A STATISTICAL NEURAL NETWORK FRAMEWORK

FOR RISK MANAGEMENT PROCESS

From the Proposal to its Preliminary Validation for Efficiency

Salvatore Alessandro Sarcià, Giovanni Cantone

Dip. di Informatica, Sistemi e Produzione, Università di Roma Tor Vergata, via del Politecnico 1, 00133 Roma, Italy

Victor R. Basili

Dept. of Computer Science, University of Maryland, A.V. Williams Bldg. 115, College Park 20742, MD, USA

Keywords: Risk Management Process, Artificial Neural Networks, Experimental Software Engineering, Prior

Probability, Posterior Probability, Bayes’ Theorem, Computational Software Engineering.

Abstract: This paper enhances the currently available formal risk management models and related frameworks by

providing an independent mechanism for checking out their results. It provides a way to compare the

historical data on the risks identified by similar projects to the risk found by each framework Based on

direct queries to stakeholders, existing approaches provide a mechanism for estimating the probability

of achieving software project objectives before the project starts (Prior probability). However, they do not

estimate the probability that objectives have actually been achieved, when risk events have occurred during

project development. This involves calculating the posterior probability that a project missed its objectives,

or, on the contrary, the probability that the project has succeeded. This paper provides existing frameworks

with a way to calculate both prior and posterior probability. The overall risk evaluation, calculated by those

two probabilities, could be compared to the evaluations that each framework has found within its own

process. Therefore, the comparison is performed between what those frameworks assumed and what the

historical data suggested both before and during the project. This is a control mechanism because, if those

comparisons do not agree, further investigations could be carried out. A case study is presented that

provides an efficient way to deal with those issues by using Artificial Neural Networks (ANN) as a

statistical tool (e.g., regression and probability estimator). That is, we show that ANN can automatically

derive from historical data both prior and posterior probability estimates. This paper shows the verification

by simulation of the proposed approach.

1 INTRODUCTION

Since the late 1980’s, when Risk Management (RM)

was first applied to the software domain (Boehm,

1989), (Charette, 1989) (Boehm, 1991), there have

been limited real advances in formal RM

methodologies (Roy, 2004).

One weakness of the existing RM practices

(Sarcià, Cantone, 2006) is the inability to check the

identified risks against past performance on similar

projects. This paper tries to improve on the current

RM practices by integrating into the frameworks an

independent mechanism for comparing the current

risks to historical data. In particular, we propose an

Artificial Neural Network-based (ANN) approach

for estimating both prior and posterior probability

using the historical data of the software

organization. Briefly, the main questions that this

paper answers are: “What is the probability that the

project succeeds? How can we evaluate whether

risks actually have impacted on the achievement of

the project objectives?” The remainder of this paper

deals with the following topics: Section 2 provides

an overview of the key elements of an RM process

focusing on the reliable prediction of project success

and failure. Section 3 defines the problem and

discusses about RM strategies and methodologies.

Section 4 presents and discusses results from a

simulation-based case study for efficiency

validation. Section 5 shows some insights for

168

Alessandro Sarcià S., Cantone G. and R. Basili V. (2007).

A STATISTICAL NEURAL NETWORK FRAMEWORK FOR RISK MANAGEMENT PROCESS - From the Proposal to its Preliminary Validation for

Efﬁciency.

In Proceedings of the Second International Conference on Software and Data Technologies - SE, pages 168-177

DOI: 10.5220/0001335701680177

Copyright

c

SciTePress

improving the proposed approach. Some final

remarks and forewords for future work conclude the

paper.

2 RISK MANAGEMENT

Risk is a measure of probability and severity of

unwanted effects (Boehm, 1991) on software

development projects.

Basically, all current risk

estimation frameworks in software development

process (Boehm, 1991), (Charette, 1989), (Higuera,

1996), (Kontio, 1996), (Karolak,

1997), (Madachy,

1997), (SEI, 2002), (Roy, 2004), and (Albert, 2006)

evaluate the risk value (or risk exposure), V as:

V(UE) = I(UE) * P(UE) (1)

where UE stands for an unwanted event (risk factor);

P(UE) is the probability that UE occurs; I(UE)

stands for the impact (or cost) due to the occurrence

of UE. As an example, we can consider the

following situation:

UE = {‘Resignation of a senior analyst’}, I(UE) = {6

month’s delay} and P(UE) = 0.25 then:

V(UE) = 6 * 0.25 = 1.5 (months) (1.a)

2.1 Risk Management Process

RM is a continuous process, which aims at applying

suitable tools, procedures, and methodologies to

avoid that risk occurs or keep it within stated limits

(SEI, 2002). Some studies describe several basic

steps of RM in slightly different ways, but

substantially they report a process, which – similarly

to the one that Figure 1 depicts – is based on the

stages below.

