The Human Factor in Software Engineering

CreaRE 2017: Sixth International Workshop on Creativity in Requirements Engineering

The most important event in February for me was the REFSQ conference which I have attended each year since 2005 and usually, I have been also a co-organizer. This year, my contribution was the organization of the CreaRE workshop for the 6th time. It took place on Monday 27th February in Essen. The agenda included three presentations and one interactive session.

• Luisa Mich, Victoria Sakhnini and Daniel Berry: Downsizing EPMcreate to Lighter Creativity Techniques for Requirements Elicitation. EPMCreate is a creativity technique for systematically eliciting requirements by changing the analyst's perspective. The method includes 16 steps in its original form. To execute them takes its time. Therefore, this presentation discussed (1) the question how to develop one-step, two-step etc. methods based on these 16 steps and (2) which of these reduced methods correspond to existing creativity techniques. Finally, the steps must be combined in a way to cover all perspectives.
• Eduard C. Groen, Matthias Koch and Andreas Maier: Vicus – A Persona for Towns: The authors work on eliciting requirements for the domain of Smart Towns. Here, the conditions differ from those in other IT projects. Neither individual stakeholders nor groups are to be considered, but whole towns or villages as a community. Therefore, the authors use personas for characterizing a town. For doing so, they use an adapted persona template.
• Nils Kubischok: Imagining the future: A social science approach to the importance of visions in the software development process. The social sciences know the strong effect of visions on expectations and actions. In Requirements Engineering, this effect so far is only vaguely discussed. This state-of-the-art article provides an overview on visions in Requirements Engineering and gives a justification of the importance of visions in RE.
• Kristian Beckers, Veronika Fries, Eduard C. Groen and Sebastian Pape: Creativity Techniques for Social Engineering Threat Elicitation: A Controlled Experiment (interactive session): For this experiment, three groups were formed. Each group followed the objective to identify social engineering threats which could be dangerous for the conference. Two groups played card games, the serious game; the other group used brainstorming to gather lists of victims, assets, channels, psychological principles, attacks, and attackers and combined them using the technique Morphological Forced Connections to form specific attack scenarios.

I participated in the second group. As for each category, we found about 10 results, I calculated that theoretically, we could form up to one million scenarios based on these. This created a bit a frustrating feeling: "What to start with?" Finally, however, I think that we found basically every relevant threat.

The card-game groups enjoyed the fun of playing and of being mean. They found the cards helpful, especially as non-experts who had not thought about social engineering before. The cards helped them to get a clear idea about the topic.

The three groups' results will be compared to each other scientifically. I am looking forwards to learn about the findings!

The presentation slides can be downloaded from the workshop website at the menu point "Workshop Program" and the workshop proceedings are online here.
There, you also find the other workshops' proceedings.

Best of Software Quality Days SQD
The SQD took place on January 17 to 20 in Vienna. At this rather practice oriented conference, Best Practices and experiences are exchanged. I myself organized a workshop about ethical decisions in software engineering on 20th January.

I liked these two presentations most because they provided really new and useful insights:

• The two presentations of Jürgen and Pagano about Test Gap Analysis:
  "Haben wir das Richtige getestet? Erfahrungen mit Test-Gap-Analyse im Hotfix-Test, Iterationstest und Releasetest in der Praxis" and "Oh nein, morgen ist Release! - Test-Gap-Analyse live am Beispiel".
  Test Gap Analysis is the visualization of two different aspects of the same software as a tree map: The information, which code lines have been modified, and which code lines have been executed during testing. Especially critical are those code lines which have been modified but not tested. Like this, testing need becomes evident. This visualization is generated by the tool TeamScale which still is in its pilot phase and can still be tested for free. The slides of the first presentation including tool screenshots are provided by the authors here.
• And another presentation of Sneed about the COBOL Java migration: Harry M. Sneed, Chris Verhoef: Validating converted Java Code via Symbolic Execution.
  How do you find out that the Java code behaves exactly like the COBOL code? In the ideal case, it has been restructured during migration. In my lecture, I teach that it is impossible to compare two computer programs whether they do the same. The theoretical informatics can prove this. Sneed nevertheless managed to solve the problem: He compares the control flows and data flows of bothe programs by symbolic execution.

