SANS Security Awareness Maturity Model

One of the key take-aways from the 2018 Security Awareness Summit is how awareness programs are maturing, and yet organizations struggle to both measure and communicate that maturity to their leadership. The Security Awareness Maturity Model can help. Established in 2011 through a coordinated effort of over 200 awareness officers, more and more organizations are finding this to be a simple yet powerful tool both as a roadmap for their own program and a communication tool for leadership. Below is an overview of the model and how you can leverage it. The most successful, most mature, security awareness programs not only change behavior and culture but can also measure and demonstrate their worth via a metrics framework.

1. Nonexistent:

Program does not exist. Employees have little or no idea that they are a cyber target and that their actions have a direct impact on the security of the organization. They do not know or understand organization policies and easily fall victim to attacks.

2. Compliance-Focused:

Program is designed primarily to meet specific compliance or audit requirements. Training is limited to an annual or ad-hoc basis. Program success is measured by participation. Employees are unsure of organizational policies and/or their role in protecting their organization’s information assets.

3. Promoting Awareness & Behavior Change:

Program identifies the training topics that have the greatest impact in supporting the organization’s mission and focuses on those key topics. It goes beyond annual training and often includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behavior change at work and at home. As a result, people understand and follow organization policies and actively recognize, prevent, and report incidents. Program success expands to include a reduction in risk-related behavior and increased knowledge of policies.

4. Long-Term Sustainment & Culture Change:

Program has the processes, resources, and leadership support in place for a long-term life cycle, including at a minimum an annual review and update of the program. As a result, the program and the core principles of good cyber security behavior and learning are an established part of the organization’s culture. Program success extends to include widespread cultural acceptance of good cyber behavior (and rejection of poor behaviors) as well as general understanding and acceptance of the security awareness program and its value.

5. Metrics Framework:

Program is robust enough to provide metrics, such as progress and behavioral impact. As a result, the program is continuously improving and able to demonstrate return on investment. Although a metrics framework is listed as the last stage of the model, metrics are an important part of every stage. This stage further reinforces that to truly have a mature program, you must not only sustain a change in behavior and culture but also have the metrics to demonstrate that change and its value to your organization.

Your leadership knows and understands maturity models; they are the basis of much of their strategic planning regardless of their field (finance, operations, legal, etc.). To leverage the model, download our Security Awareness Maturity Model kit. The kit includes not only the model itself but also the Maturity Indicators Matrix, which identifies the indicators of each stage so you know what stage you are in, what metrics to use for that stage, and how to achieve the next level. Finally, what is great about the maturity model is that it also enables you to benchmark your program against others, as seen in the 2018 Security Awareness Report.

Establishing mature awareness programs is the foundation of everything we do at SANS Security Awareness, from leveraging the latest threat intel so we know precisely which behaviors to focus on, to using the latest learning modalities to engage people, communicate those behaviors, and measure their impact. To learn more about leveraging the maturity model and building next-generation awareness programs, attend the SANS two-day course on Establishing Mature Awareness Programs.