RAISING EFFECTIVENESS OF ACCESS CONTROL SYSTEMS BY APPLYING MULTI-CRITERIA DECISION ANALYSIS: PART 1 – PROBLEM DEFINITION

. Currently, control of access to information and physical resources has become extremely important. Numerous methods and solutions for architecture of systems aimed at controlling physical access are available; however, there is little information about application of Multi-Criteria Decision Analysis methods when evaluating separate logical components, needed for the design of access control systems and their interconnection in the final architecture.This paper is the first part of a two-part article, discussing application of multi-criteria decision making for architecture of access control systems. The first part defines the problem and discusses the possibility to use Multi Criteria Decision Making techniques when designing access control systems, including risk analysis for specific criteria and practical application of the developed model. In the second part, the possible solution model will be presented.


Introduction
Rapid growth of networking technologies has increased risks of information security. As the platform of interacting technologies becomes more advanced, the composition and characteristics of infrastructure and data accessing are becoming more dynamic and more unpredictable (Jung, Joshi 2012). Access control systems (ACS) have different descriptions in the literature, but the main principle that remains the same -access control is the selective restriction of access to a place or other resource (RFC 4949 2007). They can be constructed in a variety of manners and based on physical attributes, sets of rules, lists of individuals or systems, or factors that are more complex. Recent developments of information technologies were very dynamic. Characteristics are (Tao, Zhang 2012) as follow: -The number of transacting entities is not fixed; -The relationship between these entities is very dynamic; -It is possible that the transaction is conducted in a fully automatic approach. Access control (AC) is one of critical security issues facing multi-agent systems. ACS aims at risk control, allowing or denying, limiting and revoking access. ACS can range from simple locks that keep outsiders away from private property to complex integrated security systems that combine different security methods -biometric systems, pin codes, radio frequency identification (RFID) cards, etc. Modelling of security policies, along with their realisation, must be an integral part of the network development process, to achieve an acceptable level of security for specific resources (Pavlich-Mariscal et al. 2010). Physical security takes a wider aspect. It also prevents unauthorised access to equipment, installations, material and documents, also protects against espionage, sabotage, damage or theft (FM 3-19.30 2001).
Effectiveness of ACS depends on multiple criteria. Nwamadi et al. (2012) proposed a multi-criteria ranking greedy algorithm for physical resource block allocation in multi-carrier wireless communications systems. Each of the criteria has different measurement units, different importance factors and depends on user rights and accessed object. Decision-making requires taking various points of view when dealing even with simplest objectives in design of ACS -finance, convenience, ethics, security, human resources, human rights, quality of service and more, depending on stake-holders or different requirements of the client. Development of ACS is a multi-criteria decision analysis (MCDA) problem. Ability of MCDA to solve problems of high uncertainty and deficiency of certain data is very important. One of the most important aspects of MCDA to be used in development of access control systems -it can deal with mixed sets of data, both quantitative and qualitative, including expert opinions. There are only few attempts (Azhar et al. 2012) to use MCDA when choosing a suitable access control system. There has been no methodology yet proposed for MCDA use in architecture of access control systems.
With increasing exposure and vulnerability to cyber-attacks and attacks related to security, it has become necessary to develop methodologies and systems that are capable of dealing with complex and multifaceted nature of decision situations encountered in security planning and management. For this reason El-Gayar and Fritz (2010)

Basic model of an access control system
The first generation of electronic security systems dates back as far as to the middle of the 19th century when McCulloh loop alarm system was designed. The first generation of ACS is still widely used (Trimmer 1999). ACS from this generation are mostly standalone card readers. The second generation of ACS with centralised card readers and little use of CCTV emerged at the end of World War II and is still used today. The fourth generation (the third since one is obsolete and not used anymore) is important in terms of technical advances of separate AC units, their integration and merging. The basic scheme of the fourth generation model for access control systems is presented in Fig. 1. The main objectives and their priorities that are the basis for MCDA must be determined taking into account possible countermeasures, policies and procedures, budget and other factors.
There are three self-explanatory categories of countermeasures (Norman 2007): -High tech countermeasures -electronic security systems, IT systems, phone security systems; -Low tech countermeasures -locks, landscape, lighting, etc.; -No tech countermeasures -policies and procedures regarding specific activities, security awareness, training, etc. There are different methodologies that are used to determine countermeasures, but the main points that are outlined in them are as follow: -Determination of critically sensitive areas with consequences and their weight (importance) values such as life loss, monetary loss, injuries, loss of business continuity, etc.; -Threat analysis, including possible threat actors and attack vectors with their weight values -such as small thieves, terrorists, activists, anarchists or other actors; -Evaluation of natural and existing countermeasures that do not need new implementations, but perhaps improvements -such as redistribution of lighting spots, etc.; -Determination of likelihood of attack and risks; -Determination of additional needed countermeasures and their prioritisation.

