A Multi-attribute Evaluation of Information Security Controls in Organizations Using Grey Systems Theory

A Multi

-

attribute Evaluation of Information Security

Controls in Organizations Using Grey Systems Theory

A. Ejnioui

, A. R. Otero

, G. Tejay

, C. E. Otero

and A. A. Qureshi

1

_{Information Technology, University of South Florida Lakeland, Lakeland, Florida, USA}

2

_{Computer and Information Sciences, Nova Southeastern University, Fort Lauderdale, Florida, USA}

3

_{Mathematics & Computer Science, University of Virginia’s College at Wise, Wise, Virginia, USA}

Abstract – Although the protection of information is critical, organizations have endured information losses that affected the values of their assets. As a result, organizations are currently driven to find ways to implement effective information security controls to protect their critical and sensitive information. Methods to implement these controls such as risk analysis or best practice guidelines have been proposed in the past. However, these methods tend to be limited due to their subjective nature and fail to take into account specific constraints such as implementation costs, resource availability, and scheduling limitations. This paper proposes a new approach where the problem of implementing information security controls is formulated as a multi-attribute decision making using grey system theory. The problem is addressed by devising a utility function for ranking different possible implementations of information security controls. This approach is applied in a case study where it is clearly shown how effective and highly customizable this approach is in evaluating the quality of information security controls with regard to the security needs of an organization.

Keywords: information security; information security controls; risk analysis and management; baseline manuals; best practice frameworks; grey systems; multi-attribute decision.

1

Introduction

Protecting information is of utmost importance in most organizations. Many organizations have endured substantial information losses that impacted significantly the value of their assets and information. In fact, losses related to information security will continue to occur with a devastating effect on organizations [1]. In 2004, the CCI/FBI Computer Crime and Security Survey stated that total losses in the United States attributable to computer security breaches reached $141,496,560. These alarming figures point to an inadequacy in today's information security practices and serve as motivation for finding new ways to help organizations improve their capabilities for securing valuable information. In today's organizational culture, the use of security tools and technologies, such as encryption, firewalls, and access management are used to address security challenges [2, 3]. Although tools and technologies are an integral part of

organizations’ information security plans, it is argued that they alone are not sufficient to address information security problems [4]. To improve overall information security, organizations must evaluate (and thus implement) appropriate information security controls (ISC) that satisfy their specific security requirements [5-7]. However, due to a variety of organizational-specific constraints (e.g., cost, schedule, resources availability), organizations do not have the luxury of selecting and implementing all required ISCs. Therefore, the selection, adoption, and implementation of ISCs within organizations' business constraints become a non-trivial task. This paper proposes a novel approach for evaluating and identifying the most appropriate ISCs based on organization specific criteria. The proposed approach uses an attribute-based utility measure in grey systems theory to quantify the desirability of each ISC taking into account benefits and penalties (restrictions) associated with implementing the ISC. This provides Management with a measurement that is representative of the overall quality of each ISC based on organizational goals. The derived quality measurement can be used as the main metric for selecting ISCs. The remainder of the paper is organized as follows. Section 2 provides a summary of previous work on ISC selection. Section 3 briefly describes the proposed solution approach. Section 4 provides detailed explanations of grey systems theory and how it is used in multi-attribute decision making. Section 5 presents the results of a case study. Finally, Section 6 provides summarized conclusions and highlights of the proposed approach.

2

Related Work

Various reasons have been put forth for explaining the lack of effectiveness in the evaluation, selection, and implementation process of ISCs. Sometimes, the implementation of ISCs in organizations may constitute a barrier to progress [8]. Employees may view ISCs as interrupting their day-to-day tasks and therefore, may ignore implementing them in order to be effective and efficient with their daily job tasks [9]. According to [10], organizations are required to identify and implement appropriate controls to ensure adequate information security. Others place emphasis on the fact that “different organizations have different security needs, and thus different security requirements and objectives” [11]. In

[12], the authors stress that there is no single information security solution that can fit all organizations. As a result, ISCs must be carefully selected to fit the specific needs of the organization.

