Free Tool · 2 minutes · No account needed

Where does your program sit on the maturity curve?

Eight quick questions across the four SEAT pillars give you a directional maturity level, from Reactive to Embedded, and show your weakest pillar. It is a snapshot, not the full assessment, but it tells you where to look first.

84% of organizations still measure effectiveness by training completion, an activity metric
12% of practitioners can actually demonstrate program ROI (SANS, 2,700+ respondents)
5 × 4 · five maturity levels across four pillars: the SEAT map of where a program can go

The security awareness maturity model, briefly

Maturity is a spectrum, not a pass or fail. A program moves from reacting to compliance deadlines toward an embedded function that changes behavior and proves it works. SEAT maps that journey across five levels and four pillars, so "improve the program" becomes a specific, sequenced set of moves rather than a vague ambition.

The five levels

1 · Reactive
Compliance-driven. Activity happens because a deadline or auditor demands it. Little structure, no measurement beyond completion.
2 · Developing
Taking shape. A real program is forming, with some planning and more than just the annual training, but it is inconsistent and lightly resourced.
3 · Defined
Documented and consistent. Clear ownership, role-aware content, a repeatable calendar. The program runs on intent, not luck.
4 · Integrated
Measured and risk-tied. Outcomes are tracked, content responds to real risk and incidents, and feedback loops drive change.
5 · Embedded
Part of how work happens. Security is cultural, effectiveness is proven continuously, and the program is defensible to regulators and the board.

The four pillars

Strategy is the plan, ownership, and executive backing. Engage is how you reach and motivate people. Assess is how you measure understanding and risk. Train is the content and delivery. A program is only as mature as its weakest pillar, which is why this snapshot shows all four rather than a single score.

Why maturity, not completion

Completion rates tell you something happened, not whether risk went down. Regulations like NIS2 now require proof that controls actually work. Measuring maturity is how you show a program is reducing human risk over time, which is the difference between a busy program and an effective one.

Frequently asked questions

What is a security awareness maturity model?

A description of how a program progresses from reactive, compliance-driven activity toward an embedded, measurable program that changes behavior. SEAT uses five levels (Reactive, Developing, Defined, Integrated, Embedded) across four pillars (Strategy, Engage, Assess, Train).

What are the security awareness maturity levels?

Reactive (compliance-driven), Developing (a program is forming), Defined (documented and consistent), Integrated (measured and risk-tied), and Embedded (cultural, with effectiveness proven continuously).

How accurate is this self-check?

It is a directional snapshot from eight questions, not a substitute for the full SEAT assessment, which uses 26 questions and produces a defensible baseline with a prioritized roadmap.

Why measure maturity instead of training completion?

Completion measures activity, not effectiveness. Regulations like NIS2 require proof that controls work. Maturity measurement shows whether a program is actually reducing human risk.

Get the real baseline

This snapshot points the way. The full SEAT assessment is 26 questions, produces a defensible maturity baseline, maps to your compliance frameworks, and gives you a prioritized roadmap. No account needed, 10-15 minutes.
