
Enhancement of VECTOR method by adapting OCTAVE for risk analysis in legacy system migration


Academic year: 2020


ENHANCEMENT OF VECTOR METHOD BY ADAPTING OCTAVE FOR RISK ANALYSIS IN LEGACY SYSTEM MIGRATION

AIDA HAKEMI

A project report submitted in fulfillment of the requirements for the award of the degree of

Master of Computer Science (Information Security)

Faculty of Computing Universiti Teknologi Malaysia


ACKNOWLEDGEMENT

First and foremost, I would like to express my utmost gratitude to my supervisor, Dr. Imran Ghani, for being a dedicated mentor as well as for his valuable and constructive suggestions that enabled this project to run smoothly.


ABSTRACT

Risk is involved in all phases of the software life cycle. Because of these risks, software can face various problems that lead to negative outcomes and, in extreme cases, failure of the software. Most of these risks lie in the process of migrating legacy software. They can create many problems and, in the worst case, cause the migration project to fail. This project explores different risk analysis methods, such as CRAMM, CORAS, OCTAVE and VECTOR. After comparing all these methods, the author chose two suitable methods (OCTAVE and VECTOR). Using these two methods, the project also suggests the enhanced EOV method for risk analysis in the migration of legacy software.


ABSTRAK


TABLE OF CONTENTS

CHAPTER TITLE

DECLARATION

DEDICATION

ACKNOWLEDGEMENTS

ABSTRACT

ABSTRAK

TABLE OF CONTENTS

LIST OF TABLES

LIST OF FIGURES

LIST OF APPENDICES

1 INTRODUCTION

1.1 Background of Study

1.2 Statement of the Problem

1.3 Purposes of Study

1.4 Objectives of Study

1.5 Scope of the Study

1.6 Research Question

1.7 Significance of the Study

1.8 Organization of Report

2 LITERATURE REVIEW

2.1 Introduction

2.2 A brief description of the maintenance phase

2.3 Categories of maintenance

2.4.1 Unique activities

2.5 A brief description of risk analysis

2.5.1 Quantitative and Qualitative Risk Analysis

2.5.2 Mathematically Risk Exposure

2.6 Basic risk analysis approach

2.7 Need for maintenance

2.8 Maintenance process models

2.8.1 Quick fix model

2.8.2 The reuse oriented model

2.9 Retire software and migrate legacy software

2.9.1 Example of a migration project

2.10 Gathering requirements

2.10.1 Functional requirements

2.10.2 Technical requirements

2.11 Migration process

2.12 Methods of risk analysis

2.12.1 OCTAVE

2.12.2 CORAS

2.12.3 CRAMM

2.12.4 VECTOR Matrix method

2.13 Advantage and disadvantage of risk analysis Methods

3 METHODOLOGY

3.1 Introduction

3.2 Operational Framework

3.3 Research Problem Formulation

3.4 Proposed and Implement Hybrid RMO risk analysis Method for migration legacy software

3.4.1 Risk analysis method proposed

3.4.2 Steps of propose method

3.5 Evaluation of proposed method

3.6 System Hardware and Software Requirement

4 METHOD DESIGN

4.1 Introduction

4.2 Process analysis

4.2.1 Which software should be migrate

4.2.2 Major phases in migration process

4.3 Existing risk analysis methods

4.3.1 VECTOR Matrix Method

4.3.2 OCTAVE

4.4 Enhancement of VECTOR method by adapting OCTAVE method

4.4.1 VECTOR Matrix

4.4.2 Adapting OCTAVE Method

4.5 Enhancement of VECTOR method by adapting OCTAVE table

4.6 Calculate value for each risk

4.7 Summary

5 DESIGN IMPLEMENTATION AND RESULT EVALUATION

5.1 Introduction

5.2 Design Implementation

5.2.1 VECTOR matrix

5.2.1.1 Calculate the value of each risk by VECTOR method

5.2.2 Adapting OCTAVE method

5.2.2.1 Calculate the value of each risk by OCTAVE method

5.3 Comparing the value of risk using EVAO method

5.4 Response to risk

5.5 Summary

6 DISCUSSION AND CONCLUSION

6.1 Introduction

6.2 Achievements

6.3 Constraints and Challenges

6.5 Chapter Summary

REFERENCE


LIST OF TABLES

TABLE NO. TITLE

2.1 Strengths and weakness of 4 methods

4.1 Some possible risks for phases of migration process

4.2 VECTOR Matrix table

4.3 Adopting OCTAVE Method

4.4 Enhancement of VECTOR method by adapting OCTAVE table

4.5 Enhancement of VECTOR method by adapting OCTAVE table

5.1 Result of sum in VECTOR matrix

5.2 Risk value in VECTOR matrix

5.3 Result of sum in adapting OCTAVE method

