Open Source Software (OSS) is a strategic asset for organisations thanks to its short time-to-market, the opportunity for a reduced development effort and total cost of ownership, and its customization capabilities. OSS-based solutions include projects that are developed and co-evolve within the same organisation, OSS communities, companies, and regulatory bodies, forming an articulated strategic business ecosystem. The adoption of OSS in commercial projects leads to numerous challenges in the wide spectrum of available OSS solutions and risks emerging from the intrinsic structure of an OSS project. In this position paper we devise the use of i* models for understanding the strategic perspective of OSS ecosystems, representing actors, intentional dependencies and responsibilities. We argue that these models can play a crucial role in the analysis of organisational risks inherent to OSS component adoption and in the definition of risk mitigation activities.
Using i* to Represent OSS Ecosystems for Risk Assessment
1. Using i* to Represent OSS Ecosystems for Risk Assessment
2. i* for Risk Assess. in OSS Ecosystems
Content
• Motivation
• Research Objectives
• Scientific Contributions
• Conclusions, Ongoing & Future Work
3. i* for Risk Assess. in OSS Ecosystems
MOTIVATIONS
4. i* for Risk Assess. in OSS Ecosystems
Motivation
• OSS Strategic asset
Short time-to-market
Reduced development & maintenance cost
…
• OSS Integration involves risks
RISCOSS will provide some risk management strategies for risk identification & mitigation
• OSS Project composed of multiple “Actors”
RISCOSS wants to explore the Strategic Rationale behind the OSS Ecosystem
5. i* for Risk Assess. in OSS Ecosystems
RISCOSS Project
Specification of risk identification, management and mitigation methods for community-based and industry-supported Open Source Software (OSS) development, composition and life cycle management to individually, collectively and collaboratively manage OSS adoption risks
6. i* for Risk Assess. in OSS Ecosystems
RESEARCH OBJECTIVES
7. i* for Risk Assess. in OSS Ecosystems
Research Objectives
• COTS Adoption Processes: Well-defined
Guidelines for risk analysis, cost estimation & contract agreement
• OSS Adoption Process: Missing
• OSS Community:
+1 business goal
No service Agreement
No “formal” roadmap
Risks: lack of roadmap and ownership, unclear responsibility and response time (bugs), …
8. i* for Risk Assess. in OSS Ecosystems
One RISCOSS Main Objective
• O1: Support Risk Assessment for OSS adoption using i* framework …
Understanding the OSS Ecosystem
Evaluating risks
• Lack of ownership: strategic dependencies?
• Lack of roadmap: community structure?
• … providing …
Guidelines
Measures
• … to support the decision process
9. i* for Risk Assess. in OSS Ecosystems
SCIENTIFIC CONTRIBUTIONS
10. i* for Risk Assess. in OSS Ecosystems
Scientific Contributions
• Ecosystem Patterns
• Levels of abstraction
• Guidelines for specification models & repositories
• New modelling concepts
11. i* for Risk Assess. in OSS Ecosystems
Ecosystem Patterns
• Role: Producer, Consumer, Community
• Setting: Industrial, Academia, Public Administration
• Business Strategy: from OSS collaboration to exploitation
• Business Process: adoption, migration, consolidation, improvement
12. i* for Risk Assess. in OSS Ecosystems
Level of Abstraction
• Different levels of detail (class/instance)
E.g. Instances for identifying heroes
• 3 i* Diagrams
SA: OSS Ecosystem actor relationships
SD: OSS Ecosystem actors dependencies
SR: OSS Ecosystem actor & dependencies rationale
13. i* for Risk Assess. in OSS Ecosystems
XWiki.org SA Diagram
14. i* for Risk Assess. in OSS Ecosystems
XWiki.org SD Diagram
15. i* for Risk Assess. in OSS Ecosystems
XWiki.org SR Diagram
16. i* for Risk Assess. in OSS Ecosystems
Guidelines & Repository
• RiSD Adaptation
• Need to define
General guidelines for SR
Specific guidelines related to OSS Ecosystems
Who is “responsible” for the roadmap?
How do “companies” influence the community?
• Repository for OSS models
For analysts to get project overview and identify risks
17. i* for Risk Assess. in OSS Ecosystems
New Modelling Concepts
• Risk-related constructs
Risk, event, …
• For dependencies:
No delegations/responsibilities, but “expectations”?
No duties, but “social norms”?
Available i* risk modelling approaches
18. i* for Risk Assess. in OSS Ecosystems
CONCLUSIONS & FUTURE WORK
19. i* for Risk Assess. in OSS Ecosystems
Conclusions
• RISCOSS objective: Support decision making related to the risk assessment in OSS adoption
• i* for OSS Ecosystem models
• Scientific Contributions
Ecosystem Patterns: Role, Setting, Business Strategy & Business Process
Levels of abstraction & SA Diagrams
Guidelines for specification models & repositories
New modelling concepts
20. i* for Risk Assess. in OSS Ecosystems
Ongoing & Future Work
• We …
Modeled RISCOSS 5 use cases (i*)
Are analyzing these models in order to …
• Identify potential patterns
• Identify potential new modelling concepts
• Furthermore, we are …
SLRs: OSS Ontologies, OSS Ecosystems & OSS Risks
• In order to…
Define an ontology linked to the i* elements (UFO)
Identify risks, metrics & mitigation activities
22. i* for Risk Assess. in OSS Ecosystems
i* Mapping
RISCOSS Ontology concepts | i* Construct
Activity and all the Activity types | Task
Actor and all the Actor types | Actor
Community | Actor
Resources and all the Resource types | Resource
Role and all the Role types | Actor
Property has-actor | is-part-of link
Generalization/specialization hierarchies | is-a link
23. i* for Risk Assess. in OSS Ecosystems
RiSD for OSS Ecosystem
Activity | RiSD | RiSD for Ecosystems
Phase II
Activity II.1 | Identifying departing actors | … including OSS Adopter and/or OSS Project as an actor
Activity II.2 | Establish goal dependencies among actors |
Activity II.3 | Classify and rename dependums |
Activity II.4 | Check for new actors and dependencies | … not related to actor inside the OSS Adopter and/or OSS Project
Phase III
Activity III.1 | Include Software System | Not applicable
Activity III.2 | Identify subsystems (is-part-of link) | Identify OSS Adopter’s and/or OSS Project’s actors (is-part-of link)
Activity III.3 | Refine software system dependencies | Refine OSS Adopter and/or OSS Project’s actors dependencies
Activity III.4 | Identify subsystems dependencies | Identify Adopter and/or OSS Project’s actors dependencies
Activity III.5 | Classify and rename dependums |
Activity III.6 | Check for new actors and dependencies | … specializations and aggregations)