Eliminating The Occurrence of Magic From Quantitative Risk Assessments
One internationally known British scientist once wrote that without quantitative assessments there is no real knowledge. It would be a logical mistake, however, to reverse this assertion and claim that by applying a particular measurement methodology to an attribute, one gains serious insight into its internal structure. Apart from whatever accuracy the underlying model has, numbers and metrics alone do not give their users any magical or paranormal abilities.
In methods such as Failure Mode and Effect Analysis and the Cost of Exposure (COE), one can obtain values known as risk priority numbers and then use them to make decisions about testing. These values help to establish an ordering over the full set of identified risk events. In other words, you get an idea of the relative importance of each risk.
However, if you hide risk priority numbers, it becomes difficult to draw any thoughtful conclusions.
The elements of risk priority numbers, especially the assessments of business priority and probability, are based largely on experience, intuition and professional knowledge. Even the probability values that might be subjected to actuarial analysis are rarely based on statistically valid data collected across a large number of projects. Even if you have such data, the fundamental novelty of each project limits how far you can extrapolate from it. Insurance companies extrapolate the risks associated with cigarette smoking to other forms of tobacco consumption, such as cigar smoking. However, we cannot extrapolate the types of errors observed in the implementation of a client-server system to the risk levels of implementing the same system as a web application.
The bottom line is that quantitative risk assessments, although they are useful models for ordering risks, are still inaccurate approximations. Prudent testers should make sure that other stakeholders, especially those using the methodology for the first time, understand the limits of what quantitative estimates mean.
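A sensitivity check that makes this limitation concrete, as an added example that is not from the original article: it assumes a risk priority number is the product of three 1-5 scores (severity, priority, likelihood, with higher meaning worse), uses constructed risk items, and lists which pairs in the ranking could swap places if every score were off by one point.

```python
# Assumption: RPN = severity * priority * likelihood, each scored 1..5 (5 = worst).
# The risk items and their scores are constructed sample data.
RISKS = {
    "login bypass": (5, 4, 2),
    "slow search": (3, 3, 3),
    "data loss on crash": (5, 5, 1),
    "report rounding error": (2, 3, 4),
    "typo in footer": (1, 1, 1),
}


def rpn(scores):
    """Risk priority number for one (severity, priority, likelihood) tuple."""
    severity, priority, likelihood = scores
    return severity * priority * likelihood


def rpn_interval(scores, err=1, lo=1, hi=5):
    """Lowest and highest RPN if each score may be off by up to `err` points."""
    lows = [max(lo, s - err) for s in scores]
    highs = [min(hi, s + err) for s in scores]
    return rpn(lows), rpn(highs)


def ranking(risks):
    """Risk names ordered from highest to lowest nominal RPN."""
    return sorted(risks, key=lambda name: rpn(risks[name]), reverse=True)


def unstable_pairs(risks, err=1):
    """Pairs (higher, lower) whose order could flip within the scoring error.

    Scores of different risks are judged independently, so the lower-ranked
    risk can overtake whenever its best case exceeds the other's worst case.
    """
    names = ranking(risks)
    flips = []
    for i, higher in enumerate(names):
        worst_case_of_higher, _ = rpn_interval(risks[higher], err)
        for lower in names[i + 1:]:
            _, best_case_of_lower = rpn_interval(risks[lower], err)
            if best_case_of_lower > worst_case_of_higher:
                flips.append((higher, lower))
    return flips


if __name__ == "__main__":
    for name in ranking(RISKS):
        print(f"{name:24} RPN={rpn(RISKS[name]):3} range={rpn_interval(RISKS[name])}")
    print("order could flip:", unstable_pairs(RISKS))
```

With these sample scores, 7 of the 10 pairs can change order under a one-point scoring disagreement, which is the kind of caveat worth showing stakeholders next to the ranked list.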