This lab builds a Security Program Maturity Benchmarking toolkit using a weighted maturity model across key security domains (governance, risk, IR, awareness, and technical controls).
I created a benchmarking environment, defined an assessment framework in YAML, ran maturity scoring, and generated reports + charts.
By the end of this lab, I was able to:
- Understand security program maturity assessment frameworks and methodologies
- Install and configure a benchmarking environment on Linux (Ubuntu 24.04)
- Analyze security program maturity using standardized metrics
- Develop Python scripts to automate security benchmarking processes
- Generate maturity reports and identify improvement opportunities
Prerequisites:
- Basic knowledge of cybersecurity frameworks (NIST, ISO 27001)
- Linux command-line familiarity
- Python basics (functions, loops, file I/O)
- Understanding of governance and security program concepts
Lab environment:
- OS: Ubuntu 24.04.1 LTS
- User: toor
- Tools:
  - Python 3 + pip
  - python3-venv
  - nano editor
  - pandas, pyyaml, matplotlib, seaborn
Project layout:
lab07-security-benchmark/
├── README.md
├── commands.sh
├── output.txt
├── requirements.txt
├── config/
│ └── framework.yaml
├── data/
│ ├── questions.yaml
│ ├── sample_responses.yaml
│ └── interactive_responses_YYYYMMDD_HHMMSS.yaml
├── scripts/
│ ├── benchmark_analyzer.py
│ ├── report_generator.py
│ ├── run_benchmark.py
│ ├── interactive_assessment.py
│ └── compare_assessments.py
├── reports/
│ ├── assessment_report.md
│ ├── domain_scores.png
│ └── assessment_trend.png
├── interview_qna.md
└── troubleshooting.md
In config/framework.yaml you define:
- domains + weights
- maturity levels (1–5)
- thresholds for scoring bands
Each domain in data/questions.yaml has questions with internal weights.
scripts/benchmark_analyzer.py:
- calculates domain maturity scores
- calculates overall weighted maturity
- maps score → maturity level (1–5)
scripts/report_generator.py generates:
- Markdown report: reports/assessment_report.md
- Bar chart PNG: reports/domain_scores.png
scripts/interactive_assessment.py collects responses interactively and saves them as a timestamped YAML file into data/.
scripts/compare_assessments.py compares multiple YAML assessments and generates:
- Trend chart: reports/assessment_trend.png
Setup:
sudo apt update && sudo apt install -y python3-pip python3-venv
mkdir -p ~/security-benchmark && cd ~/security-benchmark
python3 -m venv venv
source venv/bin/activate
pip install pandas pyyaml matplotlib seaborn
pip freeze > requirements.txt
python3 scripts/run_benchmark.py data/sample_responses.yaml
python3 scripts/interactive_assessment.py
python3 scripts/compare_assessments.py data/sample_responses.yaml data/sample_responses.yaml
The last command passes the same file twice only as a smoke test; for a real trend, pass the timestamped data/interactive_responses_*.yaml files from separate assessment runs.
This tool calculates:
- Domain Scores (0–100%)
- Overall Weighted Score (0–100%)
- Maturity Level (1–5) mapped from thresholds
- Gap analysis to highlight improvement priorities (lowest scoring domains)
Example computed output from sample responses:
- Overall Score: 63.9%
- Maturity Level: 2 – Developing
- Lowest domains: risk_management, incident_response
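The scoring pipeline above (per-question weights inside a domain, domain weights across the program, threshold bands to a 1–5 level, and lowest-domain gap analysis, plus the trend delta that compare_assessments.py charts) in working form. This is an added example, not the lab's own benchmark_analyzer.py or compare_assessments.py. The framework and responses are constructed inline in the shape the lab's YAML files take after yaml.safe_load(); the domain names, weights, question ids and thresholds are assumptions, with the level thresholds chosen so that 63.9% lands in level 2 (Developing) as in the lab's sample output.

```python
"""Weighted maturity scoring for a security program benchmark (added example)."""
from typing import Dict, List, Tuple

# Constructed framework (what config/framework.yaml + data/questions.yaml would load to).
FRAMEWORK = {
    "scale_max": 5,  # every question is answered on a 1-5 maturity scale (assumption)
    "domains": {
        "governance":         {"weight": 0.25, "questions": {"g1": 2, "g2": 1}},
        "risk_management":    {"weight": 0.20, "questions": {"r1": 1, "r2": 1}},
        "incident_response":  {"weight": 0.20, "questions": {"i1": 2, "i2": 1}},
        "awareness":          {"weight": 0.15, "questions": {"a1": 1}},
        "technical_controls": {"weight": 0.20, "questions": {"t1": 1, "t2": 1, "t3": 1}},
    },
    # Lower bound of the overall score (%) for each maturity level (assumed thresholds).
    "levels": [
        {"level": 1, "name": "Initial",    "min_score": 0},
        {"level": 2, "name": "Developing", "min_score": 50},
        {"level": 3, "name": "Defined",    "min_score": 70},
        {"level": 4, "name": "Managed",    "min_score": 85},
        {"level": 5, "name": "Optimizing", "min_score": 95},
    ],
}

# Constructed responses (data/sample_responses.yaml equivalent): question id -> answer.
RESPONSES_Q1 = {"g1": 4, "g2": 3, "r1": 2, "r2": 3, "i1": 3, "i2": 2,
                "a1": 4, "t1": 4, "t2": 3, "t3": 4}
# A later assessment in which risk management and incident response improved.
RESPONSES_Q2 = {**RESPONSES_Q1, "r1": 4, "r2": 4, "i1": 4, "i2": 3}


def domain_score(questions: Dict[str, float], responses: Dict[str, int],
                 scale_max: int) -> float:
    """Question-weighted mean of one domain's answers, as a percentage (0-100)."""
    total_weight = sum(questions.values())
    earned = 0.0
    for qid, q_weight in questions.items():
        if qid not in responses:
            # An unanswered question must not silently score as 0 or be skipped.
            raise ValueError(f"unanswered question: {qid}")
        answer = responses[qid]
        if not isinstance(answer, int) or not 1 <= answer <= scale_max:
            raise ValueError(f"answer for {qid} must be an int in 1..{scale_max}")
        earned += q_weight * answer / scale_max
    return 100.0 * earned / total_weight


def maturity_level(score: float, levels: List[dict]) -> Tuple[int, str]:
    """Highest level whose min_score the overall score reaches."""
    chosen = min(levels, key=lambda lv: lv["min_score"])
    for lv in sorted(levels, key=lambda lv: lv["min_score"]):
        if score >= lv["min_score"]:
            chosen = lv
    return chosen["level"], chosen["name"]


def run_assessment(framework: dict, responses: Dict[str, int], gap_n: int = 2) -> dict:
    """Domain scores, weighted overall score, maturity level and the lowest domains."""
    domains = framework["domains"]
    scores = {name: domain_score(d["questions"], responses, framework["scale_max"])
              for name, d in domains.items()}
    # Divide by the weight sum so a framework whose weights do not add up to 1.0
    # still yields a 0-100 score instead of a silently scaled one.
    weight_sum = sum(d["weight"] for d in domains.values())
    overall = sum(d["weight"] * scores[name] for name, d in domains.items()) / weight_sum
    level, name = maturity_level(overall, framework["levels"])
    gaps = sorted(scores, key=scores.get)[:gap_n]  # lowest-scoring domains first
    return {"domain_scores": scores, "overall": overall,
            "level": level, "level_name": name, "gaps": gaps}


def compare_assessments(framework: dict,
                        labelled: List[Tuple[str, Dict[str, int]]]) -> List[Tuple[str, float, float]]:
    """(label, overall score, change since the previous assessment) for each run."""
    trend, prev = [], None
    for label, responses in labelled:
        overall = run_assessment(framework, responses)["overall"]
        trend.append((label, overall, 0.0 if prev is None else overall - prev))
        prev = overall
    return trend


if __name__ == "__main__":
    result = run_assessment(FRAMEWORK, RESPONSES_Q1)
    for dom, sc in result["domain_scores"].items():
        print(f"{dom:<20} {sc:6.1f}%")
    print(f"overall {result['overall']:.1f}% -> level {result['level']} ({result['level_name']})")
    print("priority gaps:", ", ".join(result["gaps"]))
    for label, score, delta in compare_assessments(FRAMEWORK, [("Q1", RESPONSES_Q1), ("Q2", RESPONSES_Q2)]):
        print(f"{label}: {score:.1f}% ({delta:+.1f})")
```

Two choices worth carrying into the real scripts: an unanswered or out-of-range answer raises instead of being counted as zero, so a half-filled interactive_responses file cannot quietly drag a domain down, and the overall score is divided by the sum of the domain weights, so a framework.yaml whose weights were edited and no longer sum to 1.0 still produces a 0–100 figure.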
Security programs often improve slowly because maturity is not measured consistently. This lab demonstrates how organizations can:
- Benchmark progress across security domains
- Identify weak areas objectively
- Track improvements over time
- Create repeatable, evidence-driven reporting for leadership
- ✔ Functional benchmarking environment
- ✔ YAML-based maturity framework
- ✔ Automated maturity scoring scripts
- ✔ Markdown reporting + visualization
- ✔ Interactive assessment collection
- ✔ Multi-assessment trend comparison
This lab demonstrates how maturity models provide structured measurement of a security program using standardized and weighted metrics. By automating scoring + reporting, organizations can improve governance and prioritization decisions while tracking maturity growth over time.