Skip to main content

Research Repository

Advanced Search

CAESAR8: An agile enterprise architecture approach to managing information security risks

Loft, Paul; He, Ying; Yevseyeva, Iryna; Wagner, Isabel

CAESAR8: An agile enterprise architecture approach to managing information security risks Thumbnail


Paul Loft

Ying He

Iryna Yevseyeva

Isabel Wagner


In theory, implementing an Enterprise Architecture (EA) should enable organizations to increase the accuracy of information security risk assessments. In reality, however, organizations struggle to fully implement EA frameworks because the requirements for implementing an EA and the benefits of commercial frameworks are unclear, and the overhead of maintaining EA artifacts is unacceptable, especially for smaller organizations. In this paper, we describe a novel approach called CAESAR8 (Continuous Agile Enterprise Security Architecture Review in 8 domains) that supports dynamic and holistic reviews of information security risks in IT projects. CAESAR8’s nonlinear design supports continuous reassessment of information security risks, based on a checklist that assesses the maturity of security considerations in eight domains that often cause information security failures. CAESAR8 assessments can be completed by multiple stakeholders independently, thus ensuring consideration of their tacit knowledge while preventing groupthink. Our evaluation with experienced industry professionals showed that CAESAR8 successfully addresses real-world problems in information security risk management, with significant benefits particularly for smaller organizations.

Journal Article Type Article
Acceptance Date Aug 15, 2022
Online Publication Date Sep 6, 2022
Publication Date Nov 1, 2022
Deposit Date Sep 16, 2022
Publicly Available Date Sep 7, 2023
Journal Computers and Security
Print ISSN 0167-4048
Publisher Elsevier BV
Peer Reviewed Peer Reviewed
Volume 122
Article Number 102877
Keywords Law; General Computer Science
Public URL
Publisher URL


Downloadable Citations