy in what way to retain corporation's facts protected. It designates in what way the package regularly will be re-evaluated and rationalized, and when we will measure compliance with the program.......

Words: 1510 - Pages: 7

Premium Essay

Basis

...Sarbanes-Oxley Act (SOX) – Passed in 2002, the SOX requires publicly traded companies to submit accurate and reliable financial reporting. This law does not require securing private information, but it does require security controls to protect the confidentiality and integrity of the reporting itself. Gramm-Leach-Bliley Act (GLBA) – Passed in 1999, the GLBA requires all types of financial institutions to protect customers’ private financial information. Health Insurance Portability and Accountability Act (HIPAA) – Passed in 1996, the HIPAA requires health care organizations to secure patient information. Children’s Internet Protection Act (CIPA) – Passed in 2000, CIPA requires public schools and public libraries to use an Internet safety policy. The policy must address the following: * Children’s access to inappropriate matter on the internet. * Children’s security when using e-mail, chat rooms, and other electronic communications. * Restricting hacking and other unlawful activities by children online. * Disclosing and distributing personal information about children without permission. * Restricting children’s access to harmful material. Family Education Rights and Privacy Act (FERPA) – Passed in 1974, FERPA protects the private data of students and their school records. Federal Information Security Management Act (FISMA) – Passed in 2002, the FISMA requires federal civilian agencies to provide security controls over resources that support federal......

Words: 1342 - Pages: 6

Premium Essay

Apple Inc. Understanding Client's Business

...materiality, but also to determine the client’s business risks and their potential translation to the financial statements. Every industry has inherent risks and there are many factors that contribute to the increase of these risks as described in AU-C §315.A18; however, Computer and Software industry has been well known as a “leader” of high risk industries ranking No. 1 on “Restatement Activity Across Industries” study published by the Center for Audit Quality in Financial Restatement Trends in the United States: 2013 – 2012 report. High technology industry is exceptionally competitive as it demands constant innovation, change, and differentiation. Participants are pressured to “move quickly or move out”; classic example is Blackberry that was once the leader in the smartphone business, but quickly perished as its competitors took over. From a financial reporting standpoint, this industry is particularly controversial because of the profusion of its intangible assets, research and development expenditures, and revenue recognition complexity, and perhaps after Blackberry, going concern principle. The leading company in this risky industry today is Apple, Inc. By operating in the Computer and Software industry, Apple is prone to the inherent business risks related to its industry, and some to the company itself, and is therefore, from an audit standpoint, a high business risk company. There are three business risks related to Apple in particular that contribute...

Words: 931 - Pages: 4

Premium Essay

Security Risk Management Plan

...SECURITY RISK MANAGEMENT PLAN Prepared by Jeremy Davis Version control Project title | Security Risk Management Plan Draft | Author | Jeremy Davis | VC | 1.0 | Date | 25/10/10 | Contents Executive summary 4 Project purpose 5 Scope of Risk management 5 Context and background 5 Assumptions 5 Constraints 5 Legislation/Standards/Policies 6 Risk management 6 Identification of risk 7 Analysis of risk 8 Risk Category 9 Review of Matrix 9 Action plan 9 Testing Procedures 11 Maintenance 11 Scheduling 11 Implementation 12 Training 12 Milestones 12 Monitoring and review 13 Definition 13 Authorisation 14 Reference 15 Executive summary A Security Risk Management Plan (SRMP) helps CBS by providing specific guidelines and rules to ensure risk management is considered and included. It provides guidelines for its implementation that can minimise the threats by planning, policies, processes and procedures that can help your business get everything back to normal as soon as possible. This SRMP was designed for the guidelines for its implementation of risk management in CBS and in its operations in order to ensure its security and safety of its staff and assets. Throughout this SRMP it identifies threats, procedures, policies, responsible person and etc which will provide you and your staff information to prepare you with the worst disaster event. Every business these days has a SRMP in case of any events which may occur,...

Words: 2028 - Pages: 9

Premium Essay

Adware

...Caleb Olumuyiwa N/T 2580 Introduction To Information Security Week 2 A ssigment Define Key Terms. Adware | A software program that collects infor- mation about Internet usage and uses it to present targeted advertisements to users. Asset | Any item that has value to an organization or a person. Attack | An attempt to exploit a vulnerability of a computer or network component Backdoor | An undocumented and often unauthor- ized access method to a computer resource that bypasses normal access controls. Black-hat hacker | A computer attacker who tries to break IT security for the challenge and to prove technical prowess. Cookie | A text file sent from a Web site to a Web browser to store for later use. Cookies contain details gleaned from visits to a Web site Cracker | A computer attacker who has hostile intent, possesses sophisticated skills, and may be interested in financial gain. Dictionary attack | An attack method that takes all the words from a dictionary file and attempts to log on by entering each dictionary entry as a password. Disclosure | 1. Any instance of an unauthorized user accessing protected information. 2. Refers, under HIPAA, to how a covered entity shares PHI with other organizations. Ethical hacker | An information security or network professional who uses various penetration test tools to uncover or fix vulnerabilities. Also called a white-hat hacker. Firewall | A program or dedicated hardware device that inspects network traffic passing......

