In our last post, we covered the SANS Security Awareness Maturity Model. The SANS model rates security awareness programs on a spectrum of 5 steps from Non-Existent to a program that continually updates content and measures the impact of security awareness.

At Haekka, we take a slightly different view of security awareness programs, something we call human risk maturity. We view security awareness from the perspective of the goal, or job to be done (JTBD).

> The JTBD of security awareness is two fold - 1) passing audits and 2) managing human risk.

The first JTBD, passing audits, is straightforward. Security awareness, and sometimes privacy, training is conducted on an annual basis. This addresses the audit requirements for common regulations and frameworks like HIPAA and SOC 2.

The second JTBD, managing human risk, is harder. Beyond audits, the maturity of a security awareness program is the maturity of managing human risk. Before we get into how security awareness manages human risk, we’re going to step up a few levels to address risk generally.

Effective information security programs are built around managing risk. To do this, security programs inventory assets and threats, measure the risk to each asset using a combination of likelihood and impact, and then manage those risks using controls. There is always some risk. You cannot completely eliminate all risk. But you can reduce it to a level that’s acceptable to operate your company.

Humans, your employees and teammates, represent a significant threat to every asset of your company. As such, human risk needs to be managed and mitigated using controls. While there are technical tools to mitigate human risk, good employee decision making is crucial to managing human risk. And good employee decision making is directly tied to your security awareness program.

Human Risk Maturity

We break human risk maturity into 4 stages. None of these stages are marked by metrics, like the SANS Security Awareness Maturity Model. All stages have the metrics required to accomplish the JTBD of that stage.

1. Non-Existent
   

We have this stage in common with SANS. In this stage, security training is not done. There are no tools to help employees with decision making. This is an uncommon stage as companies more and more at least have to pass audits.

2. Awareness
   

In this stage, basic security awareness training is delivered to all employees. The goal of this stage is to meet requirements for audits. This training is generic in nature - all employees receive the same training and the training does not cater to the company, market, or technology; here is a list of common security topics. Security awareness training in this stage is delivered on an annual basis. The only real metrics associated with this stage are evidence of completion of training, usually with a timestamp. Employees know security training is required but also know that the purpose in delivering it is to pass audits.

3. Engagement
   

Engagement is the stage when better employee decision making and security hygiene begin. In this stage, training is delivered in a continual basis. It is also relevant and interactive. Ideally, security topics are discussed between employees. Employees start to realize the importance of security. Metrics at this stage include engagement metrics like how often employees interact with content and security topics, what topics employees find the most useful.

4. Defense
   

In this stage, employees get access to tools, both products and workflows, they can use to make better security decisions. The most common tool used in this stage is phishing simulation. These simulations model real world attacks, measure employee response to these attacks, and then educate employees about sent attacks. These tools are delivered into the workflows where employees reside, most commonly email. The metrics asociated with this stage are use of tools.

5. Effectiveness
   

All too often, security awareness programs are top down only. They miss valuable information from the front lines, from employees. Employees across all groups, not just security personnel, are the best source of information about risk, threats, and controls. Fully mature human risk management programs capture information on an ongoing basis. This bottoms up information can then be used to inform higher level security program decisions and priorities.

----

Mature security awareness is not security awareness at all, but human risk management. Taking this different perspective can help deliver value to your overall security program.