Updates to Security Awareness Maturity Model

As we continue to grow and mature as a community, so to does our tools and resources. As such we have made some minor changes to the Security Awareness Maturity Model to better clarify what each stage is with more precise titles. The steps are the exact same to achieving each level. All we have done is better clarify what each one means. These changes are especially useful for when communicating to senior management about the status of your program and where you want to take it.

Non-Existent
Compliance Focused
Promoting Awareness & Behavior Change
Long Term Sustainment & Culture Change
Metrics Framework

As always, feedback appreciated. For more resources on planning your security awareness program, check out the Planning Resources section. Also, heads up I’m working on some ideas to tweak the Lessons Learned documents to be more behavior focused. More on that coming soon :)

About the Author

Lance Spitzner

Director, SANS Security Awareness

Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.