The SANS Institute’s 10th-edition Security Awareness Report confirms a troubling trend: 80% of organizations now name social engineering as their top human cybersecurity risk. The rise of AI-powered threats has made this danger more acute, enabling attackers to scale convincing phishing, smishing, and vishing attacks.
Based on survey responses from over 2,700 security awareness professionals in more than 70 countries, Embedding a Strong Security Culture serves as a global benchmark for organisations seeking to reduce human risk and build resilient security cultures.
Lance Spitzner, Technical Director of SANS Workforce Security & Risk Training, says: “This edition is our most ambitious and wide-reaching to date. It’s designed not just to help professionals change behaviour across organizations, but also to advance their careers.”
Key findings:
- Top threats: Social engineering still leads, with mishandling of sensitive information, weak passwords, and poor authentication trailing close behind.
- Programmatic barriers: Staffing shortages and lack of time remain the biggest obstacles. Generative AI is emerging as a tool that helps awareness teams scale up their efforts.
- Program maturity: Teams with about 2.8 full-time equivalent (FTE) staff tend to influence behaviour effectively; having four or more helps shift culture more deeply.
- Career & compensation: The global average pay for security awareness roles is US $116,091, with North America at about $129,961.
Spitzner adds: “With threats like deepfakes and sophisticated AI attacks on the rise, this report offers urgently needed data about what’s working — and where the gaps remain.”
