Risk-based testing

Risk-based testing uses risk to focus testing on secnarios that trigger critical situations to best avoid them.

Method Purpose Short description of the method's purpose and main benefits

Method description A detailed description of the method

Risk-based testing uses risk assessment to guide testing. In this context, risk is understood as a factor that may have negative consequences and is typically expressed in terms of likelihood (i.e., probability of failure) and impact (e.g., cost or severity of failure). Risk assessment is integrated into the entire test process, i.e., test planning, design and implementation, execution and evaluation. The intuition behind the approach is to focus testing on scenarios that trigger critical situations. Risk-based testing approaches can be integrated in industrial test processes [RBT1].

It is worth noting that risk-based testing is not only about improving testing but testing also may support and improve risk assessment by providing details about known risks or detection of new ones.

Several risk-based testing approaches have been developed during the last years.

The PRISMA (Product Risk Management) approach [RBT7] first identifies risks (business and technical) and then categorizes them into four different risks levels, represented in a risk matrix. Different test approaches are used for each risk level, e.g., tests for high-risk areas involve more reviews or have stricter exit criteria.
Risk-Based Test Case Prioritization Using Fuzzy Expert Systems [RBT4] supports the prioritization of requirements-based tests and consists of the 4 steps

Risk estimation by correlating with requirements (determine risk indicators that effectively indicate defects, including requirement complexity, requirement size, requirement modification status, and potential security threats)
Risk exposure calculation for requirements (as a weighted mean of risk indicator values)
Risk exposure calculation for risk items (based on risk exposure values of risk items)
Prioritization of requirements and test cases (based on risk exposure values linked to the requirements)

Quantities such as requirements modification status or potential security threats are subjective and thus the approach applies fuzzy expert systems to reduce that subjectivity.

SmartTesting is a process for risk-based test strategy development consisting of 7 core steps [RBT5]:

Definition of risk items (functional and non-functional aspects)
Probability estimation for each risk item (e.g., from historical data)
Impact estimation for each risk item
Computation of risk values
Determination of risk levels
Definition of test strategy based on the different risk levels
Refinement of test strategy to match characteristics of the components

RACOMAT is a risk management tool [RBT6] following the ISO 31000 standard developed during the EU project RASEN. It uses formal risk modelling and assessment (based on CORAS) and existing libraries such as Common Attack Pattern Enumeration and Classification (CAPEC) to enable automated security testing. Since it can be reused it allows to focus on elements that have not yet been tested but influence the impact or elements where likelihood estimation is difficult.

RACOMAT also supports test-based risk assessment. Observations of the system under test can be valuable input to the risk model and helps estimating likelihood and impact for given scenarios.

In order to compare and categorize various risk-based approaches, a taxonomy has been developed [RBT2]. It distinguishes three top-level classes:

Context: The overall context is characterized through identification of risk drivers that determine the direction of the processes, ranging from safety and security to business and compliance. The quality properties to be considered are determined, typically including functionality, security and reliability, and the relevant elements (called risk items) are identified.
Risk Assessment: The approaches are compared in terms of the risk factors they consider to be influential (like risk exposure), the technique to estimate and evaluate risks (list-based or formal) as well as the scale to determine the risk level (quantitative or qualitative). Further, the degree of automation of the methods used can be measured.
Risk-Based Testing Strategy: This class differentiates methods depending on which parts of the testing process are based on risk assessment. It focuses on the phases risk-based planning (including test objectives and techniques, completion criterion as well as resource planning), risk-based test design & implementation (including preparation of test data, test selection or test automation) and risk-based text execution & evaluation (including monitoring and reporting).

This taxonomy has recently been refined to meet the needs of current standards [RBT3].

Method Strengths A listof the strengths of the method

Improved efficiency (reduced testing time and budget)
Improved teste effectiveness (detection of defects, increased detection rate of tests)

Method Limitations The limitations of the method

Testing is inherently incomplete. Prioritization by risk can reduce the remaining risk, but cannot address the inherent incompleteness.

Method References Bibliography references to papers about the method.

[RBT1] M. Felderer, R. Ramler, Integrating risk-based testing in industrial test processes, Software Quality Journal 22, p 543-575, 2014.
[RBT2] M. Felderer, I. Schieferdecker, A taxonomy of risk-based testing, International Journal on Software Tools for Technology Transfer 16, p 559-568, 2014.
[RBT3] J. Großmann, M. Felderer, J. Viehmann, I. Schieferdecker, A Taxonomy to Assess and Tailor Risk-Based Testing in Recent Testing Standards, IEEE Software 37, p 40-49, 2020.
[RBT4] C. Hettiarachchi, H. Do, and B. Choi, Risk-based test case prioritization using a fuzzy expert system. Information and Software Technology, 69, p 1-5, 2016
[RBT5] R. Ramler, M. Felderer, A process for risk-based test strategy development and its industrial evolution, International Conference on Product-Focused Software Process Improvement, Springer, p355-371, 2015.
[RBT6] J. Viehmann and F. Werner, Risk assessment and security testing of large sclae network systems with RACOMAT, Proceedings of Risk Assessment and Risk-Driven Testing, p 3-17, 2015.
[RBT7] E. van Veendaal, The PRISMA Approach: Practical Risk-Based Testing, 2012.

Method Dimensions

Evaluation Environment Type Type of environment where the method is applied. It can be more than one type of environment. (Dimension 1)

Evaluation Type Type of evaluation performed with that method. If a method is hybrid, more than one type can be selected. (Dimension 2)

Type of Component Under Evaluation Type of components that can be evaluated with that method. It can be more than one type. (Dimension 3)

Evaluation Stage The evaluation stage where the method is used. (Dimension 5)

Purpose of the Component Under Evaluation The type of purpose that can be evaluated by a method. It can be more than one type. (Dimension 6)

Type of Requirement Under Evaluation The type of requirements that a method is able to evaluate. It can be more than one type. (Dimension 7)

Evaluation Performance Indicator The type of evaluation criteria or KPI that a method is able to improve. It can be more than one type. (Dimension 8)

Relations

Related Methods A method could be related to other methods.

Tools A method can use zero or more tools.

Part Method A method (when it is a combination: Combination of method artefact that is a specialization of a V&V Method) could be composed of a set of V&V Methods.

Test Case or Verification and Validation activity Test Case or V&V activity performed in a Use Case. We will link to the method to the test cases where the method is used.

Standards A method can be linked with standards.

Context

Workflow

Contents

There are currently no items in this folder.