Identify: Includes the identification of the

internal and external sources of risk through a

suitable taxonomy (Higuera, 1996) (SEI, 2002), as

depicted in Table 1. Risk Identification involves

stakeholders and depends on the project context.

Analyze: Aims at understanding when, where,

and why risk might occur, through direct queries to

stakeholders about the probability and impact of risk

elements. The prior probability is evaluated. This is

the probability that an event (e.g., project delay)

could happen before the project starts. This is

calculated through prior information.

Plan: In order to establish a strategy to avoid or

mitigate the risk, decisions have to be made. In this

stage, contingency plans are stated as well as the

related triggering thresholds. Risk-controlling

actions are defined and selected.

Figure1: Risk Management Process.

Handle: The planned actions are carried out if

the risk occurs.

Monitoring: This is a continuous activity that

watches the status of the project, and checks

performance indicators (e.g., quality indicators, for

instance the number of defects per size unit). In this

stage, data concerning the risk trend is gathered.

Table 1: Risk sources taxonomy (based on SEI, 2002).

Control: It appraises the corrections to be taken

on risk mitigation plan in case of deviations. If the

indicators show an increase over the fixed threshold,

a contingency plan is triggered. In our opinion, this

stage should deal with the posterior probability

because events have already occurred; that is, one

tries to figure out whether an unwanted event

actually had an impact on project objectives. For

further information about prior and posterior

probability (Bayes’ Theorem), please see Section 1.8

in (Bishop, 1995).

Document and Communicate: This stage can

be truly considered as the core of RM; in fact, all

other stages refer to Documentation and

Communication for enabling information exchange.

2.2 Project Success and Failure

Project success and failure constitute the

environment where risk considerations take place.

According to the Standish Group (Standish Group,

1994), budget, schedule, and technical quality are

the primary concepts to evaluate as to whether or not

a project meets its objectives.

It was argued (Jones, 2002) that the measure of

success varies depending on how we define it. It has

been suggested that success should be based on the

developer’s point of view (Procaccino, Verner,

Lorenzet, 2006), and on the stakeholder’s

A STATISTICAL NEURAL NETWORK FRAMEWORK FOR RISK MANAGEMENT PROCESS - From the Proposal to

its Preliminary Validation for Efficiency

169

perspective (Linberg, 1999). Recently, empirical

studies (Berntsson-Svensson, Aurum, 2006) have

found that the nature of projects might not be

systematically correlated with success and failure

factors. (Boehm, 1991) includes in his top ten risk

items unrealistic schedules and budgets, but, it was

pointed out that having a schedule is not necessarily

correlated with project success (Verner, Cerpa,

2005): there are successful projects developed in a

shorter time than scheduled. Additionally, it has

been suggested that project success factors are

intertwined with product success factors (Wallin et

al., 2002).

This paper adopts a definition of project success

and failure very close to the Standish-Group’s

definition (Standish Group, 1994), which states that

a project achieves its objectives when it is on time,

on budget, with all features and functions as

originally specified. Concerning this point, let us

recall that the triad cost-schedule-performance of

project management is often termed the “Iron

Triangle” (Williams, Pandelios, Behrens, 1999).

This triadic view will be used in the rest of the

paper.

Our understanding of risk uses a threshold

concept (Linberg, 1999). In order to check whether

or not a project is meeting the stated objectives, we

consider thresholds on budget, schedule, and

required performances. In this way, project success

and failure vary according to how we set these

thresholds. This interpretation allows us to define a

project to be successful projects just on the basis of a

specific aspect (e.g. a project can be considered

successful for budget factor but fail for the required

defect rate). Actually, we are going to show, below,

that this concept can be represented by a function of

many variables, which, somehow, impact on the

metric that we picked out to represent the success.

3 PROBLEM DEFINITION

To define the problem that this paper deals with, let

us consider again equations (1), (1.a) and Figure 1.

In particular, through the Analysis phase (Figure 1),

we can calculate the risk exposure for each risk

element, which we found in the previous phase

(Identify). As we have already mentioned (Section

2.1), this kind of evaluation is based on asking direct

queries to stakeholders, which should provide a

subjective score for each identified risk. This

procedure might not be reliable because

stakeholders’ subjective scores could change over

time based upon their feeling (Tversky, Kahneman,

1974). In other words, we need a control

mechanism. A possible improvement could be using

historical data, if available. The aim would be

building a control mechanism to increase our

confidence on those subjective scores.

