Risk-based testing
Risk-based testing uses risk assessment to guide testing. In this context, a risk is a factor that may have negative consequences; it is typically expressed in terms of likelihood (i.e., the probability of failure) and impact (e.g., the cost or severity of a failure). Risk assessment is integrated into the entire test process, i.e., test planning, test design and implementation, and test execution and evaluation. The intuition behind the approach is to focus testing on the scenarios that trigger critical situations. Risk-based testing approaches can be integrated into industrial test processes [RBT1].
Risk-based testing is not only a means of improving testing: testing can also support and improve risk assessment, by providing details about known risks or by detecting new ones.
Several risk-based testing approaches have been developed in recent years.
- The PRISMA (Product Risk Management) approach [RBT7] first identifies risks (business and technical) and then categorizes them into four risk levels, represented in a risk matrix. A different test approach is used for each risk level; e.g., tests for high-risk areas involve more reviews or have stricter exit criteria.
- Risk-based test case prioritization using a fuzzy expert system [RBT4] supports the prioritization of requirements-based tests and consists of four steps:
- Risk estimation by correlating with requirements (determine risk indicators that are effective at indicating defects, including requirement complexity, requirement size, requirement modification status and potential security threats)
- Risk exposure calculation for requirements (as a weighted mean of the risk indicator values)
- Risk exposure calculation for risk items (aggregated from the risk exposure values of the requirements associated with each risk item)
- Prioritization of requirements and test cases (based on the risk exposure values linked to the requirements)
Quantities such as requirement modification status or potential security threats are subjective, so the approach applies a fuzzy expert system to reduce that subjectivity.
- SmartTesting is a process for risk-based test strategy development consisting of seven core steps [RBT5]:
- Definition of risk items (functional and non-functional aspects)
- Probability estimation for each risk item (e.g., from historical data)
- Impact estimation for each risk item
- Computation of risk values
- Determination of risk levels
- Definition of test strategy based on the different risk levels
- Refinement of test strategy to match characteristics of the components
- RACOMAT is a risk management tool [RBT6] developed in the EU project RASEN; it follows the ISO 31000 standard. It combines formal risk modelling and assessment (based on CORAS) with existing libraries such as the Common Attack Pattern Enumeration and Classification (CAPEC) to enable automated security testing. Because its risk models and test results can be reused, testing can focus on elements that have not yet been tested but influence the impact, or on elements for which the likelihood is difficult to estimate.
RACOMAT also supports test-based risk assessment: observations of the system under test are valuable input to the risk model and help to estimate likelihood and impact for given scenarios.
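The fuzzy-expert-system prioritization listed above is easiest to see end to end in code. The following is an added example, not code from [RBT4] or from any of the tools named on this page: it walks the four steps with a simplified scheme in which the objective indicators (complexity, size) enter a weighted mean directly, while the two subjective indicators (modification status, security threat) are combined by a small Mamdani-style fuzzy inference, so that a rule base rather than a single rater's number decides how they interact. The membership functions, rule base, indicator weights, aggregation choice (a risk item inherits the maximum exposure of its requirements) and the sample requirements are all constructed assumptions.

```python
"""Requirements-based test case prioritization by risk exposure (added example).

Not code from [RBT4]. Membership functions, rules, weights and sample data are constructed.
"""
from dataclasses import dataclass


def tri(x: float, a: float, b: float, c: float) -> float:
    """Triangular membership function peaking at b with support (a, c)."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


# Linguistic terms on a normalised 0..1 scale (constructed).
TERMS = {"low": (-0.5, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.5)}

# Rule base (constructed): (security threat term, modification term) -> exposure term.
RULES = [
    ("high", "high", "high"), ("high", "medium", "high"), ("high", "low", "medium"),
    ("medium", "high", "high"), ("medium", "medium", "medium"), ("medium", "low", "medium"),
    ("low", "high", "medium"), ("low", "medium", "low"), ("low", "low", "low"),
]


def fuzzy_subjective_exposure(threat: float, modified: float, steps: int = 101) -> float:
    """Mamdani inference: fire each rule with min, aggregate with max, defuzzify by centroid."""
    ys = [i / (steps - 1) for i in range(steps)]
    aggregated = [0.0] * steps
    for t_term, m_term, out_term in RULES:
        strength = min(tri(threat, *TERMS[t_term]), tri(modified, *TERMS[m_term]))
        if strength == 0.0:
            continue
        for i, y in enumerate(ys):
            aggregated[i] = max(aggregated[i], min(strength, tri(y, *TERMS[out_term])))
    area = sum(aggregated)
    return sum(y * m for y, m in zip(ys, aggregated)) / area if area else 0.0


@dataclass(frozen=True)
class Requirement:
    rid: str
    complexity: float       # 0..1, e.g. normalised cyclomatic complexity of the implementing code
    size: float             # 0..1, normalised size of the requirement
    modified: float         # 0..1, subjective rating: how much it changed in this release
    security_threat: float  # 0..1, subjective rating: exposure to attack (untrusted input, secrets, ...)


WEIGHTS = {"complexity": 0.3, "size": 0.2, "subjective": 0.5}  # constructed indicator weights


def requirement_exposure(r: Requirement) -> float:
    """Steps 1-2: risk exposure of a requirement as a weighted mean of its indicator values."""
    subjective = fuzzy_subjective_exposure(r.security_threat, r.modified)
    weighted = (WEIGHTS["complexity"] * r.complexity
                + WEIGHTS["size"] * r.size
                + WEIGHTS["subjective"] * subjective)
    return weighted / sum(WEIGHTS.values())


def risk_item_exposure(risk_items: dict[str, list[str]], req_exposure: dict[str, float]) -> dict[str, float]:
    """Step 3: a risk item inherits the highest exposure of the requirements it groups (constructed choice)."""
    return {item: max(req_exposure[r] for r in reqs) for item, reqs in risk_items.items()}


def prioritize_tests(tests: dict[str, list[str]], req_exposure: dict[str, float]) -> list[tuple[str, float]]:
    """Step 4: order test cases by the highest exposure among the requirements they cover."""
    ranked = [(t, max(req_exposure[r] for r in reqs)) for t, reqs in tests.items()]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample: three requirements of a web application and the tests covering them.
REQUIREMENTS = [
    Requirement("R1", complexity=0.8, size=0.6, modified=0.9, security_threat=0.9),  # session handling, rewritten
    Requirement("R2", complexity=0.3, size=0.4, modified=0.1, security_threat=0.1),  # static help pages
    Requirement("R3", complexity=0.5, size=0.5, modified=0.2, security_threat=0.8),  # file upload, untouched but exposed
]
RISK_ITEMS = {"authentication": ["R1"], "content": ["R2", "R3"]}
TESTS = {"TC-login": ["R1"], "TC-help": ["R2"], "TC-upload": ["R3"], "TC-smoke": ["R1", "R2", "R3"]}


def prioritized_sample() -> list[tuple[str, float]]:
    """Run the pipeline on the constructed sample and return the prioritized test list."""
    exposure = {r.rid: requirement_exposure(r) for r in REQUIREMENTS}
    return prioritize_tests(TESTS, exposure)


if __name__ == "__main__":
    exposure = {r.rid: requirement_exposure(r) for r in REQUIREMENTS}
    for rid, value in exposure.items():
        print(f"{rid}: exposure={value:.2f}")
    print("risk items:", {k: round(v, 2) for k, v in risk_item_exposure(RISK_ITEMS, exposure).items()})
    print("test order:", [t for t, _ in prioritized_sample()])
```

The untouched but attack-exposed upload requirement (R3) ranks above the low-risk help pages even though it has not changed, because the rule base lets a high security threat dominate a low modification rating; ties (here TC-login and TC-smoke, both bounded by R1) are broken by name so the order is reproducible.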
To compare and categorize the various risk-based approaches, a taxonomy has been developed [RBT2]. It distinguishes three top-level classes:
- Context: The overall context is characterized by identifying the risk drivers that determine the direction of the process, ranging from safety and security to business and compliance. The quality properties to be considered are determined, typically including functionality, security and reliability, and the relevant elements (called risk items) are identified.
- Risk Assessment: Approaches are compared in terms of the risk factors they consider influential (such as risk exposure), the technique used to estimate and evaluate risks (list-based or formal), and the scale used to determine the risk level (quantitative or qualitative). The degree of automation of the methods used is also considered.
- Risk-Based Testing Strategy: This class differentiates methods by which parts of the testing process are based on risk assessment. It covers risk-based test planning (including test objectives and techniques, completion criteria and resource planning), risk-based test design and implementation (including preparation of test data, test selection and test automation) and risk-based test execution and evaluation (including monitoring and reporting).
This taxonomy has recently been refined to meet the needs of current standards [RBT3].
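The PRISMA risk matrix and the SmartTesting steps described above, as well as the risk-based planning phase of the taxonomy, rest on the same computation: estimate probability and impact per risk item, multiply them into a risk value, bucket the value into a level, and attach test techniques and a completion criterion to each level. The following is an added example of that computation; it is neither the PRISMA tooling nor code from the SmartTesting process. The defect history used to estimate probability, the normalisation of defect density, the level thresholds, the per-level strategies and the step-7 refinement rules are all constructed assumptions.

```python
"""Test strategy derived from a probability/impact risk matrix (added example).

Not PRISMA or SmartTesting code. History, thresholds, strategies and refinement rules are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    name: str
    kind: str                  # "functional" or "non-functional"
    past_defects: int          # defects found in this item over the last releases (constructed history)
    changed_loc: int           # lines of code changed in this item over the same releases
    impact: int                # 1..5 estimated cost/severity of a failure
    attributes: frozenset = frozenset()  # component characteristics used by the step-7 refinement


def probability(item: RiskItem) -> float:
    """Step 2: failure probability from historical defect density (defects per 1000 changed LOC).

    Constructed normalisation: 10 or more defects per KLOC is treated as a near-certain failure.
    """
    if item.changed_loc == 0:
        return 0.0
    density = item.past_defects / (item.changed_loc / 1000)
    return min(1.0, density / 10.0)


def risk_value(item: RiskItem) -> float:
    """Step 4: risk value = probability x impact, in the range 0..5."""
    return probability(item) * item.impact


def risk_level(value: float) -> str:
    """Step 5: bucket the risk value into one of four levels (thresholds constructed)."""
    if value >= 3.0:
        return "critical"
    if value >= 2.0:
        return "high"
    if value >= 1.0:
        return "medium"
    return "low"


# Step 6: one test strategy (techniques, completion criterion) per level (constructed).
STRATEGY = {
    "critical": (["code review", "boundary-value tests", "automated regression", "exploratory testing"],
                 "all tests pass and no defect of any severity is open"),
    "high": (["boundary-value tests", "automated regression"],
             "all tests pass and no high-severity defect is open"),
    "medium": (["automated regression"], "all tests pass"),
    "low": (["smoke test"], "smoke test passes"),
}


def strategy_for(item: RiskItem) -> dict:
    """Steps 6 and 7: strategy for the item's level, refined by the item's characteristics."""
    value = risk_value(item)
    level = risk_level(value)
    techniques, exit_criterion = STRATEGY[level]
    techniques = list(techniques)
    # Step 7 refinements (constructed rules).
    if "untrusted-input" in item.attributes and level in ("high", "critical"):
        techniques.append("negative tests with malformed input")
    if "third-party" in item.attributes:  # no source to review; test the supplier contract instead
        techniques = [t for t in techniques if t != "code review"] + ["integration tests against the supplier contract"]
    if item.kind == "non-functional" and level != "low":
        techniques.append("load test")
    return {"item": item.name, "risk_value": round(value, 2), "level": level,
            "techniques": techniques, "exit_criterion": exit_criterion}


def build_test_plan(items: list[RiskItem]) -> list[dict]:
    """Strategies for all risk items, highest risk value first."""
    return sorted((strategy_for(i) for i in items), key=lambda s: -s["risk_value"])


# Step 1: constructed risk items for a web shop release.
ITEMS = [
    RiskItem("Login", "functional", past_defects=10, changed_loc=1500, impact=5,
             attributes=frozenset({"untrusted-input"})),
    RiskItem("Payment processing", "functional", past_defects=13, changed_loc=3000, impact=5,
             attributes=frozenset({"third-party"})),
    RiskItem("Report latency", "non-functional", past_defects=4, changed_loc=1000, impact=3),
    RiskItem("Help pages", "functional", past_defects=1, changed_loc=2000, impact=1),
]

if __name__ == "__main__":
    for s in build_test_plan(ITEMS):
        print(f"{s['item']:<20} value={s['risk_value']:.2f} level={s['level']:<8} "
              f"techniques={s['techniques']} exit={s['exit_criterion']!r}")
```

With these numbers "Login" lands in the critical level (about 6.7 defects per KLOC against the highest impact), "Payment processing" in high, the latency requirement in medium and the help pages in low, so the plan spends reviews and negative input tests where the matrix puts the risk and only a smoke test where it does not.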
The benefits attributed to risk-based testing are:
- Improved efficiency (reduced testing time and budget)
- Improved test effectiveness (detection of defects, increased detection rate of tests)
Its limitation is the one shared by all testing:
- Testing is inherently incomplete. Prioritization by risk reduces the residual risk for a given test budget, but it cannot remove that incompleteness.
- [RBT1] M. Felderer, R. Ramler, Integrating risk-based testing in industrial test processes, Software Quality Journal 22, pp. 543-575, 2014.
- [RBT2] M. Felderer, I. Schieferdecker, A taxonomy of risk-based testing, International Journal on Software Tools for Technology Transfer 16, pp. 559-568, 2014.
- [RBT3] J. Großmann, M. Felderer, J. Viehmann, I. Schieferdecker, A Taxonomy to Assess and Tailor Risk-Based Testing in Recent Testing Standards, IEEE Software 37, pp. 40-49, 2020.
- [RBT4] C. Hettiarachchi, H. Do, B. Choi, Risk-based test case prioritization using a fuzzy expert system, Information and Software Technology 69, pp. 1-5, 2016.
- [RBT5] R. Ramler, M. Felderer, A process for risk-based test strategy development and its industrial evaluation, International Conference on Product-Focused Software Process Improvement, Springer, pp. 355-371, 2015.
- [RBT6] J. Viehmann, F. Werner, Risk assessment and security testing of large scale network systems with RACOMAT, Proceedings of Risk Assessment and Risk-Driven Testing, pp. 3-17, 2015.
- [RBT7] E. van Veenendaal, The PRISMA Approach: Practical Risk-Based Testing, 2012.