One of the biggest challenges I feel we face in security awareness is its lack of maturity. Many fields within information security have developed and matured over the years with entire frameworks built around them, fields such as penetration testing, system hardening, secure software development and digital forensics. However we have no framework or maturity model for awareness. The Security Awareness Maturity Model is an important first step to help address this. Developed by consensus from over twenty different organizations, this model helps organizations identify how mature (or immature) their program is and where they can take it. Learn more about each level by following the links below.
Level 1: Non-Existant Program
Level 2: Compliance Focused
Leven 3: Promoting Awareness & Change
Level 4: Long Term Sustainment
Level 5: Metrics
If you would like to get involved in the development of this model, or other free security awareness resources for the community, shoot me an email and I will add you to the STH-Community maillist.
About the Author
Lance Spitzner
Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, system defense and awareness and training. He helped pioneer the fields of deception and cyber intelligence with his creation honeynets and founding of the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Before working in information security, Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and