Updates to Security Awareness Maturity Model

As we continue to grow and mature as a community, so to does our tools and resources. As such we have made some minor changes to the Security Awareness Maturity Model to better clarify what each stage is with more precise titles. The steps are the exact same to achieving each level. All we have done is better clarify what each one means. These changes are especially useful for when communicating to senior management about the status of your program and where you want to take it.

Non-Existent
Compliance Focused
Promoting Awareness & Behavior Change
Long Term Sustainment & Culture Change
Metrics Framework

As always, feedback appreciated. For more resources on planning your security awareness program, check out the Planning Resources section. Also, heads up I’m working on some ideas to tweak the Lessons Learned documents to be more behavior focused. More on that coming soon :)

About the Author

Lance Spitzner

Director, SANS Security Awareness

Lance Spitzner has over 20 years of security experience in cyber threat research, system defense and awareness and training. He helped pioneer the fields of deception and cyber intelligence with his creation honeynets and founding of the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Before working in information security, Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and