Managing IT-related security incidents are a growing important issue facing the organizations in IT security risk management. We have used design science approach to develop an artifact to measure different organizations capabilities and maturity to handle IT-related security incidents. In this paper, we present how we have tested and will test the artifact on several different Swedish organizations. The participating organizations come from both the private and public sectors and all organizations handle critical infrastructure which can be damaged if an IT-related security incident occurs. Organizations had the opportunity to evaluating the actual model itself but also to test the model by calculating the organization's escalation capability using a query package for self-assessment. In this paper, we present the results of the self-assessment which indicate an overall low level of maturity in Sweden. The most remarkable result was only 20% of the participating organizations in the study had "Knowledge and Education" maturity above the lowest levels.