In [5], the authors claim that the process of identifying and selecting the most effective ISCs in organizations has been a challenge in the past, and plenty of attempts have been made to come up with the most effective way possible. Risk analysis and management (RAM) is just one example. RAM has been recognized in the literature as an effective approach to identify ISCs [5]. RAM would list the information security requirements as well as the proposed ISCs to be implemented to mitigate the risks resulting from the analyses and assessments performed. RAM, however, has been described as a subjective, bottom-up approach, not taking into account organizations’ specific constraints [13]. Management must, therefore, explore new ways to determine/measure the relevancy of these ISCs considering the various constraints experienced by organizations.

Another option that has been considered by many organizations for introducing security controls is to adopt best practice frameworks [5]. Based on [10], best practice frameworks assist organizations in identifying appropriate ISCs. Some best practices include: Control Objectives for Information and related Technology (COBIT); Information Technology Infrastructure Library (ITIL); Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE); International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 177995 and ISO/IEC 27001; PROTECT; Capability Maturity Model (CMM); and Information Security Architecture (ISA) [6].

The process of selecting the most effective set of ISCs from these best practice frameworks can be challenging. According to [13], best practice frameworks leave the choice of controls to the user, while offering little guidance in terms of determining the best controls to provide adequate security for the particular business situation. Additionally, frameworks do not take into consideration organization specific constraints, such as, costs of implementation, scheduling, and resource constraints. Other less formal methods used in the past, such as, ad hoc or random approaches, could lead to the inclusion of unnecessary controls and/or exclusion of required/necessary controls [5]. Identifying and selecting ISCs based on the above may result in organizations not being able to protect the overall confidentiality, integrity, and availability of their information [10]. In order to increase the effectiveness of the selection and prioritization process for ISCs, new methods need to be developed that save time while considering major factors (e.g., constraints, restrictions, etc.) that undoubtedly affect the selection of ISCs.

From the reviewed literature, it is evident that the selection of ISCs is mostly driven by cost, scheduling, and resource

availability. In other words, ISCs at organizations will be selected by management when the benefits of implementing them surpass the costs of establishing the control. Equally important, scheduling issues may affect whether ISCs should be selected. Implementation of ISCs may require specific scheduled times, not necessarily planned by the organization. Finally, availability of personnel often determines whether ISCs can be selected or not. Effective information system security implementation requires the identification and adoption of the most appropriate and effective set of ISCs taking into account the issues presented above [13].

3

Solution Approach

To properly evaluate the quality, importance, and priority of ISCs in organizations, management must follow a methodology that takes into consideration the quality attributes of the ISCs that are considered relevant. The methodology must provide capabilities to determine the relative importance of each identified quality attribute. This would allow the methodology to provide an ISC selection scheme that represent how well these ISCs meet quality attributes and how important those quality attributes are for the specific organization. To achieve this, a methodology using grey systems theory to solve a multi-attribute decision problem is proposed. First, a set of quality attributes is identified as evaluation criteria for all possible ISCs. These attributes are defined in terms of different features, where the importance of each feature is expressed as a grey number. ISCs that satisfy the highest number of features would expose a higher level of quality for that particular quality attribute. After all ISCs are evaluated and measurements computed for all features, the proposed approach uses an additive weighted utility function to fuse all measurements into one unified value that is representative of the overall quality of the ISC. This unified value is computed by using a set of utility values that take into consideration the importance of each quality attribute. Therefore, the resulting ranking of each ISC is derived based on the goals and specific needs of the organization. This results in an ISC ranking approach based on how well ISCs meet quality attributes and how important those quality attributes are for the organization.

