The Human Factor in Software Engineering

CreaRE 2017: Sixth International Workshop on Creativity in Requirements Engineering

The most important event in February for me was the REFSQ conference which I have attended each year since 2005 and usually, I have been also a co-organizer. This year, my contribution was the organization of the CreaRE workshop for the 6th time. It took place on Monday 27th February in Essen. The agenda included three presentations and one interactive session.

• Luisa Mich, Victoria Sakhnini and Daniel Berry: Downsizing EPMcreate to Lighter Creativity Techniques for Requirements Elicitation. EPMCreate is a creativity technique for systematically eliciting requirements by changing the analyst's perspective. The method includes 16 steps in its original form. To execute them takes its time. Therefore, this presentation discussed (1) the question how to develop one-step, two-step etc. methods based on these 16 steps and (2) which of these reduced methods correspond to existing creativity techniques. Finally, the steps must be combined in a way to cover all perspectives.
• Eduard C. Groen, Matthias Koch and Andreas Maier: Vicus – A Persona for Towns: The authors work on eliciting requirements for the domain of Smart Towns. Here, the conditions differ from those in other IT projects. Neither individual stakeholders nor groups are to be considered, but whole towns or villages as a community. Therefore, the authors use personas for characterizing a town. For doing so, they use an adapted persona template.
• Nils Kubischok: Imagining the future: A social science approach to the importance of visions in the software development process. The social sciences know the strong effect of visions on expectations and actions. In Requirements Engineering, this effect so far is only vaguely discussed. This state-of-the-art article provides an overview on visions in Requirements Engineering and gives a justification of the importance of visions in RE.
• Kristian Beckers, Veronika Fries, Eduard C. Groen and Sebastian Pape: Creativity Techniques for Social Engineering Threat Elicitation: A Controlled Experiment (interactive session): For this experiment, three groups were formed. Each group followed the objective to identify social engineering threats which could be dangerous for the conference. Two groups played card games, the serious game; the other group used brainstorming to gather lists of victims, assets, channels, psychological principles, attacks, and attackers and combined them using the technique Morphological Forced Connections to form specific attack scenarios.

I participated in the second group. As for each category, we found about 10 results, I calculated that theoretically, we could form up to one million scenarios based on these. This created a bit a frustrating feeling: "What to start with?" Finally, however, I think that we found basically every relevant threat.

The card-game groups enjoyed the fun of playing and of being mean. They found the cards helpful, especially as non-experts who had not thought about social engineering before. The cards helped them to get a clear idea about the topic.

The three groups' results will be compared to each other scientifically. I am looking forwards to learn about the findings!

The presentation slides can be downloaded from the workshop website at the menu point "Workshop Program" and the workshop proceedings are online here.
There, you also find the other workshops' proceedings.

Best of Software Quality Days SQD
The SQD took place on January 17 to 20 in Vienna. At this rather practice oriented conference, Best Practices and experiences are exchanged. I myself organized a workshop about ethical decisions in software engineering on 20th January.

I liked these two presentations most because they provided really new and useful insights:

• The two presentations of Jürgen and Pagano about Test Gap Analysis:
  "Haben wir das Richtige getestet? Erfahrungen mit Test-Gap-Analyse im Hotfix-Test, Iterationstest und Releasetest in der Praxis" and "Oh nein, morgen ist Release! - Test-Gap-Analyse live am Beispiel".
  Test Gap Analysis is the visualization of two different aspects of the same software as a tree map: The information, which code lines have been modified, and which code lines have been executed during testing. Especially critical are those code lines which have been modified but not tested. Like this, testing need becomes evident. This visualization is generated by the tool TeamScale which still is in its pilot phase and can still be tested for free. The slides of the first presentation including tool screenshots are provided by the authors here.
• And another presentation of Sneed about the COBOL Java migration: Harry M. Sneed, Chris Verhoef: Validating converted Java Code via Symbolic Execution.
  How do you find out that the Java code behaves exactly like the COBOL code? In the ideal case, it has been restructured during migration. In my lecture, I teach that it is impossible to compare two computer programs whether they do the same. The theoretical informatics can prove this. Sneed nevertheless managed to solve the problem: He compares the control flows and data flows of bothe programs by symbolic execution.

Best of REFSQ Requirements Engineering: Foundation for Software Quality
Essen, Germany, Feb 27 to March 2
Here, I summarize three days of conference with parallel sessions plus one workshop day. Doing so, I focus on what is useful seen from a practical perspective. At a scientific conference, we also see preliminary results, research previews, ideas and position papers.
In Requirements Engineering, there seems to be a trend towards automatization. This does not contradict my vision of a creative Requirements Engineering, as there are still enough uncreative activities in this area. Each boring routine work calls for automatization to keep our head free for new ideas and the overview.

