Security Awareness Blog

Defining the Security Awareness Maturity Model

Last week we introduced the Security Awareness Maturity Model. Established in 2011, this maturity model enables organizations to identify where their security awareness program currently stands, where a qualified leader can take it, and the path to get there. Below we describe each stage of the maturity model. As you go through each stage, identify where your organization is today and where you want to go in the short term and the long term.

  • Non-Existent: Program does not exist. Employees have no idea that they are a target or that their actions have a direct impact on the security of the organization, do not know or understand organization policies, and easily fall victim to attacks.
  • Compliance Focused: Program is designed primarily to meet specific compliance or audit requirements. Training is limited to an annual or ad hoc basis. Employees are unsure of organizational policies and/or their role in protecting their organization's information assets.
  • Promoting Awareness & Behavior Change: Program identifies the training topics that have the greatest impact in supporting the organization's mission and focuses on those key topics. Program goes beyond annual training and includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behavior change at work, at home and while traveling. As a result, people understand and follow organization policies and actively recognize, prevent and report incidents. You can begin to change behavior within several weeks, depending on the behavior you are targeting.
  • Long-Term Sustainment & Culture Change: Program has the processes, resources and leadership support in place for a long-term life cycle, including at a minimum an annual review and update of the program. As a result, the program is an established part of the organization's culture and remains current and engaging. It takes a minimum of 3-5 years before you can effectively change culture.
  • Metrics Framework: Program has a robust metrics framework to track progress and measure impact. As a result, the program is continuously improving and able to demonstrate return on investment. This stage does not imply that metrics are absent from the earlier stages (they are part of every stage); it reinforces that to truly have a mature program, you must have metrics to demonstrate success.

In the coming weeks we are going to cover the key findings from the 2016 Security Awareness Report (to be released soon) and how organizations can leverage those lessons learned to build and measure a mature awareness program. To learn more about how your organization can leverage the Security Awareness Maturity Model, check out these upcoming webcasts and two-day courses.