4

Multi-attribute Decision Making in Grey

Systems Theory

Multi-attribute decision making problems occur in situations where a finite set of alternatives need to be evaluated according to a number of criteria or attributes. The evaluation consists of selecting the best alternative or ranking the set of alternatives based on those attributes. However, many decision problems present data that is imprecise or ambiguous leading to conflicting situations in which the evaluation of alternatives becomes difficult. This is the case when implementing ISCs in organizations. In the past, this information uncertainty has been modeled using fuzzy sets [14] or grey numbers [15]. While the former has been around for some time, only recently has interest been growing in the

latter, since uncertainty can be modeled and manipulated in more flexible ways using grey number systems than fuzzy sets [15].

4.1 Grey Numbers and Grey Systems Theory

In practical applications, a grey number represents an indeterminate number that takes its possible value from an interval or a set of numbers. The symbol ⊗ denotes a grey number. The most basic types of grey numbers are [15]:

• Grey numbers with only a lower bound: ∈[𝑎,∞] or

⨂ 𝑎 , where 𝑎 is a fixed number representing the lower bound.

• Grey numbers with only an upper bound: ∈[−∞,𝑎]

or ⨂ 𝑎 where 𝑎 is a fixed number representing the upper bound.

• Interval grey numbers: ⨂∈ 𝑎,𝑎 where 𝑎 and 𝑎 are

the lower and upper bounds respectively.

• Continuous and discrete grey numbers: The former

numbers can take any values within an interval while the latter can take only a finite number of potential values.

• Black and white numbers: When ⨂∈ −∞,∞, that is

when ⨂ has neither an upper nor lower bound, it is knows as a black number. On the other hand, when ⨂∈ 𝑎,𝑎 and 𝑎=𝑎, it is knows as a white number. After three decades of research, grey systems theory emerged as new discipline with contributions in [15]:

• Grey algebraic systems, grey equations, grey matrices,

etc.

• Sequence operators and generation of grey sequences. • System analysis based on grey incidence spaces and

grey clustering.

• Grey prediction models.

• Decision making using grey target decision models.

Optimization models using grey programming, grey game theory and grey control.

4.2 Selection of Information Security Controls

The first step involves identifying a set of ISCs that could be implemented in the organization. These ISCs can be obtained from the best practice frameworks mentioned in Section II. For instance, the ISO/IEC 177995 standard has over 127 ISCs available according to the organizations’ specific needs [10]. Once selected, the results of these ISCs are captured in the ISC vector as:

𝐼=   𝐼! 𝐼! ⋮ 𝐼_!       1 . 4.3 Information Security Attributes

When planning to implement ISCs, it is often necessary to address important aspects of security. These aspects can be viewed as quality attributes in the decision problem. For instance, one can use the following quality attributes that have been defined in the ISO/IEC 177995 standard [10]:

• Restrictions – there are restrictions that Management

must take into account before selecting and implementing ISCs. These may include whether the costs involved in the selection and implementation of the ISC are high, whether resources are not available, and whether there are scheduling constraints associated with implementing the ISCs. The presence of any of the above will negatively affect the specific quality attribute. That is, ISCs with all features present will result in a lower priority; conversely, ISCs with all features missing will result in a higher priority. A high priority scenario will be one where the implementation cost of the specific ISC is considered adequate and/or manageable (i.e., within budget), resources are available to implement the particular ISC, and there are no restrictions in terms of scheduling the ISC (i.e., the ISC can be scheduled anytime during the year). Restrictions are defined as: Costs (C), Availability of Resources (AoR), and Scheduling (T).

• Scope – This quality attribute assesses the impact of

the ISCs on the organization. ISCs that provide security of information in many systems have a higher priority than ISCs that address security of information in a minimal number of systems. Scope is defined as: System 1 (S1), System 2 (S2), …, System n (Sn).

• Organization’s Objectives – the number of

information security objectives the ISC satisfies. As the number of objectives the ISC satisfies, so does its suitability. Organization’s objectives are defined with the following features: Objective 1 (O1), Objective 2 (O2), …, and Objective n (On).

