Software Engineering Project Management

Estimating, Planning and Risk

Reading Notes on Estimating Planning and Risk

Estimation

The Mythical Man Months, a book by Brooks (1975), provided a first study on project estimation. This book provides the following ecquation.

TC = Tp+Td+Tt+Ts

T is the total time allowed for the project

  • Tc = Time to complete the project.
  • Tp = Planning time (T/3).
  • Td = development time (T/6).
  • Tt = Testing time (T/6).
  • Ts = System test time (T/4).

Brooks (1975) also provides other 2 equations

  • Tc = MMn/N+(MMc/2)*N - Shows the time to completion equation, based on MMc = average no. of months effort per (programming) pair, MMn = no. of months effort required without communications overhead. This equation assumes you already know the number of developers (N) you will employ.
  • Nopt = 1.41*(MMn/MMc)½ - To calculate the optimum number of developers, use this equation.

COCOMO

Constructive Cost Model by Boehm (1981), it is based in number of lines of code

Presents 3 categories

Organic, semi detached , and embedded

Organic: Small teams, in-house, work on well defined projects
Semi detached: Depending on complexity or approach, it is intermediate to organic and embedded.
Embedded: Software and hardware complexity, operates within defined constraints

COCOMO is rarely used today.

Expert Judgement method

By far the most used estimation method. Based on previous experience, they produce estimates.

For new projects, it assumes an in-house set of developers, as well as the similarity with previous projects and how successful the previous project was.

Risk Management Frameworks

Open FAIR - a framework produced by the Open Group
The Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE). Framework standard created at Carnegie Mellon University (CMU)

The Process to Manage Risk

Campbell (2016) recommends the production of a risk register that collects and collates risks from as wide a variety of sources as possible, such as gathering data from:

  • Risk notification mailboxes (will need to be qualified and quantified)
  • Threat workshops
  • Business impact assessments
  • Gap analysis
  • Security audits

After gathering risks, the next step is to analyse them. I understand that quantitative assessment could ignore risks that can not be quantified due to their subjective nature. So, both types of assessments are required. Qualitative (minor. Medium, major)

After analysis, the next phase is the risk mitigation. This is where each Risk is classified as being in one of four categories:

Eliminate(i.e. should it be removed or avoided altogether).

Tolerate (where Risk is recorded but no other action is taken, usually due to a cost-benefit analysis).

Reduce (where the impact of a risk is minimised by preventative action).

Transfer (where the cost of mitigation and or impact of a risk is shared between multiple stakeholders).

Once a risk has been classified, there are a number of mitigation mechanisms available. Primarily, these consist of the following:

Physical controls (CCTV), procedural controls (training), and technical controls (firewalls). These three all together can make Preventative Controls.

References

Brooks, F.P. (1975) The Mythical Man-Month - Essays in Software Engineering (Anniversary Edition). Addison- Wesley.

Campbell, T. (2016). Practical Information Security Management. 1st ed. APRESS.