When evaluating the overall risk for achieving a

project objective (Iron Triangle), we pick all the risk

exposures and estimates for each project objective

(that is, each element of the Iron Triangle),

calculating the average risk exposure (Roy, 2004).

Generally, this average is weighted according to

information that RM managers can get by historical

data of the organization (Roy, 2004), (Fussel and

Field, 2005). Based on these weighted averages, one

should state strategies and plans to avoid or shrink

the risk occurrence. Actually, over the Control phase

(Figure 1), we are faced with the problem to figure

out whether and to what extent risks have impacted

on project objectives (e.g., scheduling slippage

evaluation). For instance, if risks impacted very

much upon the project, we should get low

probability to be successful. Note that, this

evaluation depends on what we pick out as a basis

for comparison. For instance, let us assume that the

historical data from the considered organization

shows that, usually in similar projects, the

organization got values for the Schedule

Performance Index (SPI) between 0.8 and 0.9− (SPI

is an index that provides information about the

objective to stay on time). Based on the definition of

this index (ratio between what we have done and

what we planned to do), only values greater than 1.0

should be considered as success. Let us assume that,

current project got SPI

Curr

= 0.95. If we picked out

the theoretical value (SPI

theor

= 1.0) as a threshold

for comparison, we would get a failure (because

SPI

Curr

< SPI

theor

). On the contrary, if we picked out,

for instance, the mean value on past projects (e.g.,

SPI

mean

= 0.85), we would get a success. Therefore,

if we calibrate the evaluation criterion on the

observed data then the decisions that we make are

based on information that is as large and updated as

we can. This happens because the object for

comparison is based upon real performances of the

organization. Actually, the problem is more

complex. As a matter of fact, this calibration should

take in account all possible factors (e.g., domain,

complexity, developers’ experience etc…) that

impacts on the considered performance (e.g., SPI).

In other words, we should consider a regression

function (e.g., SPI as a dependent variable and

impacting factors as independent variables). Often,

for the sake of simplicity, those factors are left out;

hence, organizations prefer adopting just theoretical

ICSOFT 2007 - International Conference on Software and Data Technologies

170

values. This research proposes a way to tackle with

these issues.

3.1 The Strategy

Figure 2 depicts our point of view. Each risk

element might impact (or might not) on one or more

project objectives. We can get the impact of the

assumed risk elements by checking suitable metrics

(Basili, Caldiera, Cantone, 1992), (Basili, Caldiera,

Rombach, 1994), (Basili, Caldiera, Rombach,

1994b), (Cantone, Donzelli, 2000), and (Piattini,

Genero, Jiménz, 2001) on the Iron Triangle during

the project, as depicted on the right side of Figure 2

(lollipop notation). Concerning the posterior

probability analysis, based on the proposed approach

(ANN), we propose to calculate the probability that

the current project has succeeded; if this probability

is less than 0.5 then risks occurred and they cannot

be left out. Moreover, the more this probability

approaches 1.0, the more the impact of risk factors

decreases. Therefore, if we get no effects on the Iron

Triangle, we can decide that the leverage of those

considered risks could be left out. Finally, if the

historical data evaluated by ANN and the weighted

scores obtained by existing frameworks agree, then

we can get more confident on our results. If, on the

contrary, they do not (e.g., if the theoretical

performance indicators and the posterior probability

do not point out success or failure at the same time),

then we have to carry out further investigations on

risk elements.

Figure 2: Risk factors that impact on the Iron triangle.

Our strategy proposes to use historical data to

build a baseline to evaluate risk value and to

automatically check whether the project is meeting

the stated objectives or not. This baseline is actually

generated by an ANN, whose output represents the

posterior probability that can be used in the risk

evaluation, as mentioned above.

3.2 The Methodology

In this section we describe the procedure that one

should follow in order to get risk probabilities from

historical data of the organization as claimed above.

(1) Identifying Success Metrics: In Figure 3 we can

see, by a lollipop notation, that for each project

objective (O) a threshold function (T

O

) can be stated,

which provides success and failure measures. Note

that, T

O

, in this framework, is a function of many

factors as mentioned in Section 3 and as explained

below. We could also define metrics on software

quality aspects such as Defect Rate, Effort per

Defect, Number of Changes per Release (T

P1

, T

P2

… T

Pn

). Therefore, with regard to Figure 3, T

B

could

be a threshold function on Cost Performance Index

(CPI) and T

S

a threshold function on Schedule

Performance Index (SPI) or Productivity (ratio

between SLOC and Effort).