• Physical Access – ISCs will prevent and/or record unauthorized access to the organization’s building facilities, including data centers where information processing takes place, the finance/accounting department, human resources department, etc. As the number of physical locations addressed by the ISC, so does it suitability for selection. Physical access is defined as: Location 1 (L1), Location 2 (L2), …, Location n (Ln).

• Access Controls – implementation of an ISC for this

quality attribute will promote appropriate levels of access controls to ensure protection of the organization’s systems/applications against unauthorized activities. Organizations may implement network access controls (N), operating systems access controls (O), and application controls (A) based on their specific needs.

• Human Resources – implementation of an ISC

supports reductions of risk of theft, fraud, or misuse of computer resources by promoting information security awareness (Aw), training (Tn), and education of employees (E). Depending on the particular situation, costs involved, and availability of personnel, organizations may select which of these to employ.

• Communications and Operations Management – ISCs

will ensure the correct and secure operation of information processing facilities, which includes addressing for adequate segregation of duties (SoD), change management (CM), and network security (NS).

Organizations may select ISCs to address all of these or just some depending on their particular needs.

• Systems Acquisition, Development, and Maintenance –

ISCs will support security related to the organization’s in-house and/or off-the-shelf systems or applications (e.g., ensuring personnel with authorized access can move changes into production environments, etc.). As the number of systems or applications addressed by the ISC increases, so does the suitability of selecting the ISC. Systems Acquisition, Development, and Maintenance is defined as: Systems or Applications 1(SoA1), Systems or Applications 2 (SoA2), …, and Systems or Applications n (SoAn).

• Incident Management – ISC will ensure that

security-related incidents (e.g., attempts to change/manipulate financial data, etc.) identified within the organization’s processing of information are communicated in a timely manner, and that corrective action is taken for any exceptions identified. Incident management may apply to online processing and/or batch processing. Incident Management is defined as Processing 1 (P1), Processing 2 (P2), …, and Processing n (Pn).

The above quality attributes can be represented in the following vector:

𝐴= 𝑞!  𝑞!  ⋯  𝑞!      (2)

for j = 1, 2, …, m.

4.4 Feature Aggregation

Once the ISC vector is identified, each ISC implementation can be evaluated against a set of m quality attributes q1, q2, …

qm. The evaluation process takes place as follows. First, each

attribute is defined in terms of f features, where f > 1. Because of the uncertain nature of data, the evaluation of each feature is represented as a grey number. For example, the implementation of an ISC plan must consider possible restrictions as described in the Restrictions attribute above. These restrictions can be defined in terms of costs (C), availability of resources (AoR), and scheduling and timing constraints (T). As such, the number of features in the restrictions attributes is f = 3. With these features in place, evaluating the importance of the Restrictions attribute qj for an

ISC implementation Ii can be computed as follows:

𝑑!"=   𝑙!",𝑢!" = 1 𝑓 𝑙!, ! !!! 1 𝑓 𝑢! ! !!!       3

where k is the number of features identified for attribute qj.

This computation is the arithmetic mean of the values assigned to the features in attribute qj. As this mean increases, so does

the importance of the attribute. This computation is performed for all features in each attribute. The overall assessment of the

n ISCs based on all m quality attributes is captured using the following decision matrix D:

𝐷=   𝑙!!,𝑢!! 𝑙!",𝑢!" …   𝑙!!,𝑢!! 𝑙!",𝑢!" 𝑙!!,𝑢!! …   𝑙!!,𝑢!! ⋮ ⋮ ⋮ 𝑙!!,𝑢!! 𝑙!!,𝑢!! …   𝑙!",𝑢!"      (4)

where the rows represent alternatives considered in ISC implementation while the columns represent the attributes of the same problem. Note that the lij and uij represent

respectively the lower and upper bounds of grey number dij

for i = 1, 2, .., n and j = 1, 2, .., m.

