PraxIS September 2002

Managing reality in Information Systems - strategies for success       ISSN 1649-2374

Systems Modelling Ltd.




    To e or not to e?

Risk Management

    Do you think "It couldn't happen to us" ?
    Is Your Email List *Really* Secure?
    The biggest Word 97 security hole yet?

Software Quality

    SoftTest Ireland - new Software Testing SIG
    European Spreadsheet Risks (EuSpRIG) Symposium, Dublin 2003
    Extreme Spreadsheet Engineering (XSE) - full article

Euro features

    Euro coin swapping
    Flash Eurobarometer 107: Entrepreneurship
    EU Accounts, Accountants, Accountability, and Auditors
    UK Euro information forums close

On the lighter side 

    Believe it or not
    Murphy's Laws

25 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information



This month features a full article on "eXtreme Spreadsheet Engineering" - applying the lessons of the XP process to building spreadsheets. It has featured in a Cutter Advisory and on

I have a different kind of question in this month's request for feedback. Try it!

Thanks for your interest,

Patrick O'Beirne




To e or not to e?

Check out the new Forfás report at 

eBusiness: Where Are We and Where Do We Go From Here 

Case studies can be read at 



Risk Management

Do you think "It couldn't happen to us" ?

In an article "Website Security Flaw Costs ZD",1367,54817,00.html 
Brian McWilliams of reported:

Ziff-Davis Media has agreed to revamp its Web site's security and pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers last year. The settlement, announced on 28 Aug 2002 by New York's Attorney General, could spur other online companies to do a better job securing their sites.

The agreement came after Web surfers discovered an unprotected data file on Ziff Davis' site in November. The file contained names, addresses, e-mail addresses -- and, in some instances, credit card numbers -- of 12,000 people who signed up for a special promotion to receive Electronic Gaming Monthly magazine. After the location of the data file was published in a Web discussion forum, at least five consumers had fraudulent credit card charges made on their accounts, according to the settlement agreement.



Is Your Email List *Really* Secure?

MarketingSherpa share what they learned when their subscriber list was stolen recently.

Check out this Special Report to learn:
a. How they discovered their lists were stolen
b. Three general notes about data security
c. Five actions you can take to make your lists more secure
d. Six things to ask your list host to do to increase security
e. What's worth doing and what's not
f. Last note: The Reality of (In)Security


The biggest Word 97 security hole yet? 

Alex Gantman reported last week on Bugtraq that he's discovered what he calls "Document Collaboration Spyware" to use Word fields to pilfer a file. The hole he describes only affects Word 97. The thief has to know the precise name of the file they wants to retrieve (say, c:\Documents and Settings\yourname\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst). Woody says "If you use Word 97, and somebody sends you a document asking you to modify it, realize that when you return it, the document may have scarfed up files from your PC."


Software Quality

SoftTest Ireland - new Software Testing SIG

This special interest group is open to all in Ireland interested in software testing. The first meeting is September 12: at the Burlington Hotel, Upper Leeson Street, Dublin  at 5.45pm. The meeting is sponsored by EuroSTAR Conferences and Novell.

6.30 - Case study 1 - Fergal O'Riordan, Eircom
'Managing Integration Testing in the large- The Cluster Approach'

7.00 - Case study 2 - Pat O'Sullivan, IBM
'Merits/Demerits of developing GUI automation for use in Corporate Environments'

If you're coming to Dublin for the SIG meeting on the 12th, here's an afternoon event that may well fit in...  a F R E E  SCATE Briefing Session at 2.30pm at the Centre for Software Engineering, Dublin City University. Small Company Action Training and Enabling (SCATE) is a training and mentoring programme specifically designed to help small organisations improve their management of software  development.



European Spreadsheet Risks (EuSpRIG) Symposium, Dublin July 24/25 2003

I am looking for a corporate sponsor who would be interested in working with me to bring this prestigious event to Dublin in July 2003. Please contact me if you would like to be associated with this group. Further information:

I provide training for best practice and accelerated productivity, and expert consultancy in spreadsheet modelling and auditing. To request a private in-company course or consultation, simply contact me by email to: spreads (at) sysmod (dot) com.


Extreme Spreadsheet Engineering (XSE)

Extreme Programming (XP) was created in response to problem domains whose requirements change. Spreadsheet development is often done in conditions of intense time pressure, for example in merger and acquisition analysis. The spreadsheet development itself is often used to develop an understanding of what is being modelled, and therefore change is constant.

Key features of XP

1) Customer satisfaction through frequent visibility of increments of functionality;
2) Constant communication with customers to set and reset expectations, acceptance criteria, scope, priorities, and schedules;
3) Risk reduction from test-first development;
4) Defect reduction from continuous review with fellow spreadsheet developers;
5) Maintenance reduction through simplification;
6) Increased productivity through focus on delivery of real needs as they are needed.

