RISCOSS - Managing Risk and Costs in Open Source Software Adoption
The RISCOSS project aims to propose a tool-supported methodology for evaluating the risks and costs inherent in the adoption of Open Source Software (OSS) by companies of different sizes, public administrations and OSS communities.
The central problem in this context is identifying and assessing the exposure to, and the impact of, these risks on the business goals of the adopting organization. Two exemplary risks are licensing risks and maintenance risks.
Licensing risk is one of the most critical. It concerns whether the licenses of the set of OSS components an organization adopts allow it to release its product under an OSS license that does not negatively affect its business objectives. An incompatible combination of component licenses may, for example, limit how the product can be sold.
Maintenance risks, on the other hand, refer to the difficulties an organization may face in getting support from OSS communities for maintaining the OSS components used in a given product. In particular, they cover the organizational costs of maintaining and evolving an OSS component included in the product, and the possible divergence between the organization's internal version of that component and the community's ongoing work upstream.
The main benefit of RISCOSS for an organization adopting OSS is increased awareness of the risks involved in doing so. RISCOSS identifies two dimensions of OSS-related risk. On the one hand, technical risks arise directly from the adoption of OSS and therefore affect the way an organization produces software. On the other hand, business and strategic risks relate to the overall business dimensions of the organization. Considering both dimensions should allow organizations to decide more effectively how to avoid or mitigate risks at the different levels of the organization.
For licensing risk, RISCOSS proposes licensing models that let users evaluate the organization's exposure to this risk and its possible impact on the organization's goals and assets. This allows the organization to decide whether a particular set of components is compliant or, as a mitigation strategy, whether it should be replaced with other components that provide the same functionality. For maintenance risk, RISCOSS likewise evaluates the organization's exposure and the potential impact, so that mitigation activities can be planned in case maintenance problems arise from an adopted OSS component.