Ontology guided risk analysis: From informal specifications to formal metrics

Robin Gandhi, Seok Won Lee

Research output: Chapter in Book/Report/Conference proceedingChapter

1 Scopus citations


The level of compliance with security certification requirements is the primary driver of the decision to accredit a software system into operation with an acceptable level of risk. However, given the complexity of current software systems, numerous natural language Certification and Accreditation (C&A) requirements, and ad-hoc processes to assess compliance, this decision is often based on the subjective judgment of the designated officials rather than well-designed metrics and measures. This chapter presents our ongoing research on ontology guided process of building "formal metrics" for understanding risk from the informal specification of security requirements and related evidence collected from the C&A process. The transformation of informal sources (in the problem space) into a representation that supports well-defined metrics (in the solution space) is realized through a combination of knowledge engineering and requirements engineering techniques. Our research outlines a methodological approach for metrics development and understanding using the structured representation of regulatory security requirements in a problem domain ontology. The metrics derived from the domain ontology create a traceable chain of analytical thoughts with software artifacts (e.g. requirements, design, and code). We provide concrete examples for the feasibility of our research findings through its application to a security C&A process and the resulting tool suite.

Original languageEnglish (US)
Title of host publicationAdvances in Information and Intelligent Systems
EditorsZbigniew Ras, William Ribarsky
Number of pages23
StatePublished - 2009

Publication series

NameStudies in Computational Intelligence
ISSN (Print)1860-949X

ASJC Scopus subject areas

  • Artificial Intelligence


Dive into the research topics of 'Ontology guided risk analysis: From informal specifications to formal metrics'. Together they form a unique fingerprint.

Cite this