Gain Insight Into Where Your Organization Stands With the Security Culture Maturity Model

The Security Culture Maturity Model is an evidence-driven framework for understanding and benchmarking the current security-related maturity of an organization, industry vertical, region, or any measurable group.

Introducing the Security Culture Maturity Model

The data-driven and evidence-based Security Culture Maturity Model, developed by KnowBe4 Research, is the industry’s first maturity model specifically geared to measure security culture. The model is fueled by KnowBe4’s massive security awareness, behavior, and culture dataset.

Security Culture is defined as the ideas, customs, and social behaviors of a group that influence its security. Organizational leaders can use the model to visualize their current level of security culture and plan the steps required to progress from one level to another.

Download the Security Culture Maturity Model to explore:

  • The five levels of security culture maturity to help gauge where your organization stands
  • Details on how the model was built using KnowBe4’s deep expertise in data modeling and analysis
  • The framework behind Culture Maturity Indicators (CMI), such as phishing test results and knowledge assessments, and how these data points flow into the model

Get your copy of the maturity model now!

KnowBe4 Research Model for Visualizing Security Culture Maturity


The Five Maturity Levels

The model’s range runs from organizations with no formal or intentional awareness, behavior, or culture plan beyond achieving basic compliance (Level 1) all the way up to the most sophisticated organizations, which seek to push beyond the pack and actively work to shape even the unwritten rules and social dynamics of how their employees value security. Learn more about these levels below.

Level 1

Basic Compliance

  • Bare minimum of training
  • Limited metrics
  • “Check the box”

Level 2

Security Awareness Foundation

  • At least annual and onboarding training
  • Occasional phishing simulations
  • Focus on variety of content

Level 3

Programmatic Security Awareness & Behavior

  • Intentional awareness program with integrated tools
  • Quarterly training with simulated phishing
  • Focus on security-aware behaviors

Level 4

Security Behavior Management

  • Continuous training across varied delivery methods and audiences
  • Heavy use of integrated tools to inform training strategy
  • Program focused on real behavior change

Level 5

Sustainable Security Culture

  • Program that intentionally measures, shapes and reinforces security culture
  • Multiple methods of behavior-based encouragement
  • Security values woven through fabric of entire organization

The research produced a security culture score, a measurement that describes the overall security culture of an organization. By aggregating the scores of organizations in each industry, we can learn how each industry compares across the seven dimensions of security culture the research outlines. In general, a score below 80 is considered moderate, and a score below 60 is poor to moderate.

Why Is Security Culture So Important?

Your employees may have picked up bad security-related behaviors on their own or through a lack of organizational focus and discipline. These habits can be hard to break. Favorably changing employee behaviors by building a meaningful and relevant security culture can protect your organization and executives from brand damage, reputational loss, and financial hardship.

Your employees’ knowledge, beliefs, values, and behaviors will be the difference between protection and breach. That’s why focusing on security culture is so important. An organization’s employees are at the center of everything; they can either be easy prey, or they can become an effective human layer of defense.

KnowBe4’s Security Culture Expertise

KnowBe4 has more security culture experts and has invested more in the study of security culture than any other vendor. For example, KnowBe4 employees Kai Roer, Perry Carpenter, and Joanna Huisman are three of the world’s most well-known and respected security culture experts. Before Kai’s firm CLTRe merged with KnowBe4 to become KnowBe4 Research, he and his team had been providing consulting services, studying, and creating tools and processes to measure security culture for over a decade. Kai is also the author of the 2015 book “Build A Security Culture,” a go-to resource for security professionals looking to gain greater control of their organization’s security culture.

While at Gartner, Perry and Joanna headed up Gartner’s research efforts into security awareness, behavior management, and culture. As part of that, they worked with thousands of CISOs and security awareness leaders around the world, advised dozens of vendors, and spent hundreds of hours reading and authoring research into these topics.

Ready to explore the Security Culture Maturity Model and see where your organization fits in?