4.5 Attribute Weights

In general, an ISC attribute will also be characterized by very specific goals. For example, the goals of an alternative may consist of minimizing restrictions while maximizing the rest of the attributes listed in the ISCs above. Optimization goals consist mostly of minimizing or maximizing one or more attributes associated with a given decision problem. However, these goals may not have the same importance in some cases. To assess the relative importance of each quality attribute, the following weight vector W is created:

𝑊= 𝑤!  𝑤!  ⋯  𝑤!      (5)

where wj represents the importance of attribute qj. These

weights can be decided by one or more experts in a subjective manner or synthesized objectively from the matrix A. In this paper, weights are synthesized from the decision matrix using the concept of statistical variance. In contrast to other approaches for synthesizing weights such as the entropy method [16, 17], statistical variance is effective and easy to implement [18]. Unlike statistical analysis where focus is placed on the extremes, variance examines how data points are scattered around the mean. As such, variance provides useful information about how important an attribute is to a decision problem.

Definition 1. Let 𝑑=   𝑙,𝑢 be a grey number with 𝑙<  𝑢. If d

is continuous, then,

𝑑=  1

2 𝑙+𝑢      (6)

is the core of a [15]. The cores of all grey numbers in the

matrix D can be used to compute the weights from D using statistical variance as follows:

𝑣!= 1 𝑛 𝑑!"−𝑑!" !      (7) ! !!!

where 𝑑!" is the core of grey number 𝑑!" while 𝑑!" is the statistical mean of the cores of all grey numbers in attribute

qj. The synthetic weight of attribute qj can be computed as

follows: 𝑤!=   𝑣! 𝑣! ! !!!      (8) for j = 1, 2, …, m.

4.6 Normalization of the Decision Matrix

Grey numbers in the matrix can be normalized by using the sum of the cores in each matrix column as follows [15]:

𝑙!"=   𝑙!" 1 2 !!!!𝑙!"+ !!!!𝑢!" = 2𝑙!" 𝑙!"+𝑢!" ! !!!      (9) 𝑢!"=   𝑢!" 1 2 !!!!𝑙!"+ !!!!𝑢!" = 2𝑢!" 𝑙!"+𝑢!" ! !!!      (10) for i = 1, 2, .., n and j = 1, 2, .., m where lij and uij are as

defined in equation (3) and (4). The resulting normalized matrix is 𝐷.

4.7 Weighting of the Normalized Matrix

The normalized matrix can be weighted by multiplying the bounds of each grey numbers in the matrix by the weight of its attribute. Let 𝑑_!"= 𝑙_!",𝑢_!" be a grey number in the normalized matrix. Each grey number in the matrix is multiplied by its attribute weight as follows [19]:

𝑑!"=𝑑!"×𝑤!= 𝑤!𝑙!",𝑤!𝑢!" = 𝑙!",𝑢!"      (11)

for i = 1, 2, .., n and j = 1, 2, .., m. The resulting weighted normalized matrix is 𝐷.

4.8 Benefits and Costs in the Weighted Normalized Matrix

A simple weighted additive approach, similar to the COPRAS-G method, can be used to compute the benefits and costs of the attributes for each ISC implementation in 𝐷 as follows [19, 20]: 𝑃_!=1 2 𝑙!"+𝑢!" ! !!!      (12) 𝑅_!=1 2 𝑙!"+𝑢!" ! !!!!!      (13)

assuming that the first k attributes are benefits while the remaining (m–k) attributes are costs in 𝐷.

4.9 Relative Weights of Each ISC Implementation

The importance of each ISC implementation in the weighted normalized matrix can be calculated as follows [19, 20]:

𝑄!=𝑃!+ 𝑅_! ! !!! 𝑅! _𝑅1 ! ! !!!       14 . 4.10 Utility of Each ISC Implementation

The utility degree of each implementation can be calculated based on its relative weight as follows [19, 20]:

𝑈_!= 𝑄! max !!!!!𝑄!

     (15)

for i = 1, 2, .., n. The implementation with the highest utility degree is considered the best ISC choice given the m security attributes.

