
Xcalscan User Manual (Release 2.0.0)

Define Project Risks

13.0 How to Define Project Risks?

latest update: 2021-06-17

Defining overall project risks is complex. It is based on vulnerability types, compliance standards and business needs. Different industries and different organizations have vastly different requirements at a business level.

According to the CERT standard developed by Carnegie Mellon University’s Software Engineering Institute, every risk contains 3 critical elements. These are:

  a) Severity of the consequence,
  b) Probability of the risk and
  c) Cost of repair.

Luckily, CERT has already provided a corresponding value for every defect to define its risk level. We refer to the CERT standard when assigning the risk-level value of a defect discovered by Xcalibyte.

According to “Code Complete”, the classic book by Steve McConnell, every 1000 lines of code committed by a programmer typically contains 15-50 defects. We take 15 defects per 1000 lines of code as the average risk level (i.e. low risk) for a project.

Based on this value, we define the project risk level as follows:

Project Risk Value (R) = (Severity * Probability) * Number of Defects * Lines of Code / 1000

The defects are displayed by risk level: high, medium or low. For each category, Xcalscan shows the number of defects and the percentage of the whole project identified at that risk level, according to the following tables.

Value of R          | Project Risk Level | Explanation
--------------------|--------------------|------------------------------------------------------------------------------------------------
R <= 45.00          | Low                | 15 defects found in every 1000 lines of code. It is defined as low risk.
45.01 <= R <= 90.00 | Medium             | The project risk is medium if no more than 90 defects in 1000 lines of source code are found.
R > 90.00           | High               | The risk level is high if the number of defects found is twice the average level.

Probability of a defect:

Value | Probability     | CERT Defined Level | Explanation
------|-----------------|--------------------|-------------------
1     | 100%            | 3                  | High Probability
0.5   | Higher than 50% | 2                  | Medium Probability
0.01  | Higher than 1%  | 1                  | No Probability

The severity of the consequence caused by a defect:

Value | Severity        | Value of Severity defined in CERT | Explanation
------|-----------------|-----------------------------------|------------
3     | Very Severe     | 3                                 | High
2     | Medium Severity | 2                                 | Medium
1     | Regular         | 1                                 | Low

If R <= 45, the overall project risk is determined to be low. If R is more than 45 but less than 90, it is determined to be medium. If R is more than 90, it is determined to be high.

13.2 The Calculation of Complexity

The complexity of an issue group correlates with the number of paths in the issue group, the number of nodes, function calls and programming languages in the paths, and the nature of the issue group.

It is computed as follows:

Complexity = B * MAX(mp(path1), …, mp(pathn))

where

B = the number of paths in the issue group

mp = the complexity of a path in the issue group

and mp is defined as

mp(path) = BV * (N + C + 2 * CL)

where

N = the number of nodes in the path

C = the number of calls in the path, excluding inline functions without control flow

CL = the number of calls in the path that involve two programming languages

BV = the nature of the bug
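As an added worked example that is not part of the manual or of Xcalscan itself, the following Python reproduces the project risk value R and its Low/Medium/High thresholds (section 13.0) together with the issue-group complexity (section 13.2) exactly as defined above. The probability and severity weights come from the manual's tables; the sample project figures and paths are constructed.

```python
# Added worked example (not Xcalscan's own code): reproduces the project risk
# value R and the issue-group complexity exactly as the manual defines them.
# Weights come from the manual's tables; sample figures are constructed.
from dataclasses import dataclass

# Probability and severity weights from the manual's tables, keyed by the
# CERT-defined level (3 = high, 2 = medium, 1 = low).
PROBABILITY = {3: 1.0, 2: 0.5, 1: 0.01}
SEVERITY = {3: 3, 2: 2, 1: 1}

def project_risk_value(cert_severity, cert_probability, defects, lines_of_code):
    """R = (Severity * Probability) * Number of defects * Lines of code / 1000."""
    weight = SEVERITY[cert_severity] * PROBABILITY[cert_probability]
    return weight * defects * lines_of_code / 1000

def project_risk_level(r):
    """Map R onto the manual's thresholds: R <= 45 low, R <= 90 medium, else high."""
    if r <= 45.00:
        return "Low"
    if r <= 90.00:
        return "Medium"
    return "High"

@dataclass
class Path:
    nodes: int             # N: nodes in the path
    calls: int             # C: calls, excluding inline functions without control flow
    cross_lang_calls: int  # CL: calls that involve two programming languages

def path_complexity(path, bug_value):
    """mp(path) = BV * (N + C + 2*CL)."""
    return bug_value * (path.nodes + path.calls + 2 * path.cross_lang_calls)

def issue_group_complexity(paths, bug_value):
    """Complexity = B * MAX(mp(path1), ..., mp(pathn)), with B = number of paths."""
    if not paths:
        return 0
    return len(paths) * max(path_complexity(p, bug_value) for p in paths)

if __name__ == "__main__":
    # Constructed sample: 15 high-severity, certain defects in 1000 lines of
    # code lands exactly on the manual's 45.00 boundary, hence "Low".
    r = project_risk_value(3, 3, 15, 1000)
    print(r, project_risk_level(r))                          # 45.0 Low
    group = [Path(nodes=5, calls=2, cross_lang_calls=0), Path(3, 1, 1)]
    print(issue_group_complexity(group, bug_value=2))        # 28
```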