CAESAR8: An agile enterprise architecture approach to managing information security risks

In theory, implementing an Enterprise Architecture (EA) should enable organizations to increase the accuracy of information security risk assessments. In reality, however, organizations struggle to fully implement EA frameworks because the requirements for implementing an EA and the benefits of commercial frameworks are unclear, and the overhead of maintaining EA artifacts is unacceptable, especially for smaller organizations. In this paper, we describe a novel approach called CAESAR8 (Continuous Agile Enterprise Security Architecture Review in 8 domains) that supports dynamic and holistic reviews of information security risks in IT projects. CAESAR8’s nonlinear design supports continuous reassessment of information security risks, based on a checklist that assesses the maturity of security considerations in eight domains that often cause information security failures. CAESAR8 assessments can be completed by multiple stakeholders independently, thus ensuring consideration of their tacit knowledge while preventing groupthink. Our evaluation with experienced industry professionals showed that CAESAR8 successfully addresses real-world problems in information security risk management, with significant benefits particularly for smaller organizations.