5

Case Study

This section presents the results of an ISC evaluation case study using the proposed approach. The case study evaluates 10 ISCs based on the quality attributes identified in section 4.3. Using synthetic data for the identified quality attributes, an input matrix is generated for the features of the 10 ISCs listed above. After the features of all attributes have been aggregated using equation (3), the input matrix is reduced to a decision matrix represented by equation (4). Table 1 shows this reduced decision matrix. Next, the method based on statistical variance is applied on the decision matrix to synthesize attribute weights using equations (7) and (8). These weights (wj) are shown below the decision matrix in

Table 1. Next, the decision matrix is normalized using equations (9) and (10), after which the matrix is weighted using equation (11). Table 2 shows the weighted normalized matrix. Among the nine attributes considered in this case study, the importance of the features in the restrictions attribute ought to be minimized while that of the features in the remaining attributes ought to be maximized. As such, the restrictions attribute can be viewed as a cost while the remaining attributes can be viewed as benefits. Based on these considerations, equation (12) is applied to all attributes with the exception of the restrictions attribute on which equation (13) is applied. The obtained results are shown in the columns labeled Pj and Rj in Table 3. The computations

of determining costs and benefits of the appropriate attributes are used to compute the relative weights and utility of each ISC implementation as the columns labeled Qj and Uj in

Table 3 show.

As Table 3 shows, the most desirable ISC implementations are ISC 4 (100%), followed by ISC 2 (99.1%) and ISC 9 (98.4%). It is important to note that the evaluation of ISCs using this approach is fully dependent on the particular organization and its security objectives. This approach is highly customizable since it can accommodate different features and attributes for ranking ISC implementations. This is possibly the most meaningful contribution from this research. In addition, this approach can be easily implemented in a spreadsheet or software tool to help management select the right ISC implementation.

6

Conclusion

The research presented in this paper develops an innovative approach for evaluating the quality of ISCs in organizations based on a multiple quality evaluation criteria. Specifically, it presents a methodology that uses grey systems theory to create a unified measurement that represent how well an ISC implementation meets quality attributes and how important these attributes are for organizations. Through a case study, the approach is proven successful in providing a way for measuring the quality of ISCs for the security objectives of an organization.

Table 1. Decision matrix and synthesized weights after feature aggregation.

Table 2. Weighted normalized matrix.

Table 3. Relative weights and utility values of all ISC implementations.

There are several important contributions from this research. First, the approach is simple and can be easily implemented. This can promote usage in practical scenarios, where highly complex methodologies for ISCs selection are impractical. Second, the approach fuses multiple evaluation criteria and features to provide a holistic view of the overall ISC quality. Third, the approach is easily extended to include additional quality attributes not considered within this research. Finally, the approach provides a mechanism to evaluate the quality of ISCs in various domains. Overall, the approach presented in this research proved to be a feasible technique for efficiently evaluating the quality of ISCs in organizations.

7

References

[1] M. Schwartz, “Computer security: Planning to protect corporate assets,” Journal of Business Strategy, vol. 11, no. 1, pp. 38-41, January-February 1990.

[2] L. Volonino and S. R. Robinson, Principles and Practice of Information Security, Pearson Prentice Hall, Inc., New Jersey, 2004.

[3] E. Vaast, “Danger is in the eye of the beholders: Social representations of information systems security in healthcare,” Journal of Strategic Information Systems, vol. 16, no. 2, pp. 130-152, June 2007.

[4] T. Herath and H. R. Rao, “Encouraging information security behaviors in organizations: Role of penalties, pressures, and perceived effectiveness,” Decision Support Systems, vol. 47, no. 2, pp. 154-165, May 2009.

[5] L. Barnard and R. Von Solms, “A formalized approach to the effective selection and evaluation of information security

controls,” Computers & Security, vol. 19, no. 2, pp. 185-194, February 2000.

[6] A. Da Veiga and J. H. P. Eloff, “An information security governance framework,” Information Systems Management, vol. 24, no. 4, pp. 361-372, 2007.