5.4 Risk value in adapting OCTAVE method

5.5 Enhancement of VECTOR method by adapting OCTAVE table

5.6 Final result for different answer in two methods

5.7 Header of change GUI

5.8 Threat of change GUI

5.9 Risk Reduction for change GUI


LIST OF FIGURES

FIGURE NO. TITLE

1.1 The percentage of costs in each phase of software life cycle

2.1 Importance of security maintenance phase in comparison with the software development life cycle

2.2 Distribution of maintenance effort

2.3 ISO/IEC Maintenance Process Activities

2.4 The Quick fix model

2.5 The Reuse model

2.6 Major Activities in legacy system migration

2.7 Comparisons of different methodologies

2.8 OCTAVE mentions compared to other methodologies

2.9 OCTAVE method

2.10 Phases of OCTAVE method

2.11 CRAMM method

2.12 Risk assessment of information security in bank developed using VECTOR method

3.1 Operational Framework

3.2 Problem Formulation

3.3 Analysis and Propose

3.4 Legacy System Categories

3.5 Possible risks in migration phases

3.6 Evaluation of method

4.1 Applications Categories

4.2 Major Activities in legacy system migration


LIST OF APPENDICES

APPENDIX TITLE


CHAPTER 1

INTRODUCTION

1.1 Background of Study

Developments in computer and software technology have made this technology part of everyone’s daily life. Despite advances in software technology and the resulting demand for various applications, existing legacy applications that cause different kinds of problems for an organization can no longer be justified for continued use. These systems should therefore be migrated to a new system that can work in the new environment. The migration process carries risks that may create problems for the process, so the possible risks should be analyzed before migration starts.

A simple existing definition of risk is “a problem that has not yet happened but which could cause some loss or threaten the success of the project if it did”. In this project, risk analysis has a serious role before a new application technology is deployed. To find the possible risks of a new technology deployment project, one should know how a suitable basic risk analysis can be performed.

1.2 Statement of the Problem

One of the most important and difficult activities in software engineering is security maintenance during the migration of a legacy system to a new system.

Security maintenance is a significant concern because two-thirds of a software system's lifetime cost involves maintenance. Figure 1.1 shows the percentage of costs in each phase of the software life cycle (Kagan Erdil, 2003).

Figure 1.1: The percentage of costs in each phase of software life cycle.

hazards. To decrease the risks and effort in this phase, using a suitable risk analysis is necessary. The aim of any risk analysis is to provide decision-makers with the best possible information about the probability of loss. As a result, it is important that decision-makers accept the risk analysis method used and that the information resulting from the analysis is in a useful form.

Given the importance of the subject, there has been little research on risk analysis for this part so far. This project therefore studies risk analysis methods and identifies suitable methods for analyzing the possible risks in the migration of legacy software. These methods should be used in combination to achieve better risk assessment results.

1.3 Purpose of Study

With the development of computer technology, software has been widely introduced as a backbone. Like other technologies, software brings many benefits to the world, but it also has many problems, which may occur after the software is released. One of these problems is legacy software: software that was developed in the past and is now critical to the business in which the system operates. Two problems are often associated with legacy systems: they are difficult to understand and expensive to maintain. Today many legacy systems have become a dilemma. These systems are critical, but maintaining them incurs unjustifiable expense.

1.4 Objectives of Study

• To study and compare existing information security risk analysis methods and choose suitable methods for the migration of software.

