Analyzing Differences in Risk Perceptions between Developers and Acquirers in OTS-based Custom Software Projects Using Stakeholder Analysis

Dana S. Kusumo 1,2,3, Mark Staples 1,2, Liming Zhu 1,2, Ross Jeffery 1,2
1 National ICT Australia
2 University of New South Wales
3 Institut Teknologi Telkom
{dana.kusumo, mark.staples, liming.zhu, ross.jeffery}@nicta.com.au

ABSTRACT

Project stakeholders can have different perceptions of risks and how they should be mitigated, but these differences are not always well understood and managed. This general issue occurs in Off-the-shelf (OTS)-based custom software development projects, which use and integrate OTS software in the development of specialized software for an individual customer. We report on a study of risk perceptions for developers and acquirers in OTS-based custom software development projects. The study used an online questionnaire-based survey. We compared stakeholders’ perceptions about their level of control over and exposure to 11 shared risks in OTS-based software, in 35 OTS-based software developments and 34 OTS-based software acquisitions of Indonesian background. We found that both stakeholders can best control, and are most impacted by, risks about requirements negotiation. In general, stakeholders agree on who can best control risks (usually the developer), but there were different perceptions about who is most impacted by risks (the developer reported either themselves or both stakeholders, while the acquirer usually reported both stakeholders). In addition, both stakeholders agree that the acquirer is most impacted by the risk of reduced control of future evolution of the system. We also found disagreement about who is most impacted by the risk of lack of support (usually each stakeholder reported themselves). This paper makes two main contributions.
First, the paper presents a method based on stakeholder analysis to compare perceptions of the respondents about which stakeholder is affected by and can control risks. Second, knowing stakeholder agreement on which stakeholder has high risk control should be helpful to rationalize responsibility for risks.

Categories and Subject Descriptors
D.2.9 [Software Engineering]: Management. K.6.1 [Management of Computing and Information Systems]: Project and People Management – management techniques.

Keywords: Risks, perception, Off-the-shelf (OTS), developers, acquirers, survey

1. INTRODUCTION

Custom software development is either in-house or contracted software development with specific requirements for an individual customer [13] [22]. Off-The-Shelf (OTS) software is “a commercially available or open source piece of software that other software projects can reuse and integrate into their own products” [41]. This study focuses on OTS-based custom software development, which uses and integrates OTS software in the development of specialized software for an individual customer [8]. The relationship between acquirers and developers in OTS-based custom software development is depicted in Figure 1.

Figure 1. OTS-based custom software project

Risks associated with a software project affect all stakeholders [11] [33] [34] [46]. Here, we define a risk as a deviation from the expected objective [48]. Risks arise from the start of the software acquisition process [33] [34]. Most of the literature focuses on risks from the perspective of the software development organization, and little attention has been given to the software acquirer’s perspective [18] [33]. This paper covers both perspectives for OTS-based custom software projects.

One approach that accounts for different stakeholder involvement in a project is stakeholder analysis [10] [44] [46]. Stakeholders are defined as anyone who is affected by or can influence the system under development [10] [19] [44] [46].
Stakeholder analysis considers activities and issues such as: stakeholder identification, area of interest, stakeholder contribution and expectation, stakeholder influence, strategies to involve stakeholders, and stakeholder responsibility [3] [16]. Responsibility is defined as “a duty, held by some agent, to achieve, maintain or avoid some given state, subject to conformance with organizational, social and cultural norms” [38].

Previous studies have reported that stakeholders tend to perceive the importance of certain risks as higher than others if they cannot control the risks, and also that different stakeholders tend to identify risk from other stakeholders’ perspectives [20] [21] [35]. As different stakeholders perceive risk differently [21], there are different perceptions of stakeholders’ responsibility for risks. In addition, stakeholder perceptions vary based on an individual's or organization's background, experience, needs and expectations [15]. To manage risks effectively, it is important to involve stakeholders [14] [34] in order to take account of differences in risk perceptions and to identify stakeholder responsibility for risks [14].

ESEM’12, September 19–20, 2012, Lund, Sweden. Copyright 2012 ACM 978-1-4503-1056-7/12/09...$15.00.