It is said that a lightweight methodology has only a few rules and practices or ones which are easy to follow. In fact XP is actually a deliberate and disciplined approach to software development. In a traditional software development environment, users may be uncomfortable with the amount of availability that XP demands of them; they would rather hand everything over to the programmers and complain later. With spreadsheets, the developers are often also the users, which is a big advantage to begin with.

User-defined tasks

The customers write down what XP calls “user stories”, a few sentences in their own words saying what the system needs to do for them. These high-level (that is, not at the level of detailed screen & report design) tasks are used to create the acceptance tests – that is, does the system do each of these things? The developer guesses (frankly, a more honest term than “estimating”) how long each of these tasks will take to implement. If any one is more than three weeks effort, they should be decomposed into smaller tasks. The actual time chunk, of course, depends on the environment.

Release and Iteration planning

In XP, a release planning meeting is used to creating a release plan, which lays out the overall project in terms of iteration plans. The customer decides what story is the most important or has the highest priority to be completed. In spreadsheet development, this is likely to be a major shift in thought – away from building up pieces to an overall model that answers the big questions first, however crudely. Each task includes its acceptance test, without which it cannot proceed. Therefore, you are always working with a correct model; initially oversimplified, but it gets more detailed as time permits.

The other meeting style that is used is a daily “stand-up” meeting; this avoids wasting time on stultifying meetings where only a few contribute.

Project velocity

XP’s measure of progress is “project velocity” – the number of tasks that were finished during an iteration compared to the total of the estimates that these stories or tasks received. This data is then used in a release planning meeting to re-estimate and re-negotiate the release plan if project velocity changes dramatically for more than one iteration. Don’t fudge estimates; that is just a flight from reality.

Another discipline is to avoid the “I’ll just do this too as I’m at it” syndrome, adding any functionality before it is scheduled. In practice, these guesses at what might be needed in the future are often not justified. Just add what you need for today, anything extra will slow you down.

Moving pairs

One of the most distinguishing features of XP is “Pair programming”. This has the effect of continuous peer review. Advocates [1] say “It is counter intuitive, but 2 people working at a single computer will add as much functionality as two working separately except that it will be much higher in quality.” Ray Panko [2] in his study of spreadsheet error rates also finds that “[pairs] reduced errors by about a third”.

This practice is linked to “moving people around”, where changing one pf a pair ensures continuity of thought. People are moved around to spread knowledge across the team, keep thinking fresh, and avoid bottle necks. When a new person joins a task, the questions that they ask to get up to speed show up what needs to be clarified or simplified in the task, which ultimately makes the system easier to maintain.

In some financial industry environments, where there are performance bonuses or competitive pressures, pair working may be unacceptable to the users. In that case, the managers need to decide to what extent the spreadsheets are personal assistance tools or corporate assets. Look at whether they always disappear with each project or person, or whether they are handed on and re-used.


This drive towards simplicity starts with the imperative “do the simplest thing that could possibly work”. It's always faster and cheaper to replace complex logic now, before you waste a lot more time on it. There is a formal process called “refactoring” where you remove redundancy, eliminate unused functionality, and rejuvenate obsolete designs. The process is written up in scenarios where experienced people describe how they make complex logic and structures more simple so that the spreadsheet is easier to understand, modify, and extend. For example, “make sure everything is expressed once and only once”, “put constants in their own cells”. Such techniques get passed around quickly in the “moving pairs” team structures, lifting everybody’s skill level.

Exploratory solutions

XP’s approach to tough technical or design problems is to create “spike solutions” reduce the risk of a technical problem or increase the reliability of an estimate. Again a difference from common spreadsheet practice is that people normally hate to throw away work; but XP recognises that spikes are usually not good enough to keep, so it is expected that these experiments are thrown away and a clean solution written in.

Test-first development

XP creates the test before the code. In spreadsheets, there is no code/compile/integrate cycle; there is immediate feedback of any change, so it should be actually easier in that environment. For example, you could add cross-check calculations to verify that the answers are as expected. The users are required to have a set of test data and an expected answer first. Even if the answer is not known (which is the reason for building the spreadsheet), there must be some existing data and some expectation of what the result might be. If the expectation is wrong, that in itself is a useful outcome.

A large system developed from multiple spreadsheets does have a need for integration tests. In this environment, you are nearer a conventional systems development project.


There is an equivalent to XP’s coding standards: spreadsheet design standards. These are common conventions and practices that make it easier to pick up a worksheet and know where everything is, to navigate easily, and to follow its logic clearly.

Finally, the XP practice is 40 hour weeks – no overtime, no fuzzy eyes, fogged thinking, and wasted time from going down the wrong road from tiredness. Think about it!

Copyright © 2002 Patrick O’Beirne, Systems Modelling Ltd. 


[1] “What is Extreme Programming?”

