Maturity Model

Use the industry's de-facto model to identify and benchmark the current maturity level of your security awareness program and determine a path to improvement.

Measuring Program Maturity


Established in 2011 through a coordinated effort by over 200 awareness officers, the Security Awareness Maturity Model™ enables organizations to identify and benchmark the current maturity level of their security awareness program and determine a path to improvement. The most successful and mature security awareness programs not only change behavior and culture but can also measure and demonstrate their value via a metrics framework.

Security Awareness Program Levels


A security awareness program does not exist in any capacity. Employees have no idea that they are a target, that their actions have a direct impact on the security of the organization, do not know or follow organization policies, and easily fall victim to attacks.

Compliance Focused 

The program is designed primarily to meet specific compliance or audit requirements. Training is limited to being offered on an annual or ad-hoc basis. Employees are unsure of organizational policies and/or their role in protecting their organization’s information assets.

Promoting Awareness & Behavior Change 

The program identifies the target groups and training topics that have the greatest impact in managing human risk and ultimately supporting the organization’s mission. The program goes beyond just annual training and includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behavior change. As a result, people understand and follow organization policies and actively recognize, prevent, and report incidents.

Long-Term Sustainment & Culture Change 

The program has the processes, resources, and leadership support in place for a long-term life cycle, including (at a minimum) an annual review and update of the program. As a result, the program is an established part of the organization’s culture and is current and engaging. The program has gone beyond changing behavior and is changing people’s beliefs, attitudes, and perceptions of security.

Metrics Framework 

The program has a robust metrics framework aligned with the organization’s mission to track progress and measure impact. As a result, the program is continuously improving and able to demonstrate return on investment. Metrics are an important part of every stage, and this level simply reinforces that to truly have a mature program, you must be able to demonstrate value to the organization.