(2) Selecting Impacting Factors on the Success

Metric: By impacting factor, we mean a variable

that can affect the measurement of success metric

(e.g., Domain, KSLOC, Complexity, and

Developers’ Expertise). It is possible that we should

take in account a big number of factors to get good

results. But, the more this number grows, the more

regression function is difficult to be estimated, if we

use canonical methods. However, if we use ANN

and Backpropagation for calculating regression

functions, the number of factors does not influence

the procedure.

Figure 3: Using Computational Intelligence technique to

evaluate project successes and failures.

Of course, the effects of this grow impact on the

computation time, which could be very big. Hence,

we are considering ANN as a mean to estimate non-

linear regression functions because we can obtain

reliable estimates as automatically as possible, even

if we have to consider a high number of impacting

factors. Refer to (Bishop, 1995) and (Dreyfus, 2005)

A STATISTICAL NEURAL NETWORK FRAMEWORK FOR RISK MANAGEMENT PROCESS - From the Proposal to

its Preliminary Validation for Efficiency

171

for more information about the use of ANN and

Backpropagation as a mean to estimate non-linear

regression functions.

In order to understand which factors impact the

considered project objective, we can use GQM

approach (Basili, Caldiera, Rombach, 1994). Briefly,

some possible questions are the following:

• What can impact on the achievement of the

project objective? (E.g., effort ÷ team size,

team experience, used development tools).

• What is the software context? (E.g., Domain,

Category)

• What is the development context? (E.g.

knowledge of the software system,

organization maturity, development flexibility,

etc.)

(3) Evaluating non-linear regression function:

Now, we can build an ANN, for regression, as

depicted in Figure 4, where input variables

(independent variables) are the impacting factors

said above, and the output (dependent variable) is

the regression function estimate (on the success

metric).

Using this regression function, we can divide our

past projects between the successful and failed ones.

In particular, if a project got a threshold value better

than the regression function it is considered as a

success, if this value was worse than regression

function, it is considered as a failure. Note that, all

the projects can belong to just one of those classes.

Figure 4: A Multi-layered Fed-forward Neural Network

(Perceptron) for estimating regression functions.

Figure 5 depicts a trivial case in two dimensions. We

show such an example because it can be represented

on a plane. In a real case (e.g., Figure 4), we could

have many factors and just one success metric. It is

important to note that, what we are actually

calculating is an iperplane that splits the considered

iperspace into two disjoined subsets. Class A is the

success class and class B is the failed one.

(4) Rejecting non-relevant factors: It is possible

prove (Dreyfus, 2005) that an ANN that has a

minimal configuration in terms of input variables

and internal parameters (hidden units) provides the

best regression function estimate. This characteristic

is called parsimony. Therefore, over this stage, we

should reject factors that do not impact on the

success metric as well as shrink the ANN internal

configuration (hidden units) as much as possible. In

order to carry out this task, we can apply many

different techniques, such as Principal Component

Analysis (Jollife, 1986), Wrapper for Feature Subset

Selection (John, Kohavi, Pfleger, 1994), Cross-

validation or Leave-one-out (Dreyfus, 2005).

Figure 5: Two-dimension regression function that splits

the plane into two disjoined subsets. The dashed line is a

threshold function.

(5) Building a Two-Class Classification Network:

So far we have turned our evaluation problem into a

two-class discrimination problem. Now, we build a

new network, for discrimination, as depicted in

Figure 6. Such a system is able to classify all

possible inputs as belonging to A or B. Actually, we

can obtain much more from this kind of network. In

fact, this is able to provide the posterior probability

said above (Bishop, 1995). This is a very important

result because, generally, Bayes’ theorem has just

theoretical importance, but it cannot be practically

applied. The problem is that we cannot know all

terms of Equation (2) right side.

In order to explain this problem let us consider

Equation (2). Let Pr(A | x) be the posterior

probability that Bayes’ theorem provides, that is,

the probability that the considered project belongs to

A after its measurements have been executed.

B)Pr(B)|(xpA)Pr(A)|(xp

A)Pr(A)|(xp

x)|Pr(A

XX

X

+

=

(2)

Pr(A) and Pr(B) represent prior probability of

class A and B respectively, p

X

(x | A) and p

X

(x | B)

represent the probability density that x occurs

conditioned to class A or B, that is, the probability

that x occurs with respect to A or B.

The real problem is that we could, somehow, get

estimates for P(A) and P(B), but we are not able to

ICSOFT 2007 - International Conference on Software and Data Technologies

172

estimate p

X

(x | A) and p

X

(x | B), that is, Bayes’

Theorem is not useful for real classifications. Based

on the mathematical proof reported in (Bishop,

1995), if we use an ANN like the one that Figure 6

depicts, we can directly obtain Pr (A | x) even if we

cannot know the conditioned probabilities said

above.