[2]  “What We Know About Spreadsheet Errors” Raymond R. Panko University of Hawai’I





Euro coin swapping

Euro coins are slowly mixing in the pockets of Europeans. For those in a hurry, there is a web site for people to exchange sets. For more related sites, including diffusion research, see: 



Flash Eurobarometer 107: Entrepreneurship

The 2001 survey confirms that most Europeans are much more reserved than people in the US when it comes to the creation of a business. The survey looks into general attitude towards risk taking, and whether failed entrepreneurs should be given a second chance. 



EU Accounts, Accountants, Accountability, and Auditors

There has been quite some interest in the whistleblower case in the Commission recently.

Ms Andreasen has said of the Commission's 100 billion euro budget "Unlike the issues surrounding Enron and WorldCom, where you can at least trace transactions and accounts, you cannot do so within the EU accounts as there is no system in place for tracing adjustments and changes to figures presented. Fraud can, therefore, lie hidden within the system, undetected and untraced. After ignoring the complaints of the court of auditors, the EU's most powerful watchdog, for years, the EU still did not have a global-standard double-entry book-keeping system, its computers were inadequate and there were no qualified accountants supervising it." 

The Guardian reported that "the European Commission's former chief accountant is to be charged with three separate breaches of staff rules after going public with her claims that its accounting procedures leave its massive budget open to fraud. As the row over the suspension of Marta Andreasen deepened, Neil Kinnock, the Commission's vice-president, insisted that action is being taken against her only because she broke internal staff rules by contacting members of the European Parliament and the media. The Commission argues that she is not a "whistleblower" because the weaknesses she cites had long been identified, and that Ms Andreasen was appointed to improve the situation. It also argues that her calls for the installation of a new computer system were impractical. "

For background, double-entry bookkeeping was practised by Venetian merchants 500 years ago: Luca Pacioli published a treatise on it in Venice in 1494 "Summa de Arithmetica, Geometria, Proportioni et Proportionalita". EU suspends former chief accountant

"The harsh treatment of Andreasen was also a factor in the resignation of whistleblowing internal auditor Paul van Buitenen, who has stepped down after becoming disillusioned with reforms at the EC."  Van Buitenen leaves EU Commission

"Mr van Buitenen became known all over Europe, when, as assistant-auditor within the Commission, he decided to co-operate with the European Parliament in investigating the Commission’s poor management of the fight against internal irregularities and fraud. The investigations led directly to the fall of the Santer Commission, 15 March 1999. Paul van Buitenen's book on the affair, 'Blowing the Whistle: One man's fight against fraud in the European Commission', was launched in London in March 2000." (Four Amazon links: )

Interestingly, one of the results of that crisis was the document "Setting the highest standards: The Commission proposes an Advisory Group on Standards in Public Life, an improved disciplinary system and a Whistleblowers' Charter" at|0|RAPID&lg=EN 

"The proposal makes clear that all staff have a duty to report such concerns whenever they arise, and that managers have a responsibility to follow them up when they are reported. It gives officials with concerns about possible wrongdoing a range of options of where they should report in the first instance."

Related articles: article: "The whistleblower's dilemma"



UK Euro information forums close 

"A network of centres set up to help companies cope with the introduction of the euro is being closed, after businesses stopped asking for advice. Tony Blair heralded the launch of the forums in 1999 in a wider speech to the Commons about preparations for the advent of the euro, in which he said: "If we want to keep open the option of making a decision early in the next parliament to join, we need to step up our practical preparations." But Tim Yeo, shadow trade and industry secretary, said: "It's doubtful whether they ever served much function and the government has now admitted that."




We value your feedback.

How would you describe the focus of this newsletter? How do you benefit from it?

Simply send your comments to ISSUES (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor



On the lighter side

Believe it or not

They've banned gaming in Greece. So be careful what games you play on your mobile phone! 

The Greek government introduced the law in an attempt to prevent illegal gambling. According to a report in the Greek newspaper Kathimerini, Greek police will be responsible for catching offenders, who will face fines of 5,000 to 75,000 euros and imprisonment of one to 12 months. "The blanket ban was decided in February after the government admitted it was incapable of distinguishing innocuous video games from illegal gambling machines," the report said.

Murphy's Laws 

This site plays with variations of Murphy's Law, 'If anything can go wrong, it will' such as Murphy's Laws for Love, Murphy's Laws for Cops and Murphy's Laws for Computers. And to be sure, "Knowledge of Murphy's Law is no help in any situation."


Copyright 2002 Systems Modelling Limited, . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to 
EuroIS-subscribe (at) yahoogroups (dot) com
- it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor

"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".


To read previous issues of this newsletter please visit our web site at


This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.

Copyright (c) SML 2002

Please tell a friend about this newsletter.
We especially appreciate a link to from your web site!


We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website