Maturity Model SANS SecAwareReport 2018

Last week (13 June) we announced the release of the 2018 Security Awareness Report. You can find an overview of the report in this blog post here. Today we are going to do a deep dive on one of the key findings: benchmarking your program. To do that we leverage the Security Awareness Maturity Model. Established in 2011 through a coordinated effort of over 200 awareness officers, the Maturity Model enables organizations to identify and benchmark the current maturity level of their security awareness program and determine a path to improvement. The most successful, most mature security awareness programs not only change behavior and culture but can also measure and demonstrate their worth via a metrics framework. You can benchmark the maturity of your program using the chart from the report (shown on the left). It shows the distribution of maturity levels based on data from over 1,700 awareness professionals. A description of each of the five stages follows.

  1. Non-existent: Program does not exist. Employees have little or no idea that they are a cyber target and that their actions have a direct impact on the security of the organization. They do not know or understand organization policies and easily fall victim to attacks.
  2. Compliance-Focused: Program is designed primarily to meet specific compliance or audit requirements. Training is limited to annual or on an ad-hoc basis. Program success is based on participation. Employees are unsure of organizational policies and/or their role in protecting their organization’s information assets.
  3. Promoting Awareness & Behavior Change: Program identifies the training topics that have the greatest impact in supporting the organization’s mission and focuses on those key topics. It goes beyond annual training and often includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behavior change at work and at home. As a result, people understand and follow organization policies and actively recognize, prevent, and report incidents. Program success expands to include a reduction in risk-related behavior and increased knowledge of policies.
  4. Long-Term Sustainment & Culture Change: Program has the processes, resources, and leadership support in place for a long-term life cycle, including at a minimum an annual review and update of the program. As a result, the program and the core principles of good cyber security behavior and learning are an established part of the organization’s culture. Program success extends to include widespread cultural acceptance of good cyber behavior (and rejection of poor behaviors) as well as general understanding and acceptance of the security awareness program and its value.
  5. Metrics Framework: Program is robust enough to provide metrics, such as progress and behavioral impact. As a result, the program is continuously improving and able to demonstrate return on investment. Although a metrics framework is listed as the last stage of the model, metrics are an important part of every stage. This stage further reinforces that to truly have a mature program, you must not only sustain a change in behavior and culture but also have the metrics to demonstrate it. Success further expands to include metrics that adapt to the security awareness topics at hand and show not only participation, compliance, and behavior improvement, but also changes in comprehension and cyber security competence across the organization.

Use this data to help you (and your leadership) better understand where your program currently is and where to take it. If you want to learn more about the Maturity Model or how to mature your awareness program, consider attending one of our upcoming two-day courses or summits.