Figure 6: An Artificial Neural Network for two-class

discrimination problems.

3.3 Prior Probability Estimate

So far we have shown that if we use a particular

ANN for two-class discrimination, we can directly

calculate the posterior probability. Now we show

how to estimate the prior probability, that is, the

probability that a project can achieve a stated

objective before the project starts.

Let us observe that an individual input for the

network in Figure 6 is a vector V

i

, like Expression

(3) shows, where, v

i,1

, v

i,2

, …. , v

i,n

are the V

i

‘s

components and stand for the actual values that the

network receives as an input.

V

i

= (v

i,1

, v

i,2

, …. , v

i,n

) (3)

V

i

is a generic vector that represents the i

th

project, and the second number (1 through n)

represents the index of the input variables. With

regards to Figure_6, for instance, the values in

Expression (4) might be gathered.

In order to obtain all the possible V

i

instances

that the network can receive in input (henceforth we

are denoting those vectors by the term Input Set,

writing V), we consider the Cartesian in Expression

(5), where {v

i

}, is the set of all possible values that

the i

th

component of V can get. As experimentalists,

we often call {v

i

} with Factor and the values that it

can get (v

i,1

, v

i,2

, …. , v

i,n

) with Levels or

Treatments.

v

i,1

= {Val(SPI)} = {0.9},

v

i,2

= {Val(Effort/TeamSize)} =

{1000/20}= {50}

…

(4)

V = {v

1

} x {v

2

} x … x {v

i

} x … x {v

n

} (5)

Note that, in a software engineering environment

the cardinality of this Input Set is a finite number,

i.e. the size of {v

i

} is a finite number. For instance,

even if SPI might get real (infinitive) values in [0,

+∞[, actually, significant values for an organization

could lie, for instance, inside [0.4, 1.5]. Moreover,

significant approximations for those elements of the

set [0.4, 1.5] are bounded to the first or second

fractional, that is, finer grain values are not

significant for the organization. For instance, we

could make decision to have, in [0.4, 1.5[, just 11

possible values (0.4, 0.5 … 1.4), i.e. 1 factor and 11

treatments. A question arises naturally:

Expression (6) shows how to calculate the

cardinality of V.

N = Card{v

1

} * Card{v

2

} * ... * Card{v

n

} (6)

Note that, based on the definition of Input Set, V

includes all the significant values for the

organization. As experimentalists we generally call

this set with Population. Now, in order to calculate

the prior probability, we can feed the ANN with the

whole Input Set V and obtain the cardinalities of

both classes, A and B, Figure 7.

Figure 7: Prior probability estimation by a two-class

classification network.

This happens because such a network is able to

classify all possible significant inputs as belonging

to A or B. In particular, the input vector belongs to

A if and only if the ANN output lies inside [0.5,

1.0]. If this output lies inside [0, 0.5[, then the

considered input belong to B (Figure 7).

Let us denote by A the subset of V composed of

all the success vectors and by B the subset composed

of all failure vectors, with {A} ∩ {B} = Φ and {A}

∪ {B} = {V} (Figure 7).

Said C

A

and C

B

the cardinalities of A and B,

respectively, we can calculate the prior probabilities

to be successful (to achieve a project objective) by

Expressions (7). Overall, P(A) represents the

probability that the successful class can occur.

Hence, P(B) = 1 - P(A) is the probability to fail.

Based on historical data, therefore, P(A) value

A STATISTICAL NEURAL NETWORK FRAMEWORK FOR RISK MANAGEMENT PROCESS - From the Proposal to

its Preliminary Validation for Efficiency

173

represents the success probability that the

organization succeeds in developing a project before

the project starts.

P(A) = Card(A)/Card(V) = C

A

/N

P(B)

= CARD(B)/CARD(V) = C

B

/N = 1- P(A)

(7)

Note that, what we have been presented in this

Section could be viewed as a methodology for

estimating prior probability like Bootstrap and

Jacknife (Efron, Tibshirani, 1993) estimate

confidence intervals for population parameters.

4 CASE STUDY

Let us give, now, some demonstrations concerning

the efficiency of the proposed approach by showing

a typical application. As usual in Artificial Neural

Network computation (Dreyfus, 2005), we consider

an artificial set of observations, which we obtained

by a complete randomization. This kind of data is

supposed to be definitely not correlated; therefore, if

we are able to obtain the expected results from this

data set, we can show that this procedure is able to

reach the claimed goal (efficiency). Basically,

artificial data is more useful when one wants to

measure the efficiency of procedures, whereas real

data, which is supposed to be strongly correlated, is

more helpful when one wishes to evaluate the

effectiveness. At this stage, we verify efficiency.

