CAESAR8: an agile enterprise architecture approach to managing information security risks in business change projects

Date

2021-12

Publisher

De Montfort University

Type

Thesis or dissertation

Abstract

Implementing an Enterprise Architecture (EA) should enable organizations to increase the accuracy of information security risk assessments. Studies show that EAs provide a holistic perspective that improves information security risk management (ISRM). However, many organizations have been unable or unwilling to fully implement EA frameworks. The requirements for implementing an EA can be unclear, the full benefits of many commercial frameworks are uncertain, and the overheads of creating and maintaining EA artifacts are considered unacceptable, especially for organizations following agile business change programs or having limited resources. Following the Design Science Research methodology, this thesis describes a comprehensive and multidisciplinary approach to designing a new model that can be used for dynamic and holistic reviews of information security risks in business change projects. The model incorporates five novel design principles that are independent of any existing EA framework, security standard or maturity model. This new model is called CAESAR8 - Continuous Agile Enterprise Security Architecture Review in 8 domains. CAESAR8 incorporates key ISRM success factors that have been determined from root cause analysis of information security failures. Combining systems thinking with agile values and lean concepts in the design ensures that the impact of a change is considered holistically and continuously, prioritizing the EA process over the creation of EA artifacts. The inclusion of human behavioural science allows the capture of the diverse and often tacit knowledge held by the different stakeholders affected by a business change, whilst avoiding the dangers of groupthink. CAESAR8's presentation of the results provides an impactful and easy-to-interpret metric that is designed to be shared with senior business executives to improve intervention decisions.
This thesis demonstrates how CAESAR8 has been developed into a working prototype and presents case studies that describe the model in operation. A diverse group of experts were given access to a working IT prototype for a hands-on evaluation of CAESAR8. An analysis of their findings confirms the model's novel scientific contribution to ISRM.
