SANS Security Awareness Report Offers New Insights with Record Number of Respondents

Bethesda, Md. – SANS Security Awareness, the leading provider in security awareness training, and a division of SANS Institute, announced today that they have released their 2018 Security Awareness Report. This report, entitled "Building Successful Security Awareness Programs", is focused on the primary issues security awareness professionals face: lack of time, budget and resources.

"Security awareness can be challenging, but it's necessary and it's worth the effort," says Lance Spitzner, Director, SANS Security Awareness. "With support, and by investing the necessary time, budget and resource in communicating the purpose and the value of security awareness to a business, it's possible to overcome any obstacles, and achieve a mature program that has a measurable impact on comprehension and competence across the entire organization."

The SANS Security Awareness Report was developed to enable security awareness professionals to make data-driven decisions on how to improve their security awareness programs. It also allows them to benchmark these programs against others. In short, its aim is to more definitively answer the question of what makes great security awareness programs a success. This year, data was analysed from over 1,718 respondents, providing even greater insight into how to benchmark and mature a security awareness program.

The survey data was examined in detail, in collaboration with researchers from The Kogod Cybersecurity Governance Center (KCGC), an initiative of American University's Kogod School of Business (KSB), to provide information on:

  • Security awareness program maturity by industry - Defense being the most mature, and manufacturing being the least.
  • Key blockers within an organization - Finance and operations departments contributing to the biggest challenges awareness professionals face.
  • Actionable insights and program initiatives awareness professionals should consider when growing their program.

"The report reveals that a clear majority (80%) of security awareness professionals see their awareness program activity as being only a portion of their overall job responsibilities," says Dan DeBeaubien, Product Director at SANS Security Awareness. "Many claim to have no budget for an awareness program, or to not know what their budget is; and most lack the skills or background required to effectively communicate the program to and engage with the workforce."

This report highlights those challenges, utilizing the Security Awareness Maturity Model© as a guide to identify the level of impact of an organization's program and how to measure human risk and change end-user behaviour.

For more detailed analysis and recommended action on improving security awareness, you can download the SANS 2018 Security Awareness Report here.

About SANS Security Awareness

SANS Security Awareness, a division of the SANS Institute, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their 'human' cyber security risk. SANS Security Awareness has worked with over 1,300 organizations and trained over 6.5 million people around the world. Security awareness training content is translated into over 20 languages and built by a global network of the world's most knowledgeable cyber security experts. Organizations trust that SANS Security Awareness content and training is world-class and ready for a global audience. The SANS Security Awareness program includes everything security awareness officers need to simply and effectively build a best-in-class security awareness program. For more information about training programs, please visit:

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.