CAESAR8: an agile enterprise architecture approach to managing information security risks in business change projects




De Montfort University


Thesis or dissertation

Peer reviewed


Implementing an Enterprise Architecture (EA) should enable organizations to increase the accuracy of information security risk assessments. Studies show that EAs provide a holistic perspective that improves information security risk management (ISRM). However, many organizations have been unable or unwilling to fully implement EA frameworks. The requirements for implementing an EA can be unclear, the full benefits of many commercial frameworks are uncertain, and the overheads of creating and maintaining EA artifacts are considered unacceptable, especially for organizations following agile business change programs or having limited resources. Following the Design Science Research methodology, this thesis describes a comprehensive and multidisciplinary approach to designing a new model that can be used for dynamic and holistic reviews of information security risks in business change projects. The model incorporates five novel design principles that are independent of any existing EA framework, security standard or maturity model. This new model is called CAESAR8 - Continuous Agile Enterprise Security Architecture Review in 8 domains. CAESAR8 incorporates key ISRM success factors that have been determined from root cause analysis of information security failures. Combining systems thinking with agile values and lean concepts in the design ensures that the impact of a change is considered holistically and continuously, prioritizing the EA process over the creation of EA artifacts. The inclusion of human behavioral science allows the capture of diverse and often tacit knowledge held by the different stakeholders affected by a business change, whilst avoiding the dangers of groupthink. CAESAR8’s presentation of the results provides an impactful and easy-to-interpret metric that is designed to be shared with senior business executives to improve intervention decisions.
This thesis demonstrates how CAESAR8 has been developed into a working prototype and presents case studies that describe the model in operation. A diverse group of experts were given access to a working IT prototype for a hands-on evaluation of CAESAR8. An analysis of their findings confirms the model’s novel scientific contribution to ISRM.