10th edition of SANS Security Awareness Report® reveals growing urgency to strengthen human defenses as AI amplifies deception tactics.
The SANS Institute has released the 10th edition of its Security Awareness Report®, revealing that 80% of organizations now identify social engineering as the top human-related cybersecurity risk. The report highlights how AI-powered threats are intensifying the challenge, making it easier for attackers to craft convincing phishing, smishing, and vishing campaigns at scale.
Based on insights from over 2,700 security awareness professionals across 70+ countries, this year’s report—titled Embedding a Strong Security Culture—is the most comprehensive to date. It provides a global benchmark for organizations aiming to reduce human risk and build resilient security cultures.
“The launch of the 10th edition of our Security Awareness Report is a major milestone for us and our most ambitious and far-reaching report to date,” said Lance Spitzner, Technical Director of SANS Workforce Security & Risk Training. “Designed as a dual-purpose playbook, it empowers security awareness professionals to not only drive organization-wide behavior and culture change but also advance their careers.”
Key findings include:
- Top risks: Social engineering remains the dominant threat, followed by mishandling of sensitive data, weak passwords, and poor authentication practices.
- Program challenges: Time and staffing shortages continue to hinder program effectiveness, though tools like generative AI are helping teams scale their efforts.
- Maturity metrics: Programs with at least 2.8 full-time staff show greater success in influencing behavior, while sustained efforts over time correlate with cultural transformation.
- Career insights: The global average salary for security awareness professionals is $116,091, with North America leading at $129,961.
Spitzner added, “This year’s findings come against the backdrop of rising threats like deepfakes and generative AI. The report delivers timely, data-driven insights into how security teams are adapting and where gaps remain.”