Model for determination of strategies and threats for an access control system
There are many available strategies to ensure AC. Indeterminate methods, such as brainstorming, lateral thinking (advised in De Bono 1977) and variation of inputs (people from different backgrounds offering their ideas), dominate among the methods for listing strategies and creating criteria trees. The aim of this research is to develop the use of attack trees in order to define threats for property and optimise the set of criteria for analysis as well as choose the best security strategies by using risk-based approach. The model consists of two main parts: (1) risk-based approach for selection of strategies and (2) multi-criteria assessment and determination of the most suitable strategies.

Risk based approach for selection of strategies
Risk-based approach is suitable for characterising specific values of an access control system in MCDA because of three strategies of risk-based approaches that can be closely associated with MCDA approach, as it is stated in (Klinke, Renn 2002): -Risk-based approaches include numerical thresholds (quantitative safety goals, exposure limits, standards, etc.); -Reduction activities derive from the application of the precautionary principle (examples are ALARA, i.e. as low as reasonably achievable, BACT, i.e. best available control technology, containment in time and space, or constant monitoring of potential side effects); -Standards derived from discursive processes such as roundtables, deliberative rule making, mediation, or citizen panels. Vandenbrink's flowchart of risk management standard ISO 27005 is shown in Fig. 2. The numerical values that risk analysis presents could be used to find the solution to the MCDA problem.
This method is superior to very loose methodologies such as brainstorming and other, mentioned in the beginning of the chapter, since it has strict rules and step-by-step guide of how and what should be achieved during each step. The chart of the steps is shown in Fig. 3. During the process of risk analysis, tolerable level of risk is determined. This variable is later used to solve the MCDA problem.

Determination of threats using attack trees
General attack trees are constructed and presented in Fig. 4 (Ingoldsby 2009), having in mind the attacker, i.e. from the attacker's point of view. The top-level node represents the root node with the objective that in case of access, control systems will be getting inside the area or facility by using any of the vulnerabilities. The attack-tree approach allows finding all possible attack methods and their implementation scenarios. Fig. 4. General flowchart diagram of attack trees (Ingoldsby 2009) Possibilities to enter an area or facility are very wide and when using non-formal approach, crucial values can be missed resulting in selection of an incorrect strategy and criterion.
Risk is usually calculated by combining two factors -attack probability and impact. This is important since in order to understand the risk and correctly evaluate the weights on criteria and strategies, model needs to include the impact that each of the attack scenarios could have on the victim.

Introduction of MCDA methodology for assessing control strategies
Developed model and determined steps of the methodology for ACS design are presented in Fig. 5. Two steps that need further explanation are listed below. First, the process should focus on the crucially important task: to determine the decision-maker and differentiate one from the problem analysis.
Different points of view are available for optimisation of the criteria tree and synthesising criteria into one optimality criterion (e.g. using cost benefit analysis in the fifth chapter of Getzner et al. 2004). The criteria tree is highly dependent on the priorities and strategies determined during the first step. The criteria set for assessment of ACS was determined based on risk analysis and investigation of attack tree peculiarities. It is presented in Fig. 6. The first step in building a criteria tree is deciding on the top-level criteria for ACS that will be broken down to smaller pieces during the process. These criteria could be cost, quality of service, speed of access, convenience and others. They exist in most other methods of MCDA, including general ones. Each group of criteria has different impact on decision weight (importance). The sub-criteria of each group have specific weights. Additionally, there were six criteria established for ACS, in order to help designing the criteria tree while designing ACS: -Implementation time. There might be additional security threats applicable to the public while the implementation of the system is not finalised; -Degree of risk reduction. It is the most important criterion and it must always be less than the tolerable risk; -Legal criteria. The use of technologies can be limited by legislation or directions of international units; If strategy is unacceptable against criteria, they should be crossed out and marked as blocking criteria.
Checking the strategies that can be dominating against the others.
The value is measured of each of the consequence from the point of view of each criterion. Relative scale can and should be used.
When attributing the best and attributing the best and worst decisions, the boundaries are set to list the values between criteria and value.
The weight values represent the relative importance of each criteria, taking into account the value system.
-The list of strategies are complete -The criteria tree is complete -Scores and weights are on the same scale -Value scores are judgementally independent -No blocking criteria is allowed to have values Fig. 6. Criteria tree for access control systems -Technological criteria. There are not only advantages in using particular technologies, but also disadvantages -the more complex system and technology is used, the more difficult it will be to support and match the technology with existing ones; -Cultural criteria are less strict than legal ones; nevertheless, they should be considered.
For example, in countries of radical Islam, women cover their faces; consequently, the use of biometric ACS based on face recognition is pointless. In some cases, system users may feel treated as criminals (for example, in case of fingerprint based access control systems) and try boycotting the use of such systems; -Geographic criteria are mostly used for bigger enterprises with offices dispersed throughout different geographic locations with different legal and cultural criteria, different technologies and technological freedom. In terms of the tree, it is important to check for overlapping of criteria and ensure that all criteria are included in the tree.
When assessing weights for values for each access control application, the importance of each criterion is not necessarily equal for each user.
Therefore, for each criterion is a number of criteria under consideration. The criteria weights for each user, transaction and problem under consideration could be customised as follows: The customised criteria: where q j -customised criterion weight = ( 1, ) j m ; ≥ 1 m and k j -customisation coefficient.

