Ebook Security Awareness Maturity Model v3


Leveraging the SANS Security Awareness Maturity Model to Effectively Manage Human Risk
Introduction

Organizations and security leaders are beginning to understand that cybersecurity is no longer just a technical challenge but also a human challenge. In fact, people are now the biggest driver of breaches, with employees involved in over 80%¹ of breaches globally. In many ways this is the result of organizations becoming so effective at using technology to secure technology that we have left the human vulnerable and are in fact driving threat actors to target people.

The key to managing human risk is establishing a mature security awareness program. Security awareness programs are a structured approach to changing and securing your workforce’s behaviors. The most mature programs go beyond just behavior and ultimately build a strong security culture. The key to a successful awareness program is following a proven roadmap that enables you to plan and measure your efforts. The SANS Security Awareness Maturity Model enables you to do just that.

¹ Verizon 2022 Data Breach Investigations Report


Key to Successful Awareness Programs

The definition of a mature security awareness program is its ability to effectively manage and measure your human risk. Working with hundreds of organizations at a global level, these are the key elements to building a strong program.

Team Size: Securing people is a human problem that requires people as the solution. You need to have a person dedicated full-time to leading your security awareness program. For organizations over 1,000 people in size, you may need more than one and most likely a dedicated security awareness team. The most mature programs often average 3-5 full-time employees dedicated to managing human risk.

Effective Engagement: To effectively engage, you must explain to people why they should care, why security is their responsibility, and how they benefit. Explain in people terms so security is easy to do. The easier a behavior is, the more likely people will exhibit it.

Integration with Security Team: Security awareness is no longer just a compliance effort to check the box; it is about managing human risk. As such, the security awareness team should be a part of and report to the security team.

Continuous Training: To effectively manage human risk you must be continuously communicating to, engaging, and training your workforce.

The SANS Security Awareness Maturity Model

The SANS Security Awareness Maturity Model is a powerful tool and detailed roadmap for building your security awareness program, no matter what stage your organization is at in your development.

The model helps organizations self-evaluate their current place on the cybersecurity evolutionary scale, learn to develop security operations further, and determine how to communicate strategy and results to leadership and sustain their support.

The following pages not only describe each stage of the model, but also the value of each stage, the indicators to determine which stage you are in, the metrics to use for each stage, and the steps to achieve the next level. The model is not only a way to benchmark your current program, but a roadmap on how to grow and mature your program.

[Figure: SANS Security Awareness Maturity Model™. Stages from left to right: Non-existent; Compliance-focused; Promoting Awareness & Behavior Change; Long-term Sustainment & Culture Change; Metrics Framework]

Stage 1 No Security Awareness

Description
Stage 1 is the most basic level of security awareness. In Stage 1, your security
awareness program does not exist. Employees have little knowledge that they could
be a target, or what to do if they are, and don’t understand that their actions directly
impact the organization’s security. There are no tracking metrics and no thought
given to how the organization can evolve its security awareness.

Value
Unsurprisingly, employees at Stage 1 companies don’t know or understand
security policies and best practices and are easy victims of cyberattacks.
Stage 1 organizations are at an incredibly high risk of failing to meet
compliance requirements and being compromised by human-driven
security incidents.

Program Indicators
There is no security awareness program and leadership does not
discuss security awareness.

People Indicators
Employees discuss security and exhibit secure behaviors
extremely rarely or never at all.

Stage 2 Compliance Focused

Description
A security program exists, but is designed to meet specific compliance or audit requirements and nothing more. Training is limited to an annual or ad hoc basis.

Value
Most employees are unsure of organizational policies and their role in protecting their organization’s information assets. While the program meets legal compliance requirements, the organization is still at significant risk of breaches because it’s not effectively managing its human risk.

Program Indicators
No strategic plan: Training topics are ad hoc and random. Training frequency is usually annual or sporadic.

Limited leadership support: Leadership aims to maintain compliance at minimum costs, with security awareness only considered during audits. Leadership perceives security as purely a technical issue.

