Software Engineering Institute | Carnegie Mellon University

CURE Analysis Example

The analysis component of CURE is the least well described in existing documents, largely because the CURE developers have always assumed a formal training program would be in place. However, the following outlines the steps of the analysis process.

  1. The three members of the evaluation team go through the evaluation record in order and agree on the text for each risk factor. As the text is agreed, the equivalent field in the database is edited to match the agreed text. This process, while time-consuming, should not generate much discussion other than on what was heard. If the evaluation team agrees that a risk factor doesn't apply, then it may be deleted from the database.
  2. The database is used to generate the report of conditions and risk factors and a copy is printed for each member of the evaluation team.
  3. The team then reads the report and agrees whether each condition should be considered a risk, a strength, or not applicable to the program. It is usually helpful to capture as much of the discussion as possible, since it is during this phase that some risk mitigations arise.
  4. For each risk, the team must specify the bad consequence, the severity of the risk, the supporting evidence (the risk factors), possible mitigations, and the likely owner of the action to mitigate the risk. For each strength, the team simply lists the strength and supporting evidence.
  5. Develop the outbrief listing all of the above data.

Generally, the analysis process considers some conditions that apply only weakly at best, and these are usually eliminated. Conditions where every risk factor is positive are considered strengths, and the rest of the conditions are considered to be risks.