Reversing method and creating an access control system for optimised multi-criteria decision analysis values
In 2011-2013, while carrying out the project Creation of manifold access control service system, funded by MITA agency in order to create manifold access control system that would be universal and adaptable to otherwise diverse legal, cultural, technical and other requirements, analysis of access control systems according to the above developed model was made. Table 1 presents criteria using the designed manifold access control system. In the current architecture, universal controllers can be used to connect with other controllers, readers, biometric controls or other sort of equipment in hierarchical or parallel way. Because of this sort of functionality, the size of the network of access points can be reduced or expanded on the go without additional grand architectural solutions. Cost depends on client requirements. A network can consist of two controllers and few cheap RFID readers or key code panels. Quality of service It cannot be measured now, but the easy to use design and intuitive appearance should be easily accessible to the staff. Access speed Access speed is mostly determined by the end-point controllers. It depends on other factors identified by the client. If the client needs biometric access control system, it will be slower than RFID as well as more expensive.

Convenience
Convenience mostly depends on the end-point controllers that are used and previous experience of users. Implementation There are various ways to implement the whole network for access control system, but it is easy and intuitive. Degree of risk reduction Technically the degree of risk reduction is satisfactory for most of the small and medium enterprise. Legal It depends on the end-point controllers, but there are no legal issues with simplest RFID or key code locks in most of the countries. Technological Technological implementation and networking of controllers allow the client to avoid any technological issues. Cultural It is possible to avoid any cultural interferences by choosing the correct end-point controllers.

Geographic
Because of the universal character of the controllers of access control systems, they can be matched with almost any other equipment that operates according to widely accepted standards.
It is apparent that adaptation of multi-criteria decision analysis for the design of an access control system resulted in a highly flexible system based on multiple criteria. It can be adapted according to economic or technological needs of the client. In terms of the weighted value, the proposed system is superior to other systems that have been created using only technical evaluation.

Conclusions
The research developed a novel model, which is based on risk analysis and the possibility to apply MCDA of access control systems. The MCDA approach has an advantage versus commonly used purely technical analysis since it allows evaluation of not only technical parameters of access control systems, but also opposes them against economic, cultural, legal and other constraints, providing a balanced and economically reasonable decision.
The bigger part of the security externalities cannot be quantified in completely material manner since there are more components involved, such as prestige of the company, possible loss of clients or loss of service quality. Such factors are impossible to describe in a generalised model, but should also be included into a multi-criteria analysis. Similarly, it is impossible to correctly evaluate the effect of various normalisation methods or incorrect calculations while constructing a decision-making matrix and assigning values of weight.
It has been suggested to combine the multi-criteria evaluation of access control systems with generally used risk-based approach, common in implementation and development of information security measures. The main idea of the approach states that not only threat consequences should be evaluated, but weighted risks as well. Risk analysis should be applied not only while defining the strategy for an access control system, but also while evaluating different limiting criteria. Risk-based approach itself was integrated with attack tree method for identifying threats for access control system. Such integration provides a reliable method for identifying all possible threats and is much more convenient than commonly used brainstorming or checklist methods.
The criteria set for evaluating access control systems was determined. The application of MCDA methods allows making access control system more adaptable to rapidly changing environments. It makes an access control system more efficient in real time and uses extensive application domains.
This model is important in practical and scientific terms since it allows decision making in a complex process aimed at design of an access control system, taking into account different and often conflicting multiple criteria. Adaptation of the model was successfully used while designing a specific access control system.