...

A more powerful risk-based testing strategy (at the parameter level) is generating Mixed-Strength test sets, as described in the following example. This feature can be helpful to use in many (if not most) of the models you will create.

Why does such risk-based testing makes sense conceptually?

There are only two possible reasons that a set of 2-way tests could fail to trigger a software defect:

1. There was a missing test "idea" (e.g., the only way the defect could be found is if the application were tested using a specific operating system and that specific system was not included as one of the parameters/values).
   
   

2. All of the test ideas and test conditions were included as values, but the defect could only be triggered by the scenario that included three or more of those existing test conditions together at the same time.

In our experience working with hundreds of software teams, the first reason (not thinking to include a particular test idea) is responsible for more defects slipping by testing than the second one (specific combinations of 3 or more already-included ideas).

Accordingly, this is what is recommended for testers who are planning to manually execute sets of 3-way scenarios:

• Don't*

At least not until you first experiment a bit with executing well-thought-through sets of Mixed-Strength scenarios

Why?  90% 90% of the extra thoroughness you might be looking for can probably be achieved by a well-thought-out set of mixed-strength tests. These tests might be half as numerous as the full, "regular" higher-strength test set.

With the extra time that the team saves by not executing all of those additional tests, they should use it to add more wrinkles/ideas into their testing.  

...

Examples of good sources for additional testing ideas include these:

• J. Michael Hunter's "You Are Not Done Yet" (Link to PDF)

• Elisabeth Hendrickson's Test Heuristics Cheat Sheet - Data Type Attacks & Web Tests (Link to PDF)

• Bug reports

• Your business rules and technical specs

• Adding more scope (e.g., adding in an additional type of user, even when different types haven't previously been considered in scope)

Let’s set up the use case we’re trying to address

We have a mission-critical application that includes several large changes in this release. We’ve filled in parameters for our System Under Test, and we see that a 2-way solution based on our variation ideas would require 87 scenarios.

...

Curious to see how many tests would be needed for a more thorough test model? Generate a set of 3-way tests! Unfortunately, this more-thorough solution requires almost 5 times as many tests. Ugh! We don’t have time all of those!

Determine what Parameters we want to devote more thorough testing to

What we want to do now is to generate a set of scenarios that will focus extra coverage on the high-priority parameters below, while maintaining pairwise coverage for every Value in our model. Creating a “Mixed-strength” model will allow us to do exactly that!

...

Another way to look at the set of Risk-Based Scenarios that we have just created is to imagine temporarily removing everything from our model except for the high-priority Parameters.

With 3 values for "User Type", 6 for "Customer Authorization Limit", and 14 for "Transaction Exchange (Country)", simple math tells us that to test every possible combination we require 3×6×14 = 252 tests. All 252 of these 3-way combinations are included in the Mixed-Strength (“Risk-Based Testing”) scenarios that we created…

...