Limited resources: The program lead is typically one person with additional (usually primary) responsibilities. Program leadership is a part-time job that often reports to compliance, audit, or governance teams.

Limited coordination: Partnerships with other departments and business units, such as communications and human resources, are nonexistent. Communication to the broader workforce is limited to annual training.

People Indicators
Because leadership doesn’t take security seriously, security training is essentially a box-ticking exercise viewed as something to be gotten over with or even a waste of time. Employees typically perceive security as solely an IT problem that has little to do with them. They sometimes have a negative perception of security and even the security team, and if employees can figure out and implement workarounds to security protocols, they will.

Time to Achieve: Within a Month
Time to achieve depends on the standards, regulations, or legal requirements to which the organization must adhere, but typically is relatively short and the overall effort minimal.

Potential Metrics
Metrics are basic and typically focus on process rather than effectiveness, including:
• Percentage of employees that have completed training
• Percentage of employees that have signed the acceptable use policy
• Number of on-site training sessions conducted annually
• Number and frequency of security awareness materials (such as newsletters or lunchroom posters) distributed

Steps to the Next Level
Because a strong security-driven culture must start at the top, it isn’t easy to evolve your organization past Stage 2 without leadership buy-in.
1. That means your first and most important step is identifying and gaining the support of the right C-suite and management stakeholders.
2. Next, create a project charter identifying essential elements such as scope, goals, objectives, assumptions, and constraints.
3. Identify who is responsible for the awareness program – this person should have a mix of soft and hard skills and be part of the security team – and dedicate them to the job full-time.
4. Create an advisory board, a team of people that can help security awareness professionals plan and maintain the program. Ideally your advisory board has individuals from various departments, including HR, marketing, and the C-suite.
5. Identify the top human risks you need to manage. This exercise may require a Behavioral Risk Assessment.
6. Identify critical behaviors to mitigate these risks and how you’ll communicate to, engage, and train your workforce in these behaviors.
7. Create an execution plan that includes milestones and the metrics you’ll use to gauge effectiveness (not just process).
8. Develop or purchase your training materials.
9. Have senior leadership announce your security awareness program, ideally at an all-hands meeting.

Stage 3 Promoting Awareness and Behavior Change

Description
Your program identifies and focuses on the target groups and training topics that have the most significant impact on keeping the organization safe. The program goes beyond sporadic or annual training in favor of regular and ongoing engagement, with content encouraging behavior change at work and home communicated effectively.

Value
Employees understand and follow organizational policies and actively recognize, prevent, and report incidents. Your organization meets its compliance requirements and can effectively manage and measure its human risk.

Program Indicators
Leadership support and active planning: Leadership understands and has committed to the need for managing human risk, and the program has an executive champion. A strategic plan identifies the project scope, goals, objectives, and reason for being.

Enhanced situational awareness: The security team knows the organization’s top human risks and any desired behaviors to manage those risks.

Baked-in security awareness: Security awareness is considered part of the organization’s overall security effort. The program lead works full-time on the project, has strong communication skills, and is part of the security team.

Cross-organizational effort: The program lead collaborates with various departments within the organization, including communications, HR, and the IT help desk, typically via the advisory board.

Ongoing engagement: The program works to positively engage the workforce, going beyond annual training in favor of continuous reinforcement throughout the year. Companies at Stage 3 also often conduct phishing and social engineering awareness training.

People Indicators
Employees understand that security isn’t just a problem to be left to technology and the IT team and that everyone has a responsibility to protect themselves and the organization’s assets. Employees proactively report any suspected attacks and incidents, and employees are engaged and ask meaningful questions after consuming security awareness information. Employees exhibit the behaviors learned in training during their day-to-day jobs and bring these behaviors home with them.

Time to Achieve: 3-6 months
Most organizations will see organization-wide behavior change within three to six months. For example, focused phishing training and simulations will likely result in a dramatic drop in phishing click-through rates within that period. However, keep in mind that it’s vital to be selective in the number of behaviors you’re trying to change. Not only does changing more behaviors take more time, but it can also become a change management issue if not handled properly. That’s why it’s important to prioritize your top human risks and the behaviors that help manage those risks. The fewer behaviors on which you focus, the more likely you’ll be able to change those behaviors.

