Security Awareness Maturity Model - Levels 1 & 2

In my previous post I introduced the Security Awareness Maturity Model, a tool to help you and your organization identify how mature your security awareness program is and where you can take it.  I would like to cover this model in more detail, specifically the first two of the five levels. Level 1:  No Security Awareness Program Okay, this is pretty simple, there is no awareness program, there is no attempt to train and educate the organization.  As a result people do not know or understand organizational policies and procedures, do not realize they are a target, and are highly vulnerable to most human based attacks. Only about 30% of the organizations I run into have absolutely no awareness program.  Instead I find most organizations are at Level 2.  This actually may not be a good thing. Level 2: Compliance Focused This is an awareness program designed primarily to meet specific compliance or audit requirements.  Training is limited to annual or ad-hoc basis, such as an onsite presentation once a year or quarterly newsletters.  There is no attempt to change behavior.  A a result, employees are unsure of organizational policies, their role in protecting their organization's information assets and how to prevent, identify or report a security incident.  To be honest this is where I find most organizations are at.  If you ask if they have a security awareness program they say "Kind of".   The danger with this is management believes you are doing 'something', that since you have some type of awareness program employees are secure and there is nothing else to be concerned about.  In other words, this creates a false sense of security.  In reality you are most likely just as vulnerable, and have the same amount of risk as Level 1.  Management just does not realize it.