
Discerning the Intent of Maturity Models from Characterizations of Security Posture

January 2012 White Paper

In this paper, Rich Caralli discusses how using maturity models and characterizing security posture are activities with different intents, outcomes, and uses.


Software Engineering Institute


Maturity models in their simplest form are intended to provide a benchmark against which a characterization of achievement can be made. Maturity models typically represent a set of attributes, characteristics, patterns, or practices that are arranged in an evolutionary scale that represents measurable transitions from one level to another. In other words, maturity models depict the evolution or scaling of attributes, characteristics, patterns, or practices from some primitive state to a more advanced, or “mature,” state.

The “measurable transitions” in maturity models should be based on empirical data that has been validated in practice; that is, each step in the model should be able to be validated as being more “mature” than the previous step. Such validation is very difficult to do and is often lacking in maturity model representations.