Potential Metrics
Stage 3 metrics focus primarily on program effectiveness and ultimately depend on the behaviors you identify as being most important for managing human risk. Keep in mind that at every stage of the maturity model, it’s important to add new metrics while continuing to track the metrics implemented in previous stages. New metrics in Stage 3 include:
• Phishing simulation click and report rates
• Number of infected computers and devices each month
• Number of lost or stolen computers and devices each month
• Number of security policy violations

Steps to the Next Level
Because leadership is already engaged and the program can at least partially demonstrate its effectiveness through meaningful metrics, moving to the next level isn’t as complex as the previous stage.
1. Establish regular and engaging leadership updates on the program, its metrics, and effectiveness.
2. Constantly evaluate emerging and changing technologies, threats, business requirements, or standards to include in your program.
3. Conduct regular surveys and assessments to determine the current state of awareness and associated behaviors in the organization.
4. Schedule a comprehensive program review date, where the advisory board can closely examine the program and update elements as necessary.
5. Expand your modalities to scale and even better engage the workforce through initiatives such as ambassador programs, gamification, and open-source intelligence (OSINT) briefs for senior executives.
6. Build outreach and communication efforts into as many security initiatives as possible to build engagement and momentum.

Stage 4 Long-term Sustainment and Culture Change

Description
Your program has the processes, resources, and leadership support required to live indefinitely and has become an established part of your organization’s culture. It’s current, engaging, constantly evolving, and goes beyond simply changing behavior in favor of changing employee beliefs, attitudes, and perceptions of security.

Value
Your organization easily meets compliance requirements, manages its human risk, and has developed a strong security-driven culture that enables and promotes the success of all other security initiatives in a virtuous cycle. Security is built into almost all operational aspects of the organization.

Program Indicators
Strong leadership support: Leadership believes in and has invested in the program for the long term. The program lead actively updates leadership every month, and multiple FTEs work on the program.

Regular reviews and engagement: The program is actively reviewed and updated annually and engages with multiple target groups with unique training requirements (including skills-based training for IT and developers).

A symbiotic relationship: The security team believes in investing in human awareness as much as technical controls, and employees view the security team as a trusted partner in their day-to-day jobs.

Organization-wide engagement: Training modalities, such as security ambassador or gamification programs, engage employees from every department and business unit across the organization.

People Indicators
Good security practices are part of every employee’s day-to-day operations and attitudes, with many employees taking the initiative to educate their peers on good security practices. Employees often suggest new ways the organization can improve security. Departments and business units ask for security briefings and updates, with department leads requesting security reviews and audits and a spirit of competition emerging between departments over who has the best security practices and discipline. The security team and their efforts are perceived positively by the rest of the workforce.

Time to Achieve: 3-10 years
Reaching this level typically takes between three to 10 years of development, depending on your organization’s size, complexity, age, and culture. We recommend not focusing on changing your organization’s culture during this stage. Indeed, to reach Stage 4 of the Security Awareness Maturity Model, security is already a significant cultural driver in your organization. Instead, we recommend aligning any further changes within your organization’s existing culture.

Potential Metrics
Stage 4 focuses on impacting culture and can take 3–10 years depending on the size, complexity and age of your organization and its culture. For this stage, we recommend not focusing on changing your organization’s culture, but embedding security into and aligning with your organization’s existing culture. New metrics in Stage 4 include:
• Periodic surveys measuring people’s attitudes, perceptions, and beliefs toward information security
• Number of employees or departments requesting security briefings or updates
• Number of employees submitting ideas on how to improve security
• Number of employees attending optional events
• Number of requests for immediate family to take the training

Steps to the Next Level
Set up a comprehensive metrics dashboard combining all information and measurements from the various maturity levels, combined with technical security metrics, and aligned with the organization’s overall mission of tracking progress, measuring impact, and continuous improvement.

