Discovering and understanding the multi-dimensional correlations among regulatory requirements with application to risk assessment
by Gandhi, Robin Amrit, Ph.D., THE UNIVERSITY OF NORTH CAROLINA AT CHARLOTTE, 2008, 150 pages; 3303931

Abstract:

Security regulations are now considered a primary driver of the security lifecycle of software systems in an organization. However, as software systems grow more complex, understanding whether regulatory security requirements are necessary and sufficient to support an environment with an "acceptable level of risk" is not a mere checklist exercise. Security breaches most often occur through a cascading failure among security constraints that work collectively in a socio-technical context. Therefore, while assessing residual risk, certifiers must systematically take into account the nexus of causal chains that exist among the security constraints imposed by regulatory requirements. The numerous natural language regulatory requirements specified in documents or listed in spreadsheets and databases do not facilitate such analysis. Furthermore, the complex interactions between a software system and its environment are now far beyond what manual approaches can understand and analyze without additional cognitive aids. This dissertation outlines a step-wise methodology to discover and understand the multi-dimensional correlations among regulatory security requirements for the purpose of risk assessment. Our lattice algebraic computational model helps estimate the collective adequacy of the diverse security constraints imposed by regulatory requirements, and of their interdependencies, in addressing risks within a bounded scenario of investigation. Abstractions and visual metaphors combine human intuition with the metrics produced by the methodology to improve the understanding of risks. In addition, a problem domain ontology that classifies and categorizes regulatory requirements along multiple dimensions of a socio-technical environment promotes a common understanding among stakeholders during risk assessment.
Our theoretical propositions are empirically validated through case-study-based research in the domain of the United States Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP). Through this work, we contribute to a new theory of regulatory requirements-driven risk assessment during certification and accreditation activities.

Adviser: Seok-Won Lee
School: THE UNIVERSITY OF NORTH CAROLINA AT CHARLOTTE
Source: DAI/B 69-03, p. , Jun 2008
Source Type: Dissertation
Subjects: Computer science
Publication Number: 3303931
Full citation record of this graduate work:
http://gateway.proquest.com/openurl%3furl_ver=Z39.88-2004%26res_dat=xri:pqdiss%26rft_val_fmt=info:ofi/fmt:kev:mtx:dissertation%26rft_dat=xri:pqdiss:3303931