[7] M. Karyda, E. Kiountouzis, and S. Kokolakis, “Information systems security policies: A contextual perspective,” Computer Security, vol. 24, no. 3, pp. 246-260, May 2004.

[8] C. Wood, “An unappreciated reason why security policies fail,” Computer Fraud and Security, vol. 2000, no. 10, pp. 13-14, October 2000.

[9] G. V. Post and A. Kagan, “Evaluating information security tradeoffs: Restricting access can interfere with user tasks,” Computers & Security, vol. 26, no. 3, pp. 229-237, May 2007. [10] R. Saint-Germain, “Information security management best

practice based on ISO/IEC 17799,” The Information Management Journal, pp. 60-66, July-August 2005.

[11] R. Baskerville and M. Siponen, “An information security meta-policy for emergent organizations,” Journal of Logistics Information Management, vol. 15, no. 1, pp. 337-346, 2002. [12] M. E. Whitman, A. M. Towsend, and R. J. Alberts,

“Information systems security and the need for policy,” in G. Dhillon, Eds. Information security management: Global challenges in the new millennium, pp. 9-18, Hershey, Pennsylvania, Idea Group Publishing, 2001.

[13] H. Van der Haar and R. Von Solms, “A model for deriving information security controls attribute profiles,” Computers & Security, vol. 22, no. 3, pp. 233-244, April 2003.

[14] G. J. Klir and B. Yuan, Fuzzy Sets and Fuzzy Logic: Theory and Applications, Prentice Hall, Upper Saddle River, NJ, 1995. [15] S. Liu and Y. Lin, Grey Systems: Theory and Applications,

Springer-Verlag, Berlin Heiderlberg, 2011. 1 2 3 4 5 6 7 8 9 10 u 3.78 9.92 8.97 12.61 13.34 9.57 8.30 12.90 9.04 16.23 8.53 5.00 2.67 2.85 u 4.46 3.24 5.15 5.24 l 6.97 19.10 11.47 12.46 10.60 16.40 12.21 11.39 12.00 13.18 10.95 1.43 3.16 6.20 3.43 2.86 4.35 2.69 12.28 9.02 9.31 15.28 11.27 11.06 14.44 14.06 15.54 17.36 l u 2.69 7.29 6.24 l u l u l u 7.04 14.23 11.30 17.18 18.49 13.91 7.42 15.73 12.54 16.42 8.88 4.60 3.03 3.00 7.03 6.60 7.87 5.12 3.83 4.46 8.00 16.55 6.81 13.87 14.91 14.24 10.15 7.96 12.95 12.54 11.44 4.27 4.58 5.67 5.91 6.68 2.09 6.20 5.34 3.81 3.84 16.23 16.45 7.91 10.43 10.23 10.39 15.23 9.30 13.73 16.46 3.39 3.61 7.01 6.06 7.64 4.71 4.84 2.42 6.20 2.39 4.34 4.48 l 4.34 11.78 16.35 13.93 15.99 13.54 9.74 11.46 16.94 14.56 12.08 3.87 3.61 2.20 5.98 2.56 u 7.50 5.04 4.87 5.38 5.19 8.11 3.48 3.56 u 4.46 6.95 2.74 6.98 l 4.80 5.85 13.69 10.64 12.29 10.60 11.45 12.22 10.50 12.12 15.80 14.01 6.77 4.20 5.45 2.53 6.49 6.39 3.94 l 3.95 8.59 10.9215.22 3.52 4.12 16.53 16.44 5.81 6.34 13.728.81 5.70 3.17 13.73 9.49 4.25 13.41 A9

C AoR T S1 S2 Sn O1 O2 On L1 SoA2 SoAn P1 P2 Pn

3.66 10.05 L2 Ln N O A Aw Tn E SoD l u 3.57 CM NS SoA1 ISC A1 A2 A3 A4 A5 A6 A7 A8 Wj 0.111 0.039 0.118 0.134 0.136 0.183 0.139 0.073 0.067 1 2 3 4 5 6 7 8 9 10