Best of REFSQ Requirements Engineering: Foundation for Software Quality
Essen, Germany, Feb 27 to March 2
Here, I summarize three days of conference with parallel sessions plus one workshop day. Doing so, I focus on what is useful seen from a practical perspective. At a scientific conference, we also see preliminary results, research previews, ideas and position papers.
In Requirements Engineering, there seems to be a trend towards automatization. This does not contradict my vision of a creative Requirements Engineering, as there are still enough uncreative activities in this area. Each boring routine work calls for automatization to keep our head free for new ideas and the overview.

A good part of the automatization refers to the identification and analysis of natural language requirements. As this chaotic type of requirements specifications still prevails in practice, we try to cope with this as well as possible:

• Prof. Lionel C. Briand in his keynote presentation "Analyzing Natural-Language Requirements: The Not-Too-Sexy and Yet Curiously Difficult Research that Industry Needs" gave an overview on the automated analysis of text in general and of requirements specifically. The objective of this text analysis can be translation, quality assurance, but also the Impact Analysis, i.e. to identify which other text must be modified, too, when one requirement is changed. Further information about the tool RETA (for the template compliance check) you find here. The tool Narcia does Change Impact analyses.
• Martin Wilmink, Christoph Bockisch: On the Ability of Lightweight Checks to Detect Ambiguity in Requirements Documentation. pp. 327-343. Natural language requirements suffer from ambiguity, compared to graphical models. These authors have developed a tool named tactile check which automatically identifies ambiguities in requirements. Further informationen about you find at github.
• Garm Lucassen, Fabiano Dalpiaz, Jan Martijn E.M. van der Werf, and Sjaak Brinkkemper:
  Improving User Story Practice with the Grimm Method: A Multiple Case Study in the Software Industry. pp. 235-252. Here, the automated quality assurance of user stories is supported by the computer linguistic tool Automatic Quality User Story Artisan (AQUSA). The combination of AQUSA with the Quality User Story (QUS) Framework is called the Grimm Method. The method was tested by 30 practitioners in three companies for two months. The quality of the user stories improved quantitatively, but the participants did not perceive this improvement as important.
• Paul Hübner, Barbara Paech: Using Interaction Data for Continuous Creation of Trace Links Between Source Code and Requirements in Issue Tracking Systems. pp. 291-307. These researchers care for the stepchild traceability. As traceability in practice manually is usually managed only carelessly, the automated identification of traceability links promises practical help. In a case study, such links were found and created automatically in an Issue Tracker System (ITS).
• Carles Farré, Xavier Franch, and Tudor Ionescu: State of the Practice on Software Release Planning. This research presented at the PrioRE workshop analyses the capabilities of release planning tools and checks how far artificial intelligence algorithms are applied there already. Their previous literature study had shown that out of many promising research approaches, only one had made the jump to a commercial tool. Now, they investigated vice versa what can be found in real-world tools. Their results you find online here.
• Norbert Seyff, Melanie Stade, Farnaz Fotrousi, Martin Glinz, Emitza Guzman, Martina Kolpondinos-Huber, Denisse Munante Arzapalo, Marc Oriol, Ronnie Schaniel: End-user Driven Feedback Prioritization. This contribution at the PrioRE workshop treats the question how enduser feedback can be analysed and prioritized automatically without a person reading all the text. The authors not yet can present a ready-for-use solution, but they present a list of solution ideas. You find the article online here.

Further concrete results were presented by the following empirical studies:

• Irum Inayat, Sabrina Marczak, Siti Salwah Salim, and Daniela Damian: Patterns of Collaboration Driven by Requirements in Agile Software Development Teams -
  Findings from a Multiple Case Study. pp. 131-147. In several case studies the communication patterns of distributed agile teams were investigated. The most amazing result was that distance does not seem to have an influence. Previous studies rather showed that each staircase already impairs the communication frequency and quality. However, I can well imagine that here two factors lead to better distance communication: Firstly, in agile teams the communication is both emphasized and structured, and secondly, today it is normal for us to collaborate and be friends with persons who are far away.
• Katsiaryna Labunets, Fabio Massacci, and Federica Paci: On the Equivalence Between
  Graphical and Tabular Representations for Security Risk Assessment. pp. 191-208. In two experiments, two alternative notations for security risk assessments have been compared with each other: graphical notations and tables. Both showed the same efficacity.