RISCOSS: Risks and Costs in Open Source Software Adoption

Angelo Susi
Fondazione Bruno Kessler (FBK) - Italy
Topics recommended for the 2016-2017 Work Programme: 

The following are three relevant topics for the WP2016-2017. They emerged in recent years from the work on risk analysis in OSS ecosystems, where communities, companies and public administrations coexist and exchange values, knowledge and the possibility to share and collaboratively identify and treat risks.

  1. Risk analysis in the context of the cloud, in particular for the activities of data management, use of services and their inclusion in other services.
  2. Identification and analysis of privacy issues in the cloud, especially in the context of public administration, where the trade-off between complete interoperability of public services and the need to assure the privacy of citizens is becoming more and more crucial.
  3. New risk analysis and treatment techniques that can be used in the distributed and collaborative environments that are emerging thanks to the cloud.

Project's major results:

RISCOSS develops a risk management methodology to facilitate the adoption of open source code into mainstream products and services [1]. The methodology is supported by a software platform that integrates the whole decision-making chain. The project has delivered a number of methods and techniques, as described for example in [2][3]. We focused on developing the methodology based on the modelling and analysis of OSS-based ecosystems, and on statistical and logic-based assessment and measurement techniques for the management of risk, adapted to the specifics of open source software. These techniques also include ontologies for OSS ecosystems and risks, patterns for modelling OSS ecosystems according to the business strategies adopted, and risk-reasoning techniques based on risk models and goal-oriented models. Finally, they have been integrated into the prototype of the platform, which will be used to evaluate the proposed methods in contexts such as companies, OSS communities and the public sector.

Potential exploitation strategy: 

The increasing adoption of OSS components calls for decision-support practices, platforms or on-line services that help users understand the kind of risk underlying their choice. All use-case partners (TEI, KPA, XWiki, Moodbile, Cenatic and OW2) have plans to incorporate RISCOSS into the conduct of their businesses. For example, TEI intends to introduce the platform into its software development process. Cenatic will test RISCOSS in enabling the dissemination of open source solutions in the public sector. The XWiki and Moodbile.org open source projects will leverage RISCOSS to enhance the consistency of their user- and community-driven feature roadmaps, and put the focus on reliability, stability and support for backward compatibility. OW2 will leverage RISCOSS to complement its SQuAT (Software Quality Assurance and Trustworthiness) quality program. Moreover, RISCOSS is in the phase of disseminating the product into some OSS communities for the validation of the platform and for the identification of exploitation opportunities.

An update since the last Concertation meeting (March 2014): 

The project is in contact with the OSSmeter project, which is developing data gathering and analysis tools for OSS communities and projects. This is important for RISCOSS since these data can be the basis of the risk management approach proposed by our project. The objective here is to deepen the interaction while the two projects evaluate their prototypes. On the research side, several new publications have been accepted since the last meeting; some of them are listed in the reference section (for an exhaustive list you can visit the RISCOSS website http://www.riscoss.eu). These publications mainly concern the description of the methodology and of the techniques we propose for the problem of risk modeling and analysis via statistical and logic-based methods. In parallel, the first prototype of the platform, integrating some of the risk analysis techniques, has been released and is ready to be evaluated in the coming months.