Skip to main content

Conspicuous in their absence

If you're a tester then you'll no doubt of heard phrases to the effect of "That's pretty unlikely", "Our users don't do that" or "Thats a fairly minor browser". Its been blogged about before, and elsewhere. The argument is many users are niche, novice, confused or from different backgrounds / viewpoints / languages. These are realistic and probably correct hypotheses, for many situations.

From my experience, thats often where the discussion ends, someone makes a judgement call, and the issue is fixed, mitigated or ignored. More often, than not, its ignored. That decision should probably be a business decision, its their money. But can they make such a decision safely? We are asking for consent to 'not operate' or 'operate' on their software. To come to the right decision, they need to be fully informed. i.e.: Are we sure that the issue is indeed rare? Are they making a properly informed decision?

For example what if the issue is: that a website has several serious issues when viewed in a particular web browser, but not in a more 'mainstream' browser. When this issue is presented to the decision maker - How could it be presented?

A) Users of Browser XYZ ... can't play/view the video
B) A browser used by < 1% of our users ... can't play/view the video

Option (B) appears to give more information. But we are also including a reporting bias here. The users maybe only make up 1% of our users - because - the video doesn't work. They tried to use the site but gave up in frustration or found a competitors site had fully working video - and so took their custom there.

Whenever we try to quantify a user's behaviour as it appears to us - we need to remember that we are not seeing the full picture. Rather we are glimpsing just the tip of the iceberg. The users probably haven't complained about how the system crashes, when you use that feature, because they've learned not to use that button "as it's flakey". They'd love to use that button - if only it worked.

This survivorship bias is endemic in the world around us, not just in software development. How many times have you seen adverts that read something like "90% of our customers would recommend us to a friend!". The adverts fail to mention that most of the customers ran screaming away to a competitor, or failed to even get through a tortuous ordering process - leaving the rest who love the -one- working feature. Now that those other 'disgruntled users' are out of the picture, the few remaining customers may generally be happy.

Many companies even make it harder still to get the feedback they need. Rather than a Help page or Help button having an easy to find web-form to submit problems or questions - they hide or remove this functionality altogether. Thats free testing - by real users - providing details of actual real world bugs and requirements - being ignored in the belief that they are saving the company money.

From a testing standpoint, we provide information, and its important not only to provide the facts, but maybe some context and explanation as to how the issue reports might relate to real world applications e.g. for the above there is an option (C): iPhone users won't be able to view the video. Or: these users make up 1% of users here, but Google/Microsoft etc has them at 10% of its users, Why don't we see all of those users?

Comments

  1. Splendid piece, as usual.

    A related bias is in thinking about the symptom as being the problem, when the problem is something poorly understood and potentially far bigger. (I wrote about that here.

    Mark Federman wrote a wonderful piece related to the your notes on survivorship bias. You can find that here .

    ---Michael B.

    ReplyDelete
  2. It's hard for some stakeholders to listen to testers when profits are louder than our concerns.

    ReplyDelete
  3. Second link in the first comment is giving 404 error because it has quote symbol at the end . I removed the quote and this seems to be correct link
    http://individual.utoronto.ca/markfederman/VoiceoftheCustomer.pdf

    ReplyDelete

Post a Comment

Popular posts from this blog

Betting in Testing

“I’ve completed my testing of this feature, and I think it's ready to ship” “Are you willing to bet on that?” No, Don't worry, I’m not going to list various ways you could test the feature better or things you might have forgotten. Instead, I recommend you to ask yourself that question next time you believe you are finished.  Why? It might cause you to analyse your belief more critically. We arrive at a decision usually by means of a mixture of emotion, convention and reason. Considering the question of whether the feature and the app are good enough as a bet is likely to make you use a more evidence-based approach. Testing is gambling with your time to find information about the app. Why do I think I am done here? Would I bet money/reputation on it? I have a checklist stuck to one of my screens, that I read and contemplate when I get to this point. When you have considered the options, you may decide to check some more things or ship the app

Test Engineers, counsel for... all of the above!

Sometimes people discuss test engineers and QA as if they were a sort of police force, patrolling the streets of code looking for offences and offenders. While I can see the parallels, the investigation, checking the veracity of claims and a belief that we are making things safer. The simile soon falls down. But testers are not on the other side of the problem, we work alongside core developers, we often write code and follow all the same procedures (pull requests, planning, requirements analysis etc) they do. We also have the same goals, the delivery of working software that fulfills the team’s/company's goals and avoids harm. "A few good men" a great courtroom drama, all about finding the truth. Software quality, whatever that means for you and your company is helped by Test Engineers. Test Engineers approach the problem from another vantage point. We are the lawyers (& their investigators) in the court-room, sifting the evidence, questioning the facts and viewing t

XSS and Open Redirect on Telegraph.co.uk Authentication pages

I recently found a couple of security issues with the Telegraph.co.uk website. The site contained an Open redirect as well as an XSS vulnerability. These issues were in the authentication section of the website, https://auth.telegraph.co.uk/ . The flaws could provide an easy means to phish customer details and passwords from unsuspecting users. I informed the telegraph's technical management, as part of a responsible disclosure process. The telegraph management forwarded the issue report and thanked me the same day. (12th May 2014) The fix went live between the 11th and 14th of July, 2 months after the issue was reported. The details: The code served via auth.telegraph.co.uk appeared to have 2 vulnerabilities, an open redirect and a reflected Cross Site Scripting (XSS) vulnerability. Both types of vulnerabilty are in the OWASP Top 10 and can be used to manipulate and phish users of a website. As well has potentially hijack a user's session. Compromised URLs, that exp