Project Management - Mindset Change (2016, April). Palagai, 1, 8-9.
The requirements document has traditionally focused on what the software should do. In project charters and scope control documents, we sometimes also write which features will be out of scope. UML diagrams and use cases discuss how classes should interface and how modules should interoperate, for instance. The agile paradigm discusses persona approaches, drills down into the DEEP properties for describing backlog features, and uses the INVEST principle to elaborate on the characteristics of a user story. Even test cases that focus on negative testing use a requirements traceability matrix, and so test only to a limited degree what a system shouldn't do.
But when a system is hacked or inappropriately accessed, the loopholes rest on deficiencies in how the system was designed, which allowed such loopholes to exist in the first place. So, how do you avoid these vulnerabilities so that a hacker doesn't exploit these "working as designed" gaps?
While volunteering at the Agile 2015 conference, I chose to attend a session on abuser stories by Judy Neher from Celebrity Technical Services. It was a great session introducing the concept of a persona, such as a hacker or a disgruntled employee, who could potentially have a malicious intent to deliberately break the system. The speaker suggested describing user stories that specifically could break the system or expose the system to mal-intent. In an activity, the participants gave examples for a simple user authentication, such as a stringent password recycle policy, the use of a double password and picture identification, the use of external devices such as phone, email, or mobile texting to deliver tokens that must be validated within a short timeframe before the account is locked, the creation of maintenance alerts for incorrect and frequent access to multiple accounts, the enforcement of HR exit policies on employment dates before role-based access can be authenticated, the validation of human versus robot logins by tracking the speed of password entry, etc. Imagine having such stories to bulletproof the system against malicious attacks on standard user stories, and having automation capabilities to constantly check for these loopholes.
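To show what "automation capabilities to constantly check for these loopholes" can look like, here is an added example that is not from the article or the session it describes: three of the workshop's abuser stories (password guessing, a login after the HR exit date, and a replayed one-time token) expressed as checks against a small authentication policy. The policy values, account names, dates and the function names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

MAX_FAILURES = 5                      # failed attempts tolerated inside FAILURE_WINDOW (constructed value)
FAILURE_WINDOW = timedelta(minutes=15)
TOKEN_TTL = timedelta(minutes=5)      # a phone/email/text token must be used within this time (constructed)

@dataclass
class Account:
    username: str
    exit_date: date = None            # from HR exit records; None means still employed
    failures: list = field(default_factory=list)   # timestamps of recent failed logins
    locked: bool = False
    alerts: list = field(default_factory=list)     # what the maintenance team should see

def login(acct, password_ok, token_ok, token_issued_at, now):
    """Return 'ok' or 'denied:<reason>'; each denial branch answers one abuser story."""
    if acct.exit_date is not None and now.date() >= acct.exit_date:
        return "denied:exited"        # HR exit policy enforced before role-based access is checked
    if acct.locked:
        return "denied:locked"
    acct.failures = [t for t in acct.failures if now - t <= FAILURE_WINDOW]
    if not password_ok:
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked = True
            acct.alerts.append(f"{acct.username}: locked after {MAX_FAILURES} failures")
        return "denied:password"
    if not token_ok or now - token_issued_at > TOKEN_TTL:
        return "denied:token"         # stale or wrong second factor
    return "ok"

def abuser_story_brute_force():
    """'As an attacker, I keep guessing passwords until one works.'"""
    acct = Account("alice")
    t0 = datetime(2016, 4, 1, 9, 0)
    for i in range(MAX_FAILURES):
        login(acct, False, True, t0, t0 + timedelta(seconds=i))
    return login(acct, True, True, t0, t0 + timedelta(seconds=MAX_FAILURES))

def abuser_story_ex_employee():
    """'As a disgruntled ex-employee, I log in with credentials nobody revoked.'"""
    acct = Account("bob", exit_date=date(2016, 3, 31))
    now = datetime(2016, 4, 1, 9, 0)
    return login(acct, True, True, now, now)

def abuser_story_stale_token():
    """'As someone who found an old text message, I replay the token in it.'"""
    issued = datetime(2016, 4, 1, 9, 0)
    return login(Account("carol"), True, True, issued, issued + timedelta(minutes=6))
```

Each story function is the kind of check that can run on every build so the loophole stays closed as the standard user stories evolve.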
I am sure some would say that this adds time to the scheduled release or limits the stories that can be written per iteration/sprint. Of course, just as non-functional stories add some time, abuser stories will add time too. How much effort to invest hinges on the type of regulations in the industry, the technical platforms used, time-to-market considerations, etc. However, the question shouldn't be whether to do them but when to do them. If we fail to do them, we are increasing the technical debt. A couple of alternatives are to dedicate a sprint, or a portion of every sprint, to addressing these abuser stories.
I really think this is an important component of combined technical and product ownership: it ensures we see the personas of other types of users and view the system from their perspective. Just as good project managers turn assumptions into risks and control quality, the technical and product owners should be accountable for products that preclude vulnerabilities by design. Abuser stories are a great start. Don't you think so? Share your thoughts.
Flying over India, returning from Mumbai to Chennai, I was browsing the Jet Airways magazine. Usually filled with travel recommendations and shopping suggestions, these in-flight magazines have only ever been a browsing pleasure. But this magazine had a piece on achieving more with less, which piqued my interest to explore.
It was an interesting read, as the article began by arguing that time management shouldn't really be the focus of smart managers. Instead, the article focused on attention management. Depending on the time of day, people can handle difficult tasks that require deep thinking, strategy, etc. when their attention to detail is at its peak. Then, as their energy winds down, their attention takes a deep dive; this time should be used for tasks that require less critical thinking. Between these extremes is the reactive, attention-seeking time zone that should be used for other tasks requiring a balance of the two.
I agree that it is a good idea and that tasks require different levels of thinking. For instance, planning the project, evaluating strategies to grow an account, or grooming the product backlog with new features based on the market and on reactions from customers and users requires thinking that is different from task or resource management.
However, the article said the urgency of a task shouldn't be a criterion for attention management. This begs some thinking: depending on the role of the individual manager, an urgent task, such as an aggrieved customer on the phone, an infrastructure deficiency that triggers business continuity management, or delayed or poor-quality work that impacts the deployment readiness of a project, is not something that can be ignored.
The earlier approach of using Scrumban to think a couple of steps ahead and plan can be combined with attention management to better compartmentalize the task at hand against its energy/attention requirements, and so better manage productivity.