We have taken in account the simulation design

explained below. Based on the proposed strategy

(see Section 3.2), our project objective was to

“Carry out the project on time”. We used the SPI as

a metric for success. Higher SPI values (more or

equal to 1) point out higher performances, and lower

values (less than 1) point out lower performances.

We picked 8 attributes to characterize a project:

Schedule Performance Index (SPI), as already

mentioned, Effort/TeamSize rate (ETS), Developer

Experience (DVE), Analyst Experience (ANE),

Advanced Development Tool Use (TOL), Software

Kind (SWK), Software Category (SWC), Required

Software Reliability (RSR). Table 2 shows all the

values that each attribute could get. In particular, the

cardinality of the Input Set was 600,000 elements.

Firstly, we considered an ANN for regression.

We used a feedforward neural network

(Rumelhart, Hilton, Williams, 1986), (Dreyfus,

2005), made by three levels (one hidden layer), with

7 input units (one for each attribute in Table 2,

except SPI), 5 hidden units, and 1 output unit (SPI).

The hidden unit activation functions were sigmoid

(hyperbolic tangent) and the output had a linear

function.

Table 2: Project attributed taken in consideration.

Table 3: Project data (columns) and instructions (bottom)

as provided to MatLab

™ for simulation.

As a training set of this regression network, we

considered matrix p (Table 3) except the first row,

which was used as a target set. In particular, each

column of p represents a past project and each row

represents all of the observations on the considered

input variable. A completely randomized validation

set (matrix tv, Table 3), was also considered. We

trained the network by the optimization algorithm

called Levenberg-Marquardt with early stopping on

matrix tv (validation set) and mean square error

(network performance) of 0.05. In order to increase

the performance of this regression network, firstly,

we carried out data normalization, that is, we

transformed the training set in a set with mean 0 and

deviation standard 1. Subsequently we performed

Principal Component Analysis (impact rate of an

ICSOFT 2007 - International Conference on Software and Data Technologies

174

input variable less than 0.05) (Jollife, 1986), as said

above (Dreyfus, 2005). Note that, this kind of

analysis reduced our input set from 7 to 6 input

variables. Then, we exploited this regression

network to split the training set into two subsets: the

first one composed of all values of p that showed

SPI values more than regression function (success)

and the second one composed of all other values

(failure). In particular, we obtained the following

classification result, represented by vector t:

t = [0 0 0 1 0 0 1 1 1 0 1 1 0 1 0 0 0 1 1 1];

Where 0 means that the corresponding column in p

belongs to the failed subset, and 1 means that the

corresponding column in p belongs to the success

subset. Therefore, for instance, the first three

columns of p belong to the failed subset and the

fourth one belongs to the success subset. Then, we

built a classification network where the training set

was the overall matrix p and the target set was t

(Lanubile, Visaggio, 1997). The topology of this

classification network was also of 5 hidden units of

hyperbolic-tangent activation functions and an

output unit of sigmoid logarithmic function. We also

trained this second network, by the Levenberg-

Marquardt algorithm with early stopping on the

overall matrix tv and mean square error of 0.05. The

target vector for the validation set was tt = [0 1 0 0 0

0 0 1 1 0]. Also for this second network, we carried

out data normalization and Principal Component

Analysis (rate = 0.05), which reduced our training

set from 8 to 7 input variables. We made use of

MatLab™ Neural Network Toolbox for training all

of the considered networks and performing principal

component analysis. In order to evaluate the

performance of this second network, we used

VMRE (the mean square error calculated on the

validation set) and TMRE (the one calculated on the

training set). We obtained the following

performances:

VMRE = 0.2204

TMRE = 0.0304

(8)

Notice that, although the validation set was obtained

by a complete randomization (there should be no

correlation between training set and validation set),

we obtained acceptable results using, as well.

Finally, we calculated the prior probability as

said above. In particular, the cardinality of Input Set

(V) was N = 600,000, hence, the overall Input Set

was a matrix 8×600,000. We fed the network with

those 600,000 vectors and obtained the classification

map depicted in Figure 8, where x-axis represents

the network output, and y-axis shows the number of

occurrences for each considered output slot.

Figure 8: Histogram obtained by an Artificial Neural for

Classification.

In Table 4, we reported a descriptive analysis of the

obtained results. The calculation of the prior

probability, that is, the success/failure probability

before the project starts, is executed by Expression

(9).

