Security Culture Maturity Model

Introducing the Security Culture Maturity Model

The data-driven and evidence-based Security Culture Maturity Model, developed by KnowBe4 Research, is the industry’s first maturity model specifically geared to measure security culture. The model is fueled by KnowBe4’s massive security awareness, behavior, and culture dataset.

Security Culture is defined as the ideas, customs, and social behaviors of a group that influence its security. Organizational leaders can use the model to visualize their current level of security culture and plan the steps required to progress from one level to another.

Download the Security Culture Maturity Model to explore:

The five levels of security culture maturity to help gauge where your organization stands
Details on how the model was built using KnowBe4’s deep expertise into data modeling and analysis
The framework behind Culture Maturity Indicators (CMI), such as phishing test results and knowledge assessments, and how these data points flow into the model

Get your copy of the maturity model now!

KnowBe4 Research Model for Visualizing Security Culture Maturity

The Five Maturity Levels

The model’s range accounts for organizations with no formal or intentional awareness, behavior, or culture plan other than to achieve basic compliance (Level 1) all the way up to the most sophisticated organizations who seek to push beyond the pack and are actively working to shape even the unwritten rules and social dynamics of how their employees value security. Learn more about these levels below.

Level 1	Basic Compliance	Bare minimum of training Limited metrics “Check the box”
Level 2	Security Awareness Foundation	At least annual and onboarding training Occasional phishing simulations Focus on variety of content
Level 3	Programmatic Security Awareness & Behavior	Intentional awareness program with integrated tools Quarterly training with simulated phishing Focus on security-aware behaviors
Level 4	Security Behavior Management	Continuous training across varied delivery methods and audiences Heavy use of integrated tools to inform training strategy Program focused on real behavior change
Level 5	Sustainable Security Culture	Program that intentionally measures, shapes and reinforces security culture Multiple methods of behavior-based encouragement Security values woven through fabric of entire organization

The research provided a security culture score, which is a measurement that describes the overall security culture of an organization. By aggregating the scores of organizations in each industry, we can learn how each industry compares across the seven outlined dimensions of security culture. In general, a score below 80 is considered moderate, and a score below 60 is poor to moderate.

Why Is Security Culture So Important?

Your employees may have bad security-related behaviors either acquired on their own or through a lack of organizational focus and discipline. These habits can be hard to break. But in this case, favorably changing employee behaviors by architecting a meaningful and relevant security culture could protect your organization and executives from brand damage, reputational loss, and financial hardship.

Your employees’ knowledge, beliefs, values, and behaviors will be the difference between protection and breach. That’s why focusing on security culture is so important. An organization’s employees are at the center of everything; they can either be easy prey, or they can become an effective human layer of defense.

KnowBe4’s Security Culture Expertise

KnowBe4 has more security culture experts and has invested more in the study of security culture than any other vendor. For example, KnowBe4 employees Kai Roer, Perry Carpenter, and Joanna Huisman are three of the world’s most well-known and respected security culture experts. Before Kai’s firm CLTRe merged with KnowBe4 to become KnowBe4 Research, he and his team had been providing consulting services, studying, and creating tools and processes to measure security culture for over a decade. Kai is also the author of the 2015 book “Build A Security Culture,” a go-to resource for security professionals looking to gain greater control of their organization’s security culture.

While at Gartner, Perry and Joanna headed up Gartner’s research efforts into security awareness, behavior management, and culture. As part of that, they worked with thousands of CISOs and security awareness leaders around the world, advised dozens of vendors, and spent hundreds of hours reading and authoring research into these topics.

Ready to explore the Security Maturity Model and see where your organization fits in?