Words: 1378 - Pages: 6

Premium Essay

Some Cable

...that a vulnerability is found and known to pose a security risk. 2. Exploit Time is the earliest date an exploit for a vulnerability is available. 3. Disclosure Time is the time to make security information available to the public in a standardized, understandable format. The publishing channel must satisfy the following requirements: a. Free Access: the information must be made to the public free of charge. b. Independence: the information must be published by a widely accepted and independent source. c. Validation: the vulnerability has been analyzed by security experts & includes risk rating information. 4. Patch Time is the earliest date the vendor or the originator of the software releases a fix, workaround, or a patch that provides protection against the exploitation of the vulnerability. The time between each of these areas or, the vulnerability’s lifecycle is divided into three risk areas. Black Risk - during the time from discovery to disclosure, only a closed group is aware of the vulnerability. Gray Risk - during the time from disclosure to patch the user of the software waits for the vendor to issue a patch. White Risk - the time from patch availability to patch implementation, duration of this period is under direct control of the user of the software. Taking all of this into consideration, the Black-Risk would be 1 day, the Gray-Risk would be 3 days, and the White-Risk would last 7 days. Barring any unforeseen issues,......

Words: 289 - Pages: 2

Premium Essay

Weekly Summary

...Security Monitoring Activities Any company that considers data an asset must realize the importance of risk management. Managing risk helps a company identify vulnerabilities and allows actions to be taken to reduce or stop these vulnerabilities. Risk management is also helpful in the attainment of goals and higher profits by attempting to eliminate any risk that may cost the company extra money to rectify. This paper will discuss security monitoring activities that must be addressed for both internal information technology (IT) and electronic commerce (e-commerce) applications of an organization. The recommended course of action will also be discussed when potential risks have been identified. According to Bejtlich (2004), security monitoring is defined as the collection, analysis, and escalation of indicators and warnings to detect and respond to intrusions. Security monitoring is an important part of risk management for internal applications such as payroll, human resources, and inventory. Security monitoring should also be used in the risk management of external applications like sales and marketing. Security Monitoring Process Security monitoring should be considered and used as a routine task to monitor and analyze the use of the network. Failure to use security monitoring would indicate that an organization believes there are no credible risks to the network. This thought process could possibly lead to disastrous results for the organization......

Words: 1068 - Pages: 5

Premium Essay

International Guidance

...Memorandum To: Mr. Thomas Stearns, Project Manager, International Guidance and Controls From: Date: October 2, 2012 RE: Software Project for CARV Command and Guidance System _____________________________________________________________________ I have recently received and reviewed your memorandum regarding your issue with the Confined Aquatic Recovery Vehicle project. I have considered three options and their ability to save your company as much money as possible while completing this project in a timely manner. The three alternatives I considered were to immediately invest in hardware, to stay on your current path with the software developments only or to wait and reevaluate your situation in five months. Each of these scenarios has their benefits and risks and I would like to explain each of these in more detail. The intangible costs of your company’s reputation have also been considered and evaluated given that this is a concern of yours and a damaged reputation can dramatically effect your success. Analysis and Results: I have used a descriptive decision tree to analyze your situation. Using a decision tree to evaluate and depict your issue allowed me to weigh the different possible outcomes with their associated consequences and probabilities. There are three separate attachments I will be referring to throughout the discussion of my results. I used the probabilities given in your memorandum with the various costs associated with each option and......

Words: 894 - Pages: 4

Premium Essay

Aero Business Plan

...Aero Business Contingency Plan The risk register that was created for Aero identified eight risks that could affect the completion of Aero’s IT security software product that two of its developers are working on. The register identifies these risks and notes the responses that Aero should handle in order to lower the damage done to the company’s finances, relationships and employee wellbeing. This product and its release to US government agencies as well as international businesses is essential to Aero’s budget forecasts for the next year. The two developers who are working on the software live in the DC area and need constant communication as well as access to the internet to conduct coding of the software. Because they are both in the same location, it would be wise for Aero to establish a business contingency plan, or BCP. Should a natural disaster occur, Aero’s employees on the project as well as its US government based customers would be greatly affected. A BCP will address continuity of business and Aero growth in the event of a natural disaster. The areas of business continuity to be analyzed are • Pre-incident adjustments • Ethical use and protection of sensitive data • Ethical use and protection of customer data • Communication plan • Post-incident continuity Pre-Incident Adjustments The following functions are necessary for Aero to finish the coding of their software and release it on time, selling it to government entities. • Two......

Words: 1536 - Pages: 7

Premium Essay

Lab 5 Assessment Questions & Answers

...awareness & training policy impact an organization’s ability to mitigate risks, threats, and vulnerabilities? Security awareness training is a formal process for educating employees about computer security. A good security awareness program should educate employees about corporate policies and procedures for working with information technology (IT).  Employees should receive information about who to contact if they discover a security threat and be taught that data as a valuable corporate asset. 2. Why do you need a security awareness & training policy if you have new hires attend or participate in the organization’s security awareness training program during new hire orientation? An employee security awareness program can alleviate the problem of employee security breaches by clarifying why security is important. 3. What is the relationship between an Acceptable Use Policy (AUP) and a Security Awareness & Training Policy? An acceptable use policy (AUP) is a document that outlines a set of rules to be followed by users or customers of a set of computing resources, which could be a computer network, website or large computer system. Security awareness training is a formal process for educating employees about corporate policies and procedures for working with information technology. 4. Why is it important to prevent users from engaging in downloading or installing applications and software found on the Internet? There are hundreds of malicious......

Words: 717 - Pages: 3