ACM Transactions on Software Engineering and Methodology

Discovering Multidimensional Correlations among Regulatory Requirements to Understand Risk


Abstract

Security breaches most often occur due to a cascading effect of failure among security constraints that collectively contribute to overall secure system behavior in a socio-technical environment. Therefore, during security certification activities, analysts must systematically take into account the nexus of causal chains that exist among security constraints imposed by regulatory requirements. Numerous regulatory requirements specified in natural-language documents or listed in spreadsheets/databases do not facilitate such analysis. The work presented in this article outlines a stepwise methodology to discover and understand the multidimensional correlations among regulatory requirements for the purpose of understanding the potential for risk due to noncompliance during system operation. Our lattice algebraic computational model helps estimate the collective adequacy of diverse security constraints imposed by regulatory requirements, and of their interdependencies with each other, in a bounded scenario of investigation. Abstractions and visual metaphors combine human intuition with metrics available from the methodology to improve the understanding of risk based on the level of compliance with regulatory requirements. In addition, a problem-domain ontology that classifies and categorizes regulatory requirements from multiple dimensions of a socio-technical environment promotes a common understanding among stakeholders during certification and accreditation activities. A preliminary empirical investigation of our theoretical propositions has been conducted in the domain of the United States Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP). This work contributes a novel approach to understanding the level of compliance with regulatory requirements in terms of the potential for risk during system operation.