Established in 2011 through a coordinated effort by over 200 security awareness officers, the Security Awareness Maturity Model™ has become the industry standard that organizations use not only to benchmark the maturity of their program, but also as a strategic roadmap to plan and communicate the impact of their program. What makes this model so powerful is that it lets organizations quickly determine why their program may not be having the impact they want, which proven steps they can take to mature their program, and how to communicate the value of the program to their leadership. Ultimately, this model enables organizations to effectively manage their human risk.
To help organizations better understand and leverage the model, we have created the Maturity Model Indicators Matrix. This detailed spreadsheet enables you to quickly determine the current stage of your program, the value of that stage, the metrics to use at each stage, and the steps to achieve the next stage. Here is a brief overview of each of the five stages.
- Nonexistent: A security awareness program does not exist in any capacity. Employees have no idea that they are a target or that their actions have a direct impact on the security of the organization; they do not know or follow organization policies, and they easily fall victim to attacks.
- Compliance Focused: The program is designed primarily to meet specific compliance or audit requirements. Training is offered only on an annual or ad-hoc basis. Employees are unsure of organizational policies and/or their role in protecting their organization’s information assets.
- Promoting Awareness & Behavior Change: The program identifies the target groups and training topics that have the greatest impact in managing human risk and ultimately supporting the organization’s mission. The program goes beyond just annual training and includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behavior change. As a result, people understand and follow organization policies and actively recognize, prevent, and report incidents.
- Long-Term Sustainment & Culture Change: The program has the processes, resources, and leadership support in place for a long-term life cycle, including (at a minimum) an annual review and update of the program. As a result, the program is an established part of the organization’s culture and is current and engaging. The program has gone beyond changing behavior and is changing people’s beliefs, attitudes, and perceptions of security.
- Metrics Framework: The program has a robust metrics framework aligned with the organization’s mission to track progress and measure impact. As a result, the program is continuously improving and able to demonstrate return on investment. Metrics are an important part of every stage, and this level simply reinforces that to truly have a mature program, you must be able to demonstrate value to the organization.
To learn more about leveraging the Security Awareness Maturity Model and establishing mature awareness programs, consider taking the two-day SANS course MGT433: Managing Human Risk: Mature Security Awareness Programs and earning the SANS Security Awareness Professional (SSAP) credential.