P(A) = 366,078/600,000 = 0.61

P(B) = 233,922/600,000 = 0.39

(9)

As said in Section 3.3, we split the histogram in

Figure 8 by considering OUTNET = 0.5, as a bound,

where OUTNET stands for artificial neural network

output. Note that, for each possible value that we

provide to the classification network (typically the

Input Set IS), we get a value that represents the

posterior probability that the considered input

belongs to class A. Prior and posterior probabilities

thus calculated can be used, respectively, as a

probability estimate in achieving project objective

before the project starts (Analysis phase) and

whenever a further project iteration has been carried

out (Control phase).

Table 4: Descriptive Analysis of results.

A STATISTICAL NEURAL NETWORK FRAMEWORK FOR RISK MANAGEMENT PROCESS - From the Proposal to

its Preliminary Validation for Efficiency

175

In figure 9, we reported further representation of the

classification.

Figure 9: A geometrical interpretation of Bayes’ decision

rule.

The blue continuous line is the obtained probability

density function. Concerning Figure 9, in a

theoretical case, those two dashed tails (Figure 9)

together with their continuances (blue) would

represent the probability density functions that a

generic element in the population belongs to A or B,

respectively. Green area, below their intersection, is

the theoretical misclassification area, that is, the one

that Bayes’ theorem would address. Actually, we got

the blue continuous line. Therefore, the actual

misclassification area is the one that is bounded by

B

l

and B

h

(grey and green area). Figure 9 also shows

that, if we pick up OUTNET = 0.5 as a class

boundary, we can correctly manage this

misclassification area and obtain the expected

results.

5 METHODOLOGY

IMPROVEMENT

It is important noting that, performances of such a

classification network could be improved by

carrying out cross-validation (Dreyfus, 2005).

Sometimes, real applications do not allow us to split

training set into two subsets, the one for training and

the other for validating. For this reason, in order to

evaluate the generalization capability of such a

network, we could apply leave-one-out technique.

For more details about those optimization

procedures, it is worth consulting (Dreyfus, 2005)

and (Bishop, 2006), which provide sound

mathematical motivations about the optimization of

ANN(s) together with a number of practical

implementation techniques.

6 CONCLUSION AND FUTURE

WORK

This paper proposed a new model for risk

evaluation, and an approach to build a statistical

neural network-based framework for supporting risk

management process. We showed that such a tool is

able to provide suitable probability estimates

exploiting both prior information (the one that is

available before the project starts) and posterior

information (the one that is available after events

have occurred). Future work will be concerned with

using data gathered by real applications for

effectiveness validation of the proposed approach.

Our prospective work should also investigate its

effectiveness when it is used together with other

frameworks in terms of reliability and effort

improvement in carrying out risk management

process.

ACKNOWLEDGEMENTS

We would like to thank people at the University of

Maryland Empirical Software Engineering Group

for discussing topics presented above, and providing

suggestions for improvement.

REFERENCES

Alberts, C.J., 2006. Common Element of Risk. TN-014,

pp. 1-26, CMU/SEI.

Basili, V., Caldiera, G., and Cantone, G., 1992. A

Reference Architecture for the Component Factory.

Transactions on Software Engineering and

Methodology

, vol. 1(1): 53-80, ACM.

Basili, V. R., Caldiera, G., Rombach, H. D., 1994.

Goal

Question Metric Paradigm

. In Encyclopedia of

Software Engineering, Ed. J.J. Marciniak, John Wiley

& Sons.

Basili, V. R., Caldiera, G., Rombach, H. D., 1994.

The

Experience Factory

. In Encyclopedia of Software

Engineering, Ed. J.J. Marciniak, John Wiley & Sons.

Berntsson-Svensson, R., Aurum, A., 2006. Successful

Software Project and Product: An Empirical

Investigation. In

ISESE06, Intl. Synposium on

Empirical Software Engineering

, IEEE CS Press.

Bishop C., 1995.

Neural Network for Pattern Recognition,

Oxford University Press.

Boehm, B.W., 1989.

Tutorial on Software Risk

Management

, IEEE CS Press.

Boehm, B.W., 1991. Software Risk Management:

Principles and Practices,

IEEE Software, No. 1, pp.

32-41, IEEE CS Press.

ICSOFT 2007 - International Conference on Software and Data Technologies

176

Briand, L.C., Basili, V.R., Thomas, W.M., 1992. A Pattern

Recognition Approach for Software Engineering Data

Analysis.

Transactions on Software Engineering, Vol.

8, No. 1, pp. 931-942, IEEE CS Press.

Cantone, G., Donzelli, P., 2000.

Production and

Maintenance of Goal-oriented Measurement Models

.

