10th edition of Security Awareness Report highlights AI-driven threats, program maturity, and the state of workforce resilience
The SANS Institute has released the 10th anniversary edition of its Security Awareness Report®, Embedding a Strong Security Culture, revealing that 80% of organizations identify social engineering as their number one human-related cyber risk. The findings come as generative AI tools enable attackers to launch more sophisticated and scalable phishing, smishing, and vishing campaigns, raising the stakes for human error.
Based on survey input from over 2,700 security awareness professionals across 70 countries, the report provides the most comprehensive benchmark to date on human risk and awareness program maturity. Notably, mishandling of sensitive data has now overtaken weak passwords as the second biggest human risk, reflecting evolving attack patterns and workforce challenges.
“Social engineering remains the top human risk by a wide margin, and AI is making these attacks more convincing and scalable than ever.”
— Lance Spitzner, Technical Director, SANS Workforce Security & Risk Training
The report also underscores persistent obstacles, with lack of time and staffing cited as the top barriers to building effective security awareness programs. According to the data, organizations require at least 2.8 full-time equivalents (FTEs) to meaningfully influence employee behavior, and four or more FTEs to shift organizational culture. Longevity also matters: sustained programs are more effective in building resilience and reducing human risk.
On career development, the survey found that the average global salary for security awareness professionals in 2025 is $116,091, with North America leading at $129,961.
“This year’s findings come against the backdrop of organizations facing rising threats like deepfakes and AI-enabled deception,” Spitzner added. “Our goal is to provide data-driven insights that help teams close gaps and strengthen human defense.”
