Dr. Seok-Won Lee
Robin Gandhi (PhD),
Deepak Yavagal (MS), Divya Muthurajan (MS), Siddharth Wagle (MS) and
Ajeet Murty (MS)
July, 2004 - present
![](../RE07Poster-r-AnalytiCA-final-print.jpg) ![](../REV07Posterv2.jpg)
Requirements-driven Risk Assessment:

This research contributes to a foundational theory for understanding and reasoning about risks that arise due to cascading effects of a failure in software system features regulated by certification requirements. Emergent risks are difficult to understand and assess based on evidence that only evaluates the compliance of individual system features. This research work establishes a fundamental understanding of regulatory requirements, their compliance evidence, and their relationships with risk in the context of system operational needs.

Risks in a complex system most often arise due to cascading effects of a failure (e.g. weakest link syndrome) among constraints that collectively contribute to dependability as an emergent property of the system as a whole. To assess these risks, we leverage the semantics of each certification and accreditation (C&A) requirement explicated by its relationships with multi-dimensional concepts in the Problem Domain Ontology (PDO). Within a bounded and situated scope for risk assessment, correlations among C&A requirements that represent different classes of security constraints are discovered and understood by applying the algebraic model of Formal Concept Analysis (FCA) along with the semantics learned from the PDO. The resulting formal concept lattice, natural language risk explanations, and well-defined risk metrics and measures based on the theory of FCA help to significantly improve the quality of risk assessment artifacts resulting from the C&A process.
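
As an added illustration (not code from r-AnalytiCA or the papers listed here), the following sketch applies plain Formal Concept Analysis to a small constructed context to show how requirements that share classes of security constraints fall into common formal concepts. The requirement IDs, the attribute names and the `correlated_groups` helper are hypothetical, and the project's own risk metrics are not reproduced.

```python
# Constructed formal context: objects are C&A requirements, attributes are
# the classes of security constraints each one touches (all names hypothetical).
CONTEXT = {
    "REQ-1": {"access-control", "confidentiality"},
    "REQ-2": {"access-control", "audit"},
    "REQ-3": {"access-control", "confidentiality", "audit"},
    "REQ-4": {"availability"},
}

def attributes(context):
    """The full attribute set M of the context."""
    return frozenset().union(*context.values())

def extent(context, attrs):
    """Requirements that carry every attribute in attrs."""
    return frozenset(o for o, a in context.items() if attrs <= a)

def formal_concepts(context):
    """All (extent, intent) pairs of the context.

    The intents are exactly the closure of the object rows (plus M)
    under intersection, built up one requirement at a time.
    """
    intents = {attributes(context)}
    for row in context.values():
        intents |= {i & frozenset(row) for i in intents}
    concepts = [(extent(context, i), i) for i in intents]
    return sorted(concepts, key=lambda c: (len(c[0]), sorted(c[0])))

def correlated_groups(context, req):
    """Map each shared, non-empty intent to the other requirements in its extent.

    An empty result means req shares no constraint class with any other
    requirement in the assessed scope.
    """
    return {
        tuple(sorted(i)): sorted(e - {req})
        for e, i in formal_concepts(context)
        if req in e and i and len(e) > 1
    }

if __name__ == "__main__":
    for e, i in formal_concepts(CONTEXT):
        print(sorted(e), "<->", sorted(i))
    print(correlated_groups(CONTEXT, "REQ-1"))
```

Each printed pair is one node of the concept lattice; a requirement whose groups are non-empty is one whose failure should be reviewed together with the listed requirements.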

The associated methodology provides certification analysts with methods and techniques to systematically discover an exhaustive set of applicable C&A requirements in a given scenario of system operation and construct an algebraic model of all potential correlations among them that may lead to a cascading failure in system defenses. Tool support for this methodology is implemented in a prototype workbench, r-AnalytiCA, which enables several meaningful insights for software assurance during the C&A process. A well-designed case study with real-world C&A experts was conducted to evaluate the claims made through our research.

*Robin Gandhi and Seok-Won Lee, “Discovering Multi-dimensional Correlations among Regulatory Requirements to Understand Risk” To appear in the ACM Transactions on Software Engineering and Methodology (ACM ToSEM), ACM Press, Fully accepted on August 2009. (Regular Issue, 35 pages, submitted: March 2008) [PDF]

*Robin Gandhi and Seok-Won Lee, “Ontology-guided Risk Analysis: From Informal Specifications to Formal Metrics,” A book chapter accepted to “Advances in Information and Intelligent Systems” by Springer Studies in Computational Intelligence (Editors: Zbyszek Ras & Bill Ribarsky), SCI 251, pp. 227-249, Springer-Verlag Berlin Heidelberg. Nov. 2009, [PDF]

*Robin Gandhi and Seok-Won Lee, “Assurance Case Driven Case Study Design for Requirements Engineering Research”, In Proceedings of the Requirements Engineering: Foundation for Software Quality, REFSQ 2009, 15th International Working Conference, Amsterdam, The Netherlands, June 8-9, 2009. Lecture Notes in Computer Science, LNCS 5512, pp. 190-196, Springer. [PDF]

Seok-Won Lee, *Robin Gandhi and *Siddharth Wagle “Ontology-guided Service-oriented Architecture Composition to Support Complex and Evolving Process Definitions” To appear in the International Journal of Software Engineering and Knowledge Engineering, World Scientific, Vol. 19, No.6, September 2009. (fully accepted July 14, 2008) [PDF]

*Robin Gandhi and Seok-Won Lee, “Visual Analytics for Requirements-driven Risk Assessment” In Proceedings of the second international workshop on Requirements Engineering Visualization (REV ’07) in conjunction with the IEEE 15th International Requirements Engineering Conference (RE '07), pp. 44-48, October 15-19, Delhi, India, 2007. [PDF] [Poster]

Seok-Won Lee, *Robin Gandhi, *Siddharth Wagle, and *Ajeet Murty “r-AnalytiCA: Requirements Analytics for Certification & Accreditation” In Proceedings of the IEEE 15th International Requirements Engineering Conference (RE '07), Posters, Demos and Exhibits Session. pp. 383-384, October 15-19, Delhi, India, 2007. [PDF] [Poster]

*Robin Gandhi and Seok-Won Lee, “Discovering and Understanding Multi-dimensional Correlations among Certification Requirements with application to Risk Assessment”, In Proceedings of the 15th IEEE International Requirements Engineering Conference (RE 07), pp. 231-240, October 15-19, Delhi, India, 2007. (Acceptance ratio 22+7/172 ≈ 12%) [PDF]

Seok-Won Lee, *Robin Gandhi, and *Siddharth Wagle, “Towards a Requirements-driven Workbench for Supporting Software Certification and Accreditation”, In Proceedings of the Third Int’l Workshop on Software Engineering for Secure Systems (SESS 07) in conjunction with the 29th International Conference on Software Engineering (ICSE 07), Minneapolis/St. Paul, MN, USA. IEEE Press. May 19-20. [PDF]

Seok-Won Lee and *Robin Gandhi, “Requirements as Enablers for Software Assurance”, CrossTalk: The Journal of Defense Software Engineering, December, Vol. 19, No. 12, pp.20-24, United States Department of Defense, 2006. [PDF]

Lee, S. W., *Gandhi, R. A., and Ahn, G., “Certification Process Artifacts Defined as Measurable Units for Software-intensive Systems Lifecycle” International Journal on Software Process: Improvement and Practice, Volume 12, Issue 2, 2007. Pages 165-189 (March/April), John Wiley & Sons, Ltd. 2007. (Published early view online in Wiley InterScience (www.interscience.wiley.com) DOI: 10.1002/spip.313.) [PDF]

Lee, S. W., *Muthurajan, D., *Gandhi, R. A., *Yavagal, D., and Ahn, G., “Building Decision Support Problem Domain Ontology from Security Requirements to Engineer Software-intensive Systems” International Journal on Software Engineering and Knowledge Engineering, Vol. 16, No. 6, pp.851-884, December, World Scientific Publishing Company, 2006. [PDF]