Defining the Security Awareness Maturity Model (SANS)


Last week we introduced the Security Awareness Maturity Model. Established in 2011, this maturity model enables organizations to identify where their security awareness program currently stands, where a qualified leader can take it, and the path to get there. Below we describe each stage of the maturity model. As you go through each stage, identify where your organization currently stands and where you want to go in the short term and the long term.

• Non-Existent: Program does not exist. Employees have no idea that they are a target or that their actions have a direct impact on the security of the organization; they do not know or understand organization policies, and easily fall victim to attacks.

• Compliance Focused: Program is designed primarily to meet specific compliance or audit requirements. Training is limited to an annual or ad-hoc basis. Employees are unsure of organizational policies and/or their role in protecting their organization's information assets.

• Promoting Awareness & Behavior Change: Program identifies the training topics that have the greatest impact in supporting the organization's mission and focuses on those key topics. Program goes beyond annual training and includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behavior change at work, at home, and while traveling. As a result, people understand and follow organization policies and actively recognize, prevent, and report incidents. You can begin to change behavior within several weeks, depending on the behavior you are targeting.