Intl. Journal of Software Engineering & Knowledge

Engineering, Vol. 10, No. 5, pp. 605-626. World

Scientific Publishing Company.

Charette, R.N., 1989.

Software Engineering Risk Analysis

and Management

, McGraw-Hill.

Chen, Z., Mezies, T., Port, D., Boehm, B. W., 2005.

Feature Subset Selection Can Improve Software Cost

Estimation Accuracy. PROMISE06, Conference on

Predictor Models in Software Engineering. ACM.

CMMI Product Team, 2002. Capability Maturity Model

Integration (CMMI), Version 1.1.

TR-012, pp. 397-

416, CMU/SEI.

Dreyfus G.,

Neural Networks Methodology and

Applications

, Springer, 2005.

Efron B. and Tibshirani R. J..

An Introduction to the

Bootstrap

, volume 57 of Monographs on Statistics and

Applied Probability. Chapman & Hall, 1993.

Fussel, L., Field, S., 2005. The Role of the Risk

Management Database in the Risk Management

Process.

ISCEng05, International Conference on

Systems Engineering

, IEEE CS Press.

Higuera, R.P. , 1996. Software Risk Management.

TR-012,

pp. 1-48, CMU/SEI.

John G., Kohavi R., Pfleger K., 1994.

Irrelevant features

and the subset selection problem

. 11

th

Intl. Conference

on Machine Learning

, pp. 121-129. Morgan

Kaufmann.

Jollife I.T., 1986.

Principal Component Analysis,

Springer.

Jones, C., 2002. Patterns of large software systems: failure

and success.

Computer, N.o 23, pp. 86-87, IEEE CS

Press.

Madachy, R.J., 1997. Heuristic Risk Assessment Using

Cost Factors.

Software, pp. 51-59, IEEE CS Press.

Piattini, M., Genero, M., Jiménez, L., 2001.

A Metric-

Based Approach for Predicting Conceptual Data

Models Maintainability

. Intl. Journal of Software

Engineering and Knowledge Engineering 11(6): 703-

729, World Scientific.

Rumelhart, D.E., Hilton, G.E., Williams, R.J., 1986.

Learning internal representations by error propagation,

Nature, pp. 318-364, Nature Publishing Group.

Karolak, D.W., 1997.

Software Engineering Risk

Management

, IEEE CS Press.

Kontio, J., 1996. The Riskit Method for Software Risk

management, Version 1.00.

TR-3782, UMDCS.

Lanubile, F., Visaggio, G., 1997. Evaluating Predictive

Quality Models Derived from Software Measures:

Lessons Learned. JSS p. 38:225-234,

Journal of

Systems and Software

, Elsevier.

Linberg, K.R., 1999. Software developer perceptions

about software project failure: a case study

. JSS, pp.

177-192,

Journal of Systems and Software, Elsevier.

Procaccino, J. D., Verner, J. M., Lorenzet, S. J., 2006.

Defining and contributing to software development

success.

Commununications of the ACM, No. 49,

ACM.

Roy, G. G., 2004. A Risk management Framework for

Software Engineering Practice.

ASWEC04, Australian

Software Engineering Conference

. IEEE CS Press.

Sarcià A. S., Cantone, G., 2006. Using Artificial Neural

Networks to Improve Risk Management Process.

TR06, ESEG-DISP, Univ. of Roma Tor Vergata.

Srinivasan, K., Fisher, D., 1996. Machine Learning

Approaches to Estimating Development Effort.

Transactions on Software Engineering, IEEE CS

Press.

Standish Group, 1994. CHAOS Report 1994-99.

http://www.standishgroup.com, last access Feb. 2006.

Tversky A., and D. Kahneman, 1974. Judgment under

Uncertainty: Heuristic and Biases, pp. 1124-1131,

Science, AAAS Press.

Verner J.M., Cerpa N., 2005. Australian Software

Development: What Software Project Management

Practices Lead to Success?

ASWEC05, Australian

Software Engineering Conference

. IEEE CS Press.

Wallin, C., Larsson, S., Ekdahl, F., Crnkovic, I., 2002.

Combining Models for Business Decisions and

Software Development. Euromicro02,

Euromicro Intl.

Conf.

, pp. 266-271, IEEE CS Press.

Williams, R.C., Pandelios, G.J., Behrens, S.G., 1999.

Software Risk Evaluation (SRE) Method Description

(Version 2.0).

TR-029, pp. 1-99, CMU/SEI.

A STATISTICAL NEURAL NETWORK FRAMEWORK FOR RISK MANAGEMENT PROCESS - From the Proposal to

its Preliminary Validation for Efficiency

177