ISC _{C AoR}A1 _{T S1} A2_{S2 Sn O1 O2}A3 _{On L1} A4_{L2 Ln N} A5 _{O A Aw} A6_{Tn E SoD CM}A7 _{NS SoA1 SoA2}A8 _{SoAn P1} A9_{P2 Pn}

l u l u l u l u l u l u l u l u l u 0.016 0.004 0.263 0.017 0.017 0.002 0.016 0.004 0.009 0.005 0.013 0.002 0.006 0.006 0.016 0.011 0.253 0.008 0.013 0.012 0.353 0.022 0.022 0.006 0.009 0.003 0.008 0.005 0.017 0.003 0.005 0.009 0.022 0.008 0.308 0.008 0.021 0.011 0.319 0.021 0.021 0.005 0.010 0.005 0.011 0.007 0.017 0.002 0.006 0.004 0.018 0.007 0.240 0.004 0.020 0.008 0.361 0.024 0.024 0.001 0.009 0.005 0.012 0.004 0.012 0.003 0.005 0.009 0.021 0.008 0.291 0.010 0.018 0.008 0.279 0.026 0.026 0.003 0.013 0.004 0.009 0.007 0.011 0.002 0.005 0.005 0.018 0.008 0.322 0.004 0.027 0.008 0.337 0.019 0.019 0.005 0.010 0.002 0.007 0.008 0.017 0.002 0.005 0.005 0.013 0.012 0.319 0.005 0.008 0.005 0.021 0.003 0.005 0.008 0.022 0.005 0.224 0.011 0.011 0.009 0.305 0.014 0.014 0.003 0.009 0.003 0.012 0.004 0.021 0.001 0.005 0.003 0.015 0.005 0.322 0.006 0.005 0.014 0.002 0.007 0.003 0.019 0.007 0.253 0.010 0.022 0.011 0.369 0.014 0.014 0.002 0.010 0.004 0.023 0.013 0.334 0.017 0.017 0.006 0.009 0.003 0.008 0.011 0.019 0.003 0.006 0.006 0.016 0.007 0.251 0.012 0.024 0.012 0.383 0.023 0.023 0.006 0.011 0.002 0.015 1 0.324 0.009 0.338 0.806 2 0.405 0.011 0.416 0.991 3 0.352 0.012 0.362 0.863 4 0.405 0.008 0.420 1.000 5 0.375 0.009 0.376 0.897 6 0.399 0.013 0.408 0.972 7 0.368 0.013 0.377 0.900 8 0.367 0.013 0.376 0.897 9 0.400 0.009 0.413 0.984 10 0.365 0.015 0.373 0.889 Pj Rj Qj Uj ISC

[16] D. H. Jee and K. J. “A method for optimal material selection aided with decision making theory,” Material Design, 21, no. 3, pp. 199–206, June 2000.

[17] A. Shanian and O. Savadogo, “TOPSIS multiple-criteria decision support analysis for material selection of metallic bipolar plates for polymer electrolyte fuel cell,” Journal of Power Sources, vol. 159, no. 2, pp. 1095–104, September 2006. [18] R. V. Rao and B. K. Patel, “A subjective and objective

integrated multiple attribute decision making mehtod for material selection,” Materials and Design, vol. 31, no. 10, pp. 4738-4747, December 2010.

[19] E. K. Zavadskas, A. Kaklauskas, Z. Turskis, and J. Tamosatitiene, “Multi-attribute decision-making model by applying grey numbers,” Informatica, vol. 20, no. 2, pp. 305-320, 2009.

[20] E. K. Zavadskas, Z. Turskis, J. Tamosaitiene, and V. Marina, “Selection of Construction Project Managers by Applying COPRAS-G Method,” International Conference on Reliability and Statistics in Transportation and Communication, Riga, Latvia, pp. 344-350, October 2008.