PrepareForTheWorst

How do you deal with non-functional requirements in an agile project? User stories are a great way to keep track of the functionality to be implemented. But what about all the things that the system must ensure will never happen?

I have developed an approach to rationally plan the effort invested in preventing malicious users from abusing the system. It extends traditional value-focused planning with costs incurred as systems increase the risk of undesirable events occurring. The approach is not limited to security threats, and I would like to spend this session thinking about how it can be applied to other fields such as incompetent users or system failure due to overload.

In this session, I give a brief introduction to planning security requirements with abuser stories. This is followed by a goldfish bowl discussion on whether and how the techniques can be extended to other non-functional requirements. I am particularly interested in hearing how other people have tied non-functional requirements into a user-story-driven project.