TY - CHAP
T1 - Ontology guided risk analysis
T2 - From informal specifications to formal metrics
AU - Gandhi, Robin
AU - Lee, Seok Won
PY - 2009
Y1 - 2009
N2 - The level of compliance with security certification requirements is the primary driver of the decision to accredit a software system into operation with an acceptable level of risk. However, given the complexity of current software systems, the numerous natural-language Certification and Accreditation (C&A) requirements, and the ad hoc processes used to assess compliance, this decision is often based on the subjective judgment of the designated officials rather than on well-designed metrics and measures. This chapter presents our ongoing research on an ontology-guided process for building "formal metrics" for understanding risk from the informal specification of security requirements and the related evidence collected during the C&A process. The transformation of informal sources (in the problem space) into a representation that supports well-defined metrics (in the solution space) is realized through a combination of knowledge engineering and requirements engineering techniques. Our research outlines a methodological approach for developing and understanding metrics using the structured representation of regulatory security requirements in a problem domain ontology. The metrics derived from the domain ontology create a traceable chain of analytical reasoning that links to software artifacts (e.g. requirements, design, and code). We demonstrate the feasibility of our research findings through concrete examples from its application to a security C&A process and the resulting tool suite.
UR - http://www.scopus.com/inward/record.url?scp=70350247375&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=70350247375&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-04141-9_11
DO - 10.1007/978-3-642-04141-9_11
M3 - Chapter
AN - SCOPUS:70350247375
SN - 9783642041402
T3 - Studies in Computational Intelligence
SP - 227
EP - 249
BT - Advances in Information and Intelligent Systems
A2 - Ras, Zbigniew
A2 - Ribarsky, William
ER -