
Measuring Program Maturity
SECURITY AWARENESS MATURITY MODEL™
Established in 2011 through a coordinated effort by over 200 awareness officers, the Security Awareness Maturity Model™ enables organizations to identify and benchmark the current maturity level of their security awareness program and determine a path to improvement. The most successful and mature security awareness programs not only change behavior and culture but can also measure and demonstrate their value via a metrics framework.
Security Awareness Program Levels
Nonexistent: A security awareness program does not exist in any capacity. Employees have no idea that they are a target or that their actions have a direct impact on the security of the organization, do not know or follow organization policies, and easily fall victim to attacks.
Compliance Focused: The program is designed primarily to meet specific compliance or audit requirements. Training is offered only on an annual or ad hoc basis. Employees are unsure of organizational policies and/or their role in protecting their organization’s information assets.
Promoting Awareness & Behavior Change: The program identifies the target groups and training topics that have the greatest impact in managing human risk and ultimately supporting the organization’s mission. The program goes beyond just annual training and includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behavior change. As a result, people understand and follow organization policies and actively recognize, prevent, and report incidents.
Long-Term Sustainment & Culture Change: The program has the processes, resources, and leadership support in place for a long-term life cycle, including (at a minimum) an annual review and update of the program. As a result, the program is an established part of the organization’s culture and is current and engaging. The program has gone beyond changing behavior and is changing people’s beliefs, attitudes, and perceptions of security.
Metrics Framework: The program has a robust metrics framework aligned with the organization’s mission to track progress and measure impact. As a result, the program is continuously improving and able to demonstrate return on investment. Metrics are an important part of every stage, and this level simply reinforces that to truly have a mature program, you must be able to demonstrate value to the organization.