The prioritization model provides a decision-making model and mathematical algorithm for determining the relative merit of addressing a given best practice violation. The prioritization model is not intended to define the set of best practices that needs to be fixed to achieve compliance with a set of standards. Instead, the prioritization model provides a value-weighted list of best practices, identifying those that provide the most benefit, or "bang for the buck", if fixed first.
Best Practice Prioritization Criteria
- Severity (S) - Severity is a measure of how large an impact on the user experience a violation of the best practice will have. Severity is inferred from user experience analysis and is ranked on a scale of one to ten, where the rank represents the impact that a violation of the best practice would have on the user experience. A violation of a best practice with a severity of one would have virtually no impact on the user experience, while a violation of a best practice with a severity of ten would denote an insurmountable obstacle in the user experience. The scale is grouped as 1-3 (Low Severity), 4-6 (Medium Severity), and 7-10 (High Severity). Note that it is possible for organizations to implement Custom Severity. If this is the case, check with your Organization Administrator for more information pertaining to the severity labels and scale used.
- Occurrence Rate (O) - Occurrence rate is a measure of how many different modules in a report have a given violation. It is calculated as the number of modules that exhibit a violation divided by the total number of modules, multiplied by ten. For example, if a violation of a given best practice occurred in 54% of all modules, the occurrence rate would be 5.4.
- Noticeability (N) - Noticeability is the likelihood that a given violation will be detected by users of a system. Certain best practice violations are more easily detected than others, such as violations that can be detected with automated tools. Other violations, such as those that can only be detected through manual review techniques, are more difficult to find in a module. A violation with a Noticeability of one is virtually impossible to detect, while a violation with a Noticeability of ten would be easily detected in any automated or manual test. Violations that are more difficult to detect generally pose a lower overall risk for enforcement than violations which can be detected in a trivial fashion.
- Tractability (T) - Tractability defines the estimated costs associated with ensuring that instances of a violation are fixed in accordance with the best practice. Tractability is a rough corollary to the number of hours of effort required to ensure compliance with a given best practice and the level of specificity of the fix. A violation with a Tractability of one is simple to fix, generally requiring few changes that are well defined. A violation with a Tractability of ten would relate to architecture level implementations within the system and be impossible to fix without extensive changes to the system as a whole.
To calculate the benefit of implementing any given best practice, the values of the factors outlined above (S, O, N, T) are multiplied by the relative weights of those factors ($W_S$, $W_O$, $W_N$, $W_T$) and combined by adding the first three weighted factors and subtracting the weighted Tractability factor. The following algorithm is used:
$$\text{Benefit}_x = (S_x \cdot W_S) + (O_x \cdot W_O) + (N_x \cdot W_N) - (T_x \cdot W_T)$$
The Priority for each best practice is then calculated and normalized to a scale of one to ten. This is accomplished by:
$$P_x = \left[\frac{\text{Benefit}_x - \text{Benefit}_{\min}}{\text{Benefit}_{\max} - \text{Benefit}_{\min}}\right] \cdot 9.0 + 1.0$$
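
The two formulas above, carried through for a small report, as an added example that is not part of the original model documentation. The weight values, violation names and scores are constructed for illustration (the page does not state the weights), and the handling of the case where all benefits are equal is an assumption.

```python
from dataclasses import dataclass

# Assumed weights (W_S, W_O, W_N, W_T); the page does not state their values.
WEIGHTS = {"S": 0.4, "O": 0.2, "N": 0.2, "T": 0.2}

@dataclass
class Violation:
    name: str
    severity: float       # S, 1-10
    modules_failing: int  # modules in the report that exhibit the violation
    noticeability: float  # N, 1-10
    tractability: float   # T, 1-10

def occurrence_rate(modules_failing, total_modules):
    """O = (modules with the violation / total modules) * 10."""
    if total_modules <= 0 or not 0 <= modules_failing <= total_modules:
        raise ValueError("module counts out of range")
    return modules_failing / total_modules * 10

def benefit(v, total_modules, w=WEIGHTS):
    """Benefit_x = S*W_S + O*W_O + N*W_N - T*W_T."""
    o = occurrence_rate(v.modules_failing, total_modules)
    return (v.severity * w["S"] + o * w["O"]
            + v.noticeability * w["N"] - v.tractability * w["T"])

def prioritize(violations, total_modules, w=WEIGHTS):
    """Return (name, priority) pairs, highest priority first, on a 1-10 scale."""
    benefits = [(v.name, benefit(v, total_modules, w)) for v in violations]
    lo = min(b for _, b in benefits)
    hi = max(b for _, b in benefits)
    span = hi - lo
    # When every benefit is equal the formula divides by zero; this example
    # assigns 1.0 in that case (an assumption, the page does not cover it).
    ranked = [(n, 1.0 if span == 0 else (b - lo) / span * 9.0 + 1.0)
              for n, b in benefits]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

# Constructed sample report: 50 modules, three hypothetical violations.
SAMPLE = [
    Violation("missing-form-labels", 9, 27, 8, 2),     # 54% of modules, O = 5.4
    Violation("low-contrast-text", 5, 40, 6, 3),
    Violation("custom-widget-framework", 10, 5, 3, 10),
]

if __name__ == "__main__":
    for name, p in prioritize(SAMPLE, total_modules=50):
        print(f"{name:26s} priority {p:.2f}")
```

With these constructed inputs the violation with the highest Severity ranks last, because its Tractability of ten is subtracted and its Occurrence Rate is low.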