search menu icon-carat-right cmu-wordmark

Discerning the Intent of Maturity Models from Characterizations of Security Posture

White Paper
In this paper, Rich Caralli discusses how using maturity models and characterizing security posture are activities with different intents, outcomes, and uses.

Software Engineering Institute


Maturity models, in their simplest form, are intended to provide a benchmark against which a characterization of achievement can be made. Maturity models typically represent a set of attributes, characteristics, patterns, or practices that are arranged in an evolutionary scale that represents measurable transitions from one level to another. In other words, maturity models depict the evolution or scaling of attributes, characteristics, patterns, or practices from some primitive state to a more advanced or “mature” state.

The “measurable transitions” in maturity models should be based on empirical data that has been validated in practice; that is, each step in the model should be able to be validated as being more “mature” than the previous step. This is very difficult to do and is often lacking in maturity model representations.