Strategically Managing Your Human Risk – Leverage the Security Awareness Maturity Model

Established in 2011 through a coordinated effort by over 200 security awareness officers, the Security Awareness Maturity Model™ has become the industry standard that organizations use not only to benchmark the maturity of their program, but also as a strategic roadmap to plan and communicate the impact of their program. What makes this model so powerful is that organizations can quickly determine why their program may not be having the impact they want, what proven steps they can take to mature their program, and how to communicate the value of the program to their leadership. Ultimately, this model enables organizations to effectively manage their human risk.


To help organizations better understand and leverage the model, we have created the Maturity Model Indicators Matrix. This detailed spreadsheet enables you to quickly determine the current stage of your program, the value of that stage, metrics to use for each stage, and steps to achieve the next stage. Here is a brief overview of each of the five stages.


  • Nonexistent: A security awareness program does not exist in any capacity. Employees have no idea that they are a target or that their actions have a direct impact on the security of the organization, do not know or follow organization policies, and easily fall victim to attacks.

  • Compliance Focused: The program is designed primarily to meet specific compliance or audit requirements. Training is limited to being offered on an annual or ad-hoc basis. Employees are unsure of organizational policies and/or their role in protecting their organization’s information assets.

  • Promoting Awar ..