ISMA 15 conference: Consumer Metrics for Privacy & Safety – Metrics for the Age of Digitalization
Thomas Fehlmann, and Eberhard Kranich (Euro Project Office)
- Privacy issues
- Is it possible to define trustworthy software metrics for consumers?
Privacy issues – protection against malware, hackers and intruders – becomes more and more an issue when building software. Not only banks and public administrations are vulnerable but anything that runs on software can become a victim of some attack, e.g., ransomware. Purchasers of new software, or software amendments, need to know their level of vulnerability, taking precaution against opening new weak points when installing new software. Users of compromised software-intense products eventually become accountable for damage inflicted on others. Thus, consumers need software metrics that tell them how well their software behaves against attacks.
Similar concerns apply to safety. Before sitting in an autonomous car, a safety index should indicate how fit the car is against unforeseen traffic and weather conditions. Since car software is regularly updated, and maps and other cloud-based instruments adapt to changing environment, thus changing the behavior of the car, safety tests must become repeatable and autonomous. Consumers must be informed with safety metric whether they can trust their car. For robots, or IoT-equipped smart homes, it is quite similar. Consequently, the role of Software Metrics organizations is going to change. Software metrics are no longer an academic discipline but have impact on legal status and economic, cause liability, and are an issue for politics and society. This is how digitalization affects us.
Is it possible to define trustworthy software metrics for consumers? Metrics, that make the degree of exposure of privacy and safety risk visible, comparable, and understandable? Metrics, that are applicable to all kind of software, be it embedded, standard, cloud, or custom? And metrics that work after each software upgrade or download showing whether the system has become more secure, or in contrary, more vulnerable?
Code analysis is no answer. Code is often not available when using cloud services, for instance. Since privacy and security are affected by unwanted functionality only, functional models like those of IFPUG, COSMIC, FiSMA, or NESMA can help. Such models can be created for any system, whatever services it uses and whether or not it is custom build or providing services. Like the SNAP counting rules of IFPUG, you can assign non-functional attributes to the elements of a model, be it data functions, transactions, or data movements. The attributes signify the amount of privacy risk, or safety risk, or any other non-functional attribute that matters for consumers. The evaluation of risk needs agreement between suppliers and consumer organizations. Metrics organizations have the expertise to standardize such evaluation criteria.
This presentation outlines how to define such attributes and how to count them in a model, be it the COSMIC data movement map – suitable for communication among things – or an IFPUG-like transaction map, ideal for web portals. We also provide roadmap towards standardized consumer metrics.
Thomas Fehlmann is a senior expert in software metrics and project cost estimation, a Lean Six Sigma Black Belt for agile software development and promoter of customer-oriented software product design and testing. As a consultant, he has lead a few companies to market dominance even on global levels using QFD and New Lanchester Theory. He runs the Euro Project Office since 1999, is internationally recognized as Quality Function Deployment (QFD) expert where he received the Akao price in 2001, and serves as software metrics expert of SwissICT since 2003. Since 2004, he is Swiss delegate in the International Software Benchmarking Standard Group (ISBSG), and vice-president since 2012. Furthermore, he is an academic member of the Athens Institute for Education & Research since 2016. He started in the 1980 with functional sizing. Since 1990, he has presented at many conferences targeting QFD, Software Quality, Software Engineering, Software Testing, and Software Metrics.
Eberhard Kranich studied mathematics and computer science with a focus on mathematical programming/ optimization, mathematical statistics and complexity of algorithms, and has more than 30 years of industrial experience in oil, food, and automotive industry, and in telecommunications. Together with Thomas Fehlmann he published papers on Six Sigma transfer functions applied to Lean Six Sigma, the Quality Function Deployment methodology and Taguchi methods.