Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training, Courses, and Resources
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely.

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert

SANS Report Finds Humans Still The Main Attack Vector as 80% of Organizations Flag Social Engineering as Their Number One Risk

SANS Institute releases 10th edition of its Security Awareness Report®, used by cybersecurity teams to benchmark maturity and strengthen human defense against threats.

Bethesda, MD, Aug 13, 2025 – The latest survey data from SANS Institute, the world’s most trusted provider of cybersecurity training, reveals that 80% of organizations rank social engineering as the number one human-related risk—an already formidable threat now supercharged by AI. As attackers use artificial intelligence to craft more convincing and scalable deception tactics, the stakes for human error have never been higher. The data was a key insight from the 10th anniversary edition of SANS Institute’s Security Awareness Report®: Embedding a Strong Security Culture.

The report is based on SANS’s largest survey ever, with feedback from over 2,700 security awareness practitioners from more than 70 countries who shared their unique perspectives to create the most comprehensive and revealing report yet.

Lance Spitzner, Technical Director of SANS Workforce Security & Risk Training, highlights the report's significance on its 10th anniversary: "The launch of the 10th edition of our Security Awareness Report is a major milestone for us and our most ambitious and far-reaching report to date. Designed as a dual-purpose playbook, it empowers security awareness professionals to not only drive organization-wide behavior and culture change but also advance their careers."

Key Findings and Insights

  • Top human risks: This year’s data makes it clear: social engineering remains the top human risk by a wide margin (according to 80% of respondents), with phishing still leading, and smishing and vishing attacks growing in both frequency and sophistication. In a shift from last year’s results, incorrect handling of sensitive data has now taken the second spot, followed by weak passwords and poor authentication. These changes reflect the evolving ways in which humans remