The SANS Security Awareness & Culture Maturity Model – Now Easier to Use and More Actionable

The human element remains one of the most targeted and vulnerable areas in cybersecurity.

Authored by Lance Spitzner

The human element remains one of the most targeted and vulnerable areas in cybersecurity. As attackers continue shifting their tactics from targeting technology to targeting people, organizations are working hard to evolve how they secure the human element. The SANS Security Awareness & Culture Maturity Model offers a clear, structured framework to guide that evolution. It helps security teams benchmark their current program and provides a proven roadmap for building long-term impact and ultimately embedding a strong security culture.

What Is the SANS Maturity Model?

First developed in 2011 by a community of over 200 security awareness and culture professionals, the SANS model has been used by security teams worldwide. Over the years, we have learned a great deal and are excited to announce a new version of the model. While the majority of the model remains the same, two key updates stand out:

  • Stage 5 Renamed: Stage five, previously called “Strategic Metrics Framework,” is now “Optimization and Resilience.” While most of the steps remain the same, this renaming better aligns with how leaders perceive and leverage maturity models.
  • Stronger Emphasis on Culture: Stage four has been expanded to highlight building a strong security culture. As organizations have become far more effective at changing behaviors and managing human risk, this stage provides a clear path toward influencing how the workforce thinks and feels about security culture.

Here’s a closer look at each stage:

  1. Non-Existent: The program does not exist. Employees have no idea that they are targets or that their actions have a direct impact on the security of the organization; they do not know or follow organizational policies, and they easily fall victim to attacks. Value: None
  2. Compliance-Focused: The program is designed primarily to meet specific compliance or audit requirements. Training is limited to an annual or ad hoc basis. Employees are unsure of organizational policies and their role in protecting their organization’s information assets. Value: Meets audit, compliance and legal requirements.
  3. Promoting Awareness and Behavioral Change: The program identifies the top human risks to the organization and the behaviors that manage those risks. It goes beyond annual training and includes continual reinforcement throughout the year. More mature programs in this stage identify additional roles, departments, or regions with unique risks that require additional or specialized role-based training. Content is communicated in an engaging and positive manner that encourages behavior change. As a result, employees understand their role in cybersecurity, follow organizational policies, and exhibit key behaviors to secure the organization. Value: Changing workforce behavior and managing human risk.
  4. Long-Term Culture Change: The program has the processes, resources, and leadership support in place for long-term sustainment. In addition, the security team has moved beyond continuous training and is focusing on additional human-related drivers, such as simplifying security policies, improving workforce communications, supporting incentive programs, or improving how the security team partners with and enables other departments. As a result, security is an established part of the organization’s culture. Employees believe in, support, and prioritize security in their actions and processes. Value: Security is embedded in daily processes and priorities.
  5. Optimization and Resilience: The program has a robust metrics framework aligned with and supporting organizational mission and business goals. It measures not just behavior and culture, but also how these changes reduce risk and support leadership’s strategic priorities. As a result, the program is continuously improving and demonstrates clear return on investment. Value: Security becomes an organization-wide strategic capability.

How to Leverage the Model to Evolve Your Program

The maturity model isn’t just a model—it’s a proven roadmap. Here’s how to put it into practice:

Assess and Benchmark Your Current Maturity Level

Use the Maturity Model Indicators Matrix (included in the SANS 2025 Security Awareness Report®) to benchmark where your program currently stands. Look at factors such as who is involved in your program, what risks are managed, who you partner with, and which outcomes are measured.

Define a Realistic Path Forward

Progress one stage at a time. Jumping from compliance-focused to optimization is not practical or sustainable. Instead, identify the structural, scope, or metrics changes required to move to the next stage. Changing behaviors organization-wide can happen within months, but embedding a strong security culture organization-wide takes years.

Align Program Goals with Business Risks

To gain leadership support, position your efforts as part of the organization’s broader risk management strategy. Use data to identify top human risks and the behaviors that manage those risks. Determine what leadership cares about and align your initiatives with their priorities. For example, if leadership is focused on innovation, show how your efforts are enabling safe and secure adoption of Artificial Intelligence. If your leadership is focused on risk reduction, demonstrate how your efforts in creating a human sensor network are reducing attacker dwell time.

Build Cross-Functional Partnerships

Culture change requires collaboration; it is a team effort. Partner with departments like HR, Communications, Operations, and Finance to gain their support and embed secure practices into daily processes such as procurement, onboarding, application development, and project management. Building partnerships really means building trust, and this means taking time to meet and listen to others.

Measure What Matters

People often ask me what they should measure. The answer is easy: measure what you care about. In the case of changing people’s behavior and ultimately building a strong security culture, that means measuring behaviors, attitudes, perceptions, and beliefs.

For behaviors, identify the behaviors that contribute to your greatest risks, then measure how many people exhibit those behaviors. Examples include:

  • Are employees creating and using strong passwords?
  • Are they adopting multi-factor authentication (MFA)?
  • Are they securely sharing sensitive data?
  • Are they reporting suspected social engineering attacks?

For culture, measure what people think and feel about cybersecurity. Consider questions like:

  • Do employees feel security is their responsibility?
  • Do they trust the security team?
  • Do they find training relevant and useful?
  • Do they see policies as actionable or as blockers?

Final Thoughts

The SANS Security Awareness & Culture Maturity Model provides more than a way to categorize your security program—it enables strategic growth. By using it to guide your initiatives, communicate value to leadership, and build partnerships across departments, you can mature your program from reactive compliance to a proactive driver of organizational resilience.

A strong security culture is not built overnight. But with the right structure, support, and long-term vision, you will have an impact.

Download the SANS 2025 Security Awareness Report® for in-depth benchmarks, expert insights, and the full Maturity Model Indicators Matrix. See how your program compares to peers worldwide and get practical guidance to drive measurable change in behavior and culture.