A good part of the automatization refers to the identification and analysis of natural language requirements. As this chaotic type of requirements specifications still prevails in practice, we try to cope with this as well as possible:

• Prof. Lionel C. Briand in his keynote presentation "Analyzing Natural-Language Requirements: The Not-Too-Sexy and Yet Curiously Difficult Research that Industry Needs" gave an overview on the automated analysis of text in general and of requirements specifically. The objective of this text analysis can be translation, quality assurance, but also the Impact Analysis, i.e. to identify which other text must be modified, too, when one requirement is changed. Further information about the tool RETA (for the template compliance check) you find here. The tool Narcia does Change Impact analyses.
• Martin Wilmink, Christoph Bockisch: On the Ability of Lightweight Checks to Detect Ambiguity in Requirements Documentation. pp. 327-343. Natural language requirements suffer from ambiguity, compared to graphical models. These authors have developed a tool named tactile check which automatically identifies ambiguities in requirements. Further informationen about you find at github.
• Garm Lucassen, Fabiano Dalpiaz, Jan Martijn E.M. van der Werf, and Sjaak Brinkkemper:
  Improving User Story Practice with the Grimm Method: A Multiple Case Study in the Software Industry. pp. 235-252. Here, the automated quality assurance of user stories is supported by the computer linguistic tool Automatic Quality User Story Artisan (AQUSA). The combination of AQUSA with the Quality User Story (QUS) Framework is called the Grimm Method. The method was tested by 30 practitioners in three companies for two months. The quality of the user stories improved quantitatively, but the participants did not perceive this improvement as important.
• Paul Hübner, Barbara Paech: Using Interaction Data for Continuous Creation of Trace Links Between Source Code and Requirements in Issue Tracking Systems. pp. 291-307. These researchers care for the stepchild traceability. As traceability in practice manually is usually managed only carelessly, the automated identification of traceability links promises practical help. In a case study, such links were found and created automatically in an Issue Tracker System (ITS).
• Carles Farré, Xavier Franch, and Tudor Ionescu: State of the Practice on Software Release Planning. This research presented at the PrioRE workshop analyses the capabilities of release planning tools and checks how far artificial intelligence algorithms are applied there already. Their previous literature study had shown that out of many promising research approaches, only one had made the jump to a commercial tool. Now, they investigated vice versa what can be found in real-world tools. Their results you find online here.
• Norbert Seyff, Melanie Stade, Farnaz Fotrousi, Martin Glinz, Emitza Guzman, Martina Kolpondinos-Huber, Denisse Munante Arzapalo, Marc Oriol, Ronnie Schaniel: End-user Driven Feedback Prioritization. This contribution at the PrioRE workshop treats the question how enduser feedback can be analysed and prioritized automatically without a person reading all the text. The authors not yet can present a ready-for-use solution, but they present a list of solution ideas. You find the article online here.

Further concrete results were presented by the following empirical studies:

• Irum Inayat, Sabrina Marczak, Siti Salwah Salim, and Daniela Damian: Patterns of Collaboration Driven by Requirements in Agile Software Development Teams -
  Findings from a Multiple Case Study. pp. 131-147. In several case studies the communication patterns of distributed agile teams were investigated. The most amazing result was that distance does not seem to have an influence. Previous studies rather showed that each staircase already impairs the communication frequency and quality. However, I can well imagine that here two factors lead to better distance communication: Firstly, in agile teams the communication is both emphasized and structured, and secondly, today it is normal for us to collaborate and be friends with persons who are far away.
• Katsiaryna Labunets, Fabio Massacci, and Federica Paci: On the Equivalence Between
  Graphical and Tabular Representations for Security Risk Assessment. pp. 191-208. In two experiments, two alternative notations for security risk assessments have been compared with each other: graphical notations and tables. Both showed the same efficacity.

The Sixth International Workshop on Creativity in Requirements Engineering CreaRE 2017 takes place on 27 February in Essen, at the REFSQ Conference. The workshop's topic is the role of creativity in Requirements Engineering. We are still planning the agenda. It will be a combination of presentations, discussions and interactive sessions.

