Bethesda, MD, Aug. 14, 2025 (GLOBE NEWSWIRE) — The latest survey data from SANS Institute, the world's most trusted provider of cybersecurity training, reveals that 80% of organizations rank social engineering as the number one human-related risk, an already formidable threat now supercharged by AI. As attackers use artificial intelligence to craft more convincing and scalable deception tactics, the stakes for human error have never been higher. The data was a key insight from the 10th anniversary edition of SANS Institute's Security Awareness Report®: Embedding a Strong Security Culture.
The report is based on SANS's largest survey ever, with feedback from over 2,700 security awareness practitioners from more than 70 countries who shared their unique perspectives to create the most comprehensive and revealing report yet.
Lance Spitzner, Technical Director of SANS Workforce Security & Risk Training, highlights the report's significance on its 10th anniversary: “The launch of the 10th edition of our Security Awareness Report is a major milestone for us and our most ambitious and far-reaching report to date. Designed as a dual-purpose playbook, it empowers security awareness professionals to not only drive organization-wide behavior and culture change but also advance their careers.”
Key Findings and Insights
- Top human risks: This year's data makes it clear: social engineering remains the top human risk by a wide margin (according to 80% of respondents), with phishing still leading, and smishing and vishing attacks growing in both frequency and sophistication. In a shift from last year's results, incorrect handling of sensitive data has now taken the second spot, followed by weak passwords and poor authentication. These changes reflect the evolving ways in which humans remain the primary attack vector, and why targeted, behavior-focused training continues to be essential.
- Program challenges: Lack of time and staffing remain the two biggest challenges limiting industry professionals from building and managing an effective program. The report emphasizes the use of tools like generative AI to help security teams accelerate their impact at a global scale.
- Benchmarking and maturity: For the sixth year in a row, the data confirms that larger security awareness teams drive more mature programs. On average, it takes at least 2.8 dedicated FTEs to meaningfully influence behavior–and four or more FTEs to begin shifting organizational culture. But staffing isn't everything. Sustained effort over time matters just as much. The longer your program has been in place, the more likely it is to be improving processes, strengthening partnerships and effectively engaging the workforce to reduce human risk.
- Career development: In 2025, the average global annual salary for individuals working in security awareness is $116,091. In terms of geography, North America has the highest average annual salary at $129,961, almost identical to 2024's findings. In Europe, the average annual salary is $93,661.
Spitzner concludes: “This year's findings come against the backdrop of organisations facing rising threats like generative AI, deepfakes and other emerging threats. The report delivers timely, data-driven insights into how security teams are adapting, where gaps remain and which strategies are moving the needle. In a field where human risk is still under-reported, this report shines a spotlight on one of cybersecurity's most urgent challenges.”
To read the full report and benchmark your program against industry standards, download the report here.
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cybersecurity training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 85 courses at in-person and virtual cybersecurity events and OnDemand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 50 hands-on technical certifications in cybersecurity. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's and bachelor's degrees, graduate certificates, and an undergraduate certificate in cybersecurity. SANS also delivers a wide variety of free resources to the InfoSec community, including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners representing varied global organizations, from corporations to universities, working together to support and educate the global information security community. sans.org
Ioiana Pires Luncheon
SANS Institute
+31615357364
Iluncheon@sans.org