With the increasing complexity of software systems, understanding the necessity and sufficiency of regulatory security requirements in supporting an environment with an "acceptable level of risk" is not a mere checklist exercise. Security breaches most often occur through a cascading failure among security constraints that work collectively in a socio-technical context. Therefore, while assessing residual risk, certifiers must systematically take into account the nexus of causal chains that exist among the security constraints imposed by regulatory requirements. Numerous natural-language regulatory requirements specified in documents or listed in spreadsheets and databases do not facilitate such analysis. Furthermore, the complex interactions between a software system and its environment are now far beyond the capacity of manual approaches to understand and analyze without additional cognitive aids and related tool support.
Dr. Robin Gandhi, Assistant Professor of Information Assurance, began his research by modeling the attributes that classify and categorize regulatory requirements along dimensions relevant to understanding risk. To address the diversity of a socio-technical system, rather than relying on any single requirements modeling philosophy, the approach explicates each certification and accreditation (C&A) requirement through attributes that capture the goals, scenarios, viewpoints, and other domain-specific concepts, such as threats, assets, countermeasures, and vulnerabilities, necessary for precisely establishing its semantics.
The resulting Problem Domain Ontology (PDO) establishes the semantics of each requirement through its relationships with domain concepts in a socio-technical environment. Hierarchies of domain concepts in the ontology further classify and categorize requirements along multiple dimensions at different levels of abstraction. Dr. Gandhi and his team leverage the rich conceptual understanding of C&A requirements available from the PDO to discover and understand the multi-dimensional correlations among them for the purpose of risk assessment. A lattice-algebraic computational model helps estimate the collective adequacy of the diverse security constraints imposed by C&A requirements, together with their interdependencies, in addressing risks within a bounded scenario of investigation. Abstractions and visual metaphors combine human intuition with metrics available from the algebraic computational model to improve the understanding of risk. This approach enables intuitive explanations of risk in terms of requirements compliance. In addition, the PDO promotes a common understanding among stakeholders during risk assessment.
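As an added illustration, not code from Dr. Gandhi's team or the prototype tool suite, the Python sketch below assumes a three-level compliance lattice (meet = min) and conjunctive propagation along dependency links, then bounds a scenario by the asset and vulnerability concepts a requirement is related to in a small constructed ontology fragment. It shows the cascading effect the text describes: a fully compliant requirement is only as adequate as the requirements it causally depends on.

```python
from dataclasses import dataclass, field
from functools import reduce

# Hypothetical compliance lattice: a total order, so the meet (greatest lower
# bound) is min. Any bounded lattice would do; this one keeps the example small.
LEVELS = {"non-compliant": 0, "partial": 1, "compliant": 2}
BY_RANK = {rank: name for name, rank in LEVELS.items()}


def meet(a: str, b: str) -> str:
    """Greatest lower bound of two compliance levels."""
    return BY_RANK[min(LEVELS[a], LEVELS[b])]


@dataclass
class Requirement:
    rid: str
    compliance: str                 # assessed level of this single requirement
    protects: set[str]              # asset concepts from the ontology
    mitigates: set[str]             # vulnerability concepts from the ontology
    depends_on: set[str] = field(default_factory=set)  # causal-chain links


# Constructed sample ontology fragment (not taken from any real C&A baseline).
PDO = {r.rid: r for r in [
    Requirement("R1", "compliant", {"patient-db"}, {"undetected-misuse"}, {"R2"}),
    Requirement("R2", "partial", {"patient-db", "web-server"}, {"undetected-misuse"}, {"R3"}),
    Requirement("R3", "compliant", {"patient-db", "web-server"}, {"undetected-misuse"}),
    Requirement("R4", "compliant", {"patient-db"}, {"unauthorized-access"}, {"R5"}),
    Requirement("R5", "non-compliant", {"patient-db"}, {"unauthorized-access"}),
]}


def effective(reqs: dict, rid: str, seen: frozenset = frozenset()) -> str:
    """Adequacy of rid once cascading failure is accounted for: the meet of its
    own compliance with the effective adequacy of everything it depends on."""
    level = reqs[rid].compliance
    for dep in reqs[rid].depends_on - seen:        # 'seen' guards against cycles
        level = meet(level, effective(reqs, dep, seen | {rid}))
    return level


def collective_adequacy(reqs: dict, asset: str, vulnerability: str):
    """Bound the scenario to requirements whose ontology concepts cover the
    asset/vulnerability pair, then take the meet of their effective adequacy."""
    chain = {r.rid: effective(reqs, r.rid) for r in reqs.values()
             if asset in r.protects and vulnerability in r.mitigates}
    if not chain:                                   # nothing covers this scenario
        return "non-compliant", chain
    return reduce(meet, chain.values(), "compliant"), chain
```

Running `collective_adequacy(PDO, "patient-db", "unauthorized-access")` yields non-compliant even though R4 itself is compliant, because R4 depends on the non-compliant R5; the returned chain lists each requirement's effective level so the cause is explainable in terms of compliance.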
Biological networks are complex; they require precise interactions between components with an extremely wide assortment of structures. Accurate models for system-wide activity cannot be built solely with theoretical explanation of molecular interactions. Daniel Quest, who just completed his Ph.D. in Bioinformatics, takes steps towards simulating the living cell.
The theoretical propositions of this research are empirically validated through a case study with experts from government and the private sector in the domain of the United States Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP). The results demonstrate strong support for the steps of the methodology in improving risk assessment during C&A activities, while providing insights for further improvements.
Finally, the feasibility of the research findings has been demonstrated in a prototype C&A tool suite. This research contributes a new theory of regulatory requirements-driven risk assessment during software system security C&A activities.
Faculty Involved

- Dr. Robin Gandhi
For more information, please visit faculty.ist.unomaha.edu/rgandhi or contact Dr. Gandhi by e-mail at rgandhi@mail.unomaha.edu