A Technical History of the SEI
[Alberts 2009]. In 2010, SEI researchers began to apply these new risk principles as part of a research effort into developing a method for assessing risk in the software supply chain. Finally, much of the SEI's current risk management work is focused on software assurance. In 2014, SEI researchers began developing the Security Engineering Risk Analysis (SERA) method, a systematic risk-based method for building security into software-reliant systems rather than deferring security to later lifecycle activities such as operations.
The Consequence: A Disciplined Approach to Identifying and Managing Software Risks
The SEI had a significant impact on the community in terms of risk management, primarily by establishing the foundation of a defined practice and systematic way of identifying and codifying risks. The SEI risk research produced one of the standards for software risk management, enabling program managers in all types of software-intensive programs to do a better job of identifying what could go wrong and mitigating the worst of those risks. In the Cutter Consortium's report, The State of Risk Management 2002, 21 percent of respondents to a survey about risk management techniques said that they use SEI standards for risk management. Only ISO ranked higher, with 36 percent of respondents. [23]
The SEI Contribution
The SEI software risk management effort benefited from broad community input. Working with the Department of Defense, NASA, industry, and cybersecurity experts and managers provided a wealth of useful techniques and lessons learned, as well as the opportunities to improve different approaches to solving the problems associated with risk management. Without these contributions, the resulting methods and approaches of the SEI's work would not be as rich, deep, and broad.
The SEI risk research continues today, examining specific problems associated with today's highly complex, interdependent programs and finding new ways to deal with the emergent issues of tomorrow.
References
[Alberts 2003] Alberts, Christopher & Dorofee, Audrey. Managing Information Security Risks: The OCTAVE Approach. Addison-Wesley Professional, 2003 (ISBN 03211188630).
[Alberts 2008] Alberts, Christopher; Dorofee, Audrey; & Marino, Lisa. Mission Diagnostic Protocol, Version 1.0: A Risk-Based Approach for Assessing the Potential for Success (CMU/SEI-2008-TR-005). Software Engineering Institute, Carnegie Mellon University, 2008. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=8665
[23] Detailed information on this report is available only to registered Cutter users. However, some information is available at http://www.cutter.com/cgi-bin/search/usr/local/etc/httpd/htdocs?filter=&query=hype+or+reality.
CMU/SEI-2016-SR-027 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY 142
Distribution Statement A: Approved for Public Release; Distribution is Unlimited.