• To propose an enhanced risk analysis method for the migration process.

• To implement and evaluate the enhanced method.

1.5 Scope of the Study

In order to reach the objectives stated above, the scope of this study is limited to the following:

• This study looks into information security risk analysis methods.

• This study focuses on risk analysis in the migration process.

• Project evaluation is accomplished by distributing a risk analysis questionnaire to evaluate risk analysis where legacy software is to be migrated to new software.

1.6 Research Questions

The questions discussed in this report are as follows:

• What are the current phases in the migration of software?

• What are the current risk analysis methods?

• What are the suitable methods which can analyze existing risks for the migration process?

1.7 Significance of the Study

This research increases software engineering’s ability to develop software and to keep software up to date with changes in its environment. Risk analysis in the migration process can reveal the risks and their importance and provide enough information to deal with them. Likewise, in the migration of legacy software, risk analysis can find risks, evaluate them and provide information for dealing with them.

1.8 Organization of Report


REFERENCES

Bing Wu, D. L., Jesus Bisbal, D O’Sullivan, Ray Richardson. (1997). Legacy Systems Migration - A Method and its Tool-kit Framework.

Breier, J., & Hudec, L. (2011). Risk analysis supported by information security metrics. Paper presented at the Proceedings of the 12th International Conference on Computer Systems and Technologies, Vienna, Austria.

Choudhari, J., & Suman, U. (2012). Story Points Based Effort Estimation Model for Software Maintenance. Procedia Technology, 4, 761-765.

Christopher Alberts, A. D., James Stevens, Carol Woody. (August 2003). Introduction to the OCTAVE® Approach.

Comparing Migration Methodologies. (2007).

Cummings, C. Choosing the Best Risk Assessment Model.

Davor Maček, I. M., Nikola Ivković. (2011). Information Security Risk Assessment in Financial Institutions Using VECTOR Matrix and OCTAVE Methods.

Junaid Ahsenali Chaudhry, M. A. B., Ms. Rafhana Abd Rashid. (2012). Information Security Risk Analysis Methods.

Er, M. C. (1984). Problems and solutions in software maintenance. Data Processing, 26(6), 25-27. doi: http://dx.doi.org/10.1016/0011-684X(84)90275-2

Jesus Bisbal, D. L., Ray Richardson, Donie O’Sullivan. A Survey of Research into Legacy System Migration.

K.K Aggarwal, Y. S. (2007). Software requirements analysis and specification.

Kagan Erdil, E. F., Kevin Keating. (2003). Software Maintenance

Mahmoodian, N., Abdullah, R., & Murad, M. A. A. (2010, 15-17 June 2010). Text-based classification incoming maintenance requests to maintenance type. Paper presented at the Information Technology (ITSim), 2010 International Symposium in.

Martin Butler, B. W. (2010). Reducing Costs and Improving Agility Through Legacy Migration.

Muhammad Inayat Ullah, M. S., Nazir Muhammad. (2010). Reduction of enhanced maintenance effort using ARM model and RMMM plan.

Patterson, F. D., & Neailey, K. (2002). A Risk Register Database System to aid the management of project risk. International Journal of Project Management, 20(5), 365-374. doi: http://dx.doi.org/10.1016/S0263-7863(01)00040-0

Pyka Marek, J. P. (2006). The OCTAVE methodology as a risk analysis tool for business resources.

Talabis, M., & Martin, J. (2013). Chapter 2 - Information Security Risk Assessment: A Practical Approach Information Security Risk Assessments (pp. 27-62). Boston: Syngress.

Tsiakis, T. (2010). Information Security Expenditures: a Techno-Economic Analysis. International Journal of Computer Science and Network Security (IJCSNS), 10(4), 7-11.

Vorster, A., & Labuschagne, L. (2005). A framework for comparing different information security risk analysis methodologies. Paper presented at the Proceedings of the 2005 annual research conference of the South African institute of computer scientists and information technologists on IT research in developing countries, White River, South Africa.

Williams, L. (2007). Security Risk Analysis.
