Issue link: https://insights.oneneck.com/i/1476870
The CMIs used in this representation are as follows:

• Basic awareness program: If this were the only input, this organization would be at level 2.
• Security survey score: The results of this organization's security awareness assessment (on its own) would lead a model to believe they were in level 3.
• Phishing program structure and results: Strong results would indicate level 4.
• Other observed behaviors: Bringing in other observed behaviors (e.g., password hygiene and document sharing) provided evidence that this organization is in level 3.

Each of these CMIs, on its own, provides only part of the picture. But by looking at multiple CMIs, and because each CMI will have an associated weighting, the model will arrive much more accurately at an organization's score and maturity level. In this instance, the model would place the organization at level 3, "Programmatic Security Awareness & Behavior," because that's the aggregated score achieved by evaluating the available CMIs.

Other Ways of Using the Model

Another way the model can be used is in a more "unplugged" mode. This is how most non-KnowBe4 customers can leverage the SCMM. They can aggregate several of their own representative CMIs and anecdotes, and then use the model's maturity level descriptions as a guide.

[Figure 6. Maturity levels shown: Level 1 Basic Compliance; Level 2 Security Awareness Foundation; Level 3 Programmatic Security Awareness & Behavior; Level 4 Security Behavior Management; Level 5 Sustainable Security Culture. CMIs plotted: Basic Program, Survey Score, Phishing Program, Other Observed Behavior. Current Maturity Given Available Data = Level 3. The dashed red line represents breach likelihood and relative cost remediation. The solid blue line represents awareness/culture maturity gains at each stage of the model. Source: KnowBe4]

Figure 6: Example of the SCMM multiple CMIs of a single organization before arriving at the composite/average SCMM level.