The level of compliance with security certification requirements is the primary driver of the decision to accredit a software system into operation with an acceptable level of risk. However, given the complexity of current software systems, numerous natural language Certification and Accreditation (C&A) requirements, and ad-hoc processes to assess compliance, this decision is often based on the subjective judgment of the designated officials rather than well-designed metrics and measures. This chapter presents our ongoing research on ontology guided process of building "formal metrics" for understanding risk from the informal specification of security requirements and related evidence collected from the C&A process. The transformation of informal sources (in the problem space) into a representation that supports well-defined metrics (in the solution space) is realized through a combination of knowledge engineering and requirements engineering techniques. Our research outlines a methodological approach for metrics development and understanding using the structured representation of regulatory security requirements in a problem domain ontology. The metrics derived from the domain ontology create a traceable chain of analytical thoughts with software artifacts (e.g. requirements, design, and code). We provide concrete examples for the feasibility of our research findings through its application to a security C&A process and the resulting tool suite.