It is really amazing how bad requirements engineering can make customers´ lifes more difficult...
I am expecting a parcel, and it was sent to the package station next to my home. However, it seems
that the station is full. Instead, it was forwarded to another place, to a shop. I was informed by email about that and what they send me is street name, house number and town name. (The town is large, however.) They recommend me to visit their webpage to find out where the shop is and when it is open. So, I click on the link. It was quite difficult to find out how I can find shops on this page at all, because I can get all other information about everything there. It is a link to the general search page. However, what sends me back to a public search machine is that the information which the email contains is not sufficient to find the shop on the company´s web page. I need the zip code. This town has several zip codes and definitively more than one "Bahnhofstraße" (railway street). Has anyone written a use case for this scenario? Has anyone tested it? If they had, they might have thought about the information which the email needs to contain in order to allow me to find out where I can find my parcel. On the other hand, I have a lot of time to find out, because I can not get it before Monday at 11...

When I was 14, I was a freak because I sometimes spent some hours in front of a computer screen writing computer programs, designing stationary and writing letters. Today, this is normal work.

When I was 25, I was a freak because I met new people online in chat rooms and also met them at chatter parties. We had fun, but we were freaks.

Nowadays, people stare at a computer screen day and night, first thing in the morning, last thing before they sleep. While they walk or eat or talk, they are reading or typing. They tell strangers their sexual preferences or publish family videos. But it is not considered to be freaky. Now, it is freaky to be away from computer and internet for a few hours.

And people not even realize how they changed so completely.

The Implicit Social Attitude tests can measure your attitudes, not based on your self-judgement, which usually is strongly biased. Instead, the test principle is based on measuring how fast you answer to questions. When you are biased, you can answer some questions faster than others. Here, you find the test about gender bias. Further such tests are available here.

Currently, I am doing research about the history of software development process models and while going through the archives, I found this very beautiful analogy about software engineering:

"The third reason that we keep seeing missed schedules was pointed out to me by the editor of one of our best computing journals, who says he has concluded that producing large computer programs is like raising a family. You ean observe your neighbors and see all of the successes and failures in their children. You can reflect on the experiences you had as one member of a large family. You can observe all the proper maxims of life and society. You can even study at length the experiences of many others who have raised families. In the final analysis, however, you have to start out and do it on your own, learn the unique options you have, see what unexpected problems arise, and, with reasonable luck, perform about as well as those who have been doing it forever."

source: H.D. Benington: Production of Large Computer Programs. Proc. ONR Symp. Advanced Programming Methods for DigitalComputers, June 1956, pp. 15-27.

So, software engineering must be learned by doing!

When reading technical literature and information about new technological products and software, I more and more have the impression that all usefull applications have already been developed. For my daily life and work, I do not need additional software and not even additional functionality for my current software. The only improvements that make sense are better quality, security and privacy. For some applications, I would even vote to deleting some functionality in order to improve quality.

In the production domain, more automatization leads to better efficiency, but one day we reach the point where everything that can be automatized already is.

Then, we could relax, but something is driving is to innovation and growth. Financial need or psychological disease??

As a generalist, I have been working in different domains and jobs so far, and I am again and again shocked about how chaotic software is developed. Software development, that is so expensive and success-critical, is developed somehow ad hoc. Often, this is because the programmers are either asocial divas who do not accept any orders from others (that´s what they call the requirements), or autists who can not integrate in a team or egocentrics who do not want to integrate into a team because then their own merits are not well visible. And the good programmers know they can decide how they work because they are indispensable. In other domains, where people are more easily replaced, the pressure to keep to standards and deadlines is much higher.

When I was young, I believed the prejudice that work flows and creativity contradict each other. Standards kill creativity etc etc. But this is not true. Working systematically is a well-known strategy used by successful, productive bestseller authors. Literature magazines, bus timetables, each publication of a club or political party is written with more care than some critical software. And a lot of work is for the dustbin because requirements were not defined in advance or the requirements were wrong. Standards help us to get the real and complete requirements early-on and to be productive and reliable. Currently, I am participating at a work flow of the EU for assessing research project proposals. It is organized like a production chain, but it is OK. I know exactly what to do when, and I know that my results will be used, nothing is for the dustbin. Although the form of the work is like a work chain, the content is highly intellectual, and this is no contradiction.

My own office and work is well-organized (time management!) and it is good to know at any time and any place what the most important work to be done is right now and here. This helps me to concentrate on the content, not on the organization. When you work in chaos, you are always searching for something, you make sub-optimal decisions and most of your work will not lead to a useful result. It might be painful at first to keep to rules and work flows, but it soon becomes a routine.

No, I have not disappeared, I just was elsewhere. I had a crazy winter, travelling around Europe like an opera star. :-)

Recently, I wrote a guest blog article for the Microtool blog with the title: "Inspection as the Path to Good Specifications". If you like, you can join our discussion there about sense and nonsense of requirements inspections.