Stage 5 Metrics Framework

Description
Stage 5 is the final evolutionary benchmark on the SANS Security Awareness Maturity Model. As a Stage 5 organization, your program’s robust metrics framework is aligned with the organization’s mission to track progress and measure impact for continuous improvement. The program can easily demonstrate ROI. Although metrics are an essential part of every stage, Stage 5 reinforces that a mature program must be able to demonstrate tangible impact.

Program Indicators
Ongoing analysis with intelligent automation: Metrics are collected on an ongoing basis and consistently scrutinized to reveal patterns and insights. Most organizations automate the data collection function because of the frequency and amount of data collected.

Framework integration: Metrics are integrated into reputable, third-party security frameworks such as the NIST Cybersecurity Framework or the latest version of CIS Controls (formerly known as Critical Security Controls).

Refined audience: Different target audiences receive different metrics, depending on relevancy.

People Indicators
Leadership actively requests, uses, and analyzes security awareness metrics to measure organizational progress and compare the effectiveness of individual departments or business units.

Potential Metrics
Metrics include data points from all stages of the maturity model, and should be combined into a single dashboard or user-friendly interface that can provide data visualizations for analysis and stakeholder reporting. Metrics must be measured over time to demonstrate long-term impact and uncover trends that may not be noticeable within time-limited datasets. Additional Stage 5 metrics can include:
• Number of incidents
• Time to detect an incident
• Time to recover from an incident

Mature Your Program With SANS Security Awareness

SANS is the most trusted and largest source for information security training and security certification in the world. Our Security Awareness solutions have been built using SANS expertise to help transform your organization’s ability to measure and manage human risk.

EndUser Training
Results-focused cybersecurity training to manage human risk. Authored by SANS experts and designed by adult learning specialists, our engaging, modular, and multilingual content reduces training fatigue and increases comprehension by tailoring your security awareness training program to the issues relevant to your organization.

Specialized Training
Support targeted instruction for focused responsibilities. Cybersecurity training is essential for all. Some sectors require even greater specialized training, such as developing secure web apps, understanding NERC CIP policy requirements, or handling Industrial Control System (ICS) incidents.

SANS Phishing
Reduce human risk with real-world phishing simulation programs. Keep employees at the highest level of security awareness through continuous training and testing. The SANS phishing platform allows you to control every aspect of your phishing awareness program, with pre-configured or customizable phishing tests, just-in-time training, and automated remedial courses.

Improve Your Organization’s Security Awareness with SANS

This guide provides an industry-proven benchmark of your organization’s current level of security awareness, along with guidelines and a roadmap for developing an ever-more sophisticated approach to managing your organization’s human risk. Indeed, any organization – no matter where it currently lives on the maturity scale – can leverage the SANS Security Awareness Maturity Model to manage, measure, and improve its level of human risk.

You can also leverage SANS’ best-in-class security awareness training solutions to accelerate your organization’s transformation to a security-driven culture. Expertly created, timely, and comprehensive training is a strong foundation for building a powerful program that embodies all organizational needs and individual learning levels.

Learn more about SANS security awareness training

SANS Cybersecurity Courses & Certifications

SANS MGT433 Managing Human Risk: Mature Security Awareness Programs
This intense two-day course provides the tools required to build a mature awareness program that proactively engages your workforce and has a measurable impact.

SANS MGT521 Leading Cybersecurity Change: Building a Security-Based Culture
Designed for senior security leaders and experienced awareness officers, this advanced five-day course provides the skills, models, and frameworks necessary to build, manage, and measure a strong security culture at your organization.

View the complete list of cybersecurity courses and certifications here.

About SANS

Launched in 1989 as a cooperative for information security thought leadership, SANS’ ongoing mission is to empower cybersecurity professionals with the practical skills and knowledge they need to make our world a safer place. We fuel this effort with high quality training, certifications, scholarship academies, degree programs, cyber ranges, and resources to meet the needs of every cyber professional. Our data, research, and the top minds in cybersecurity collectively ensure that individuals and organizations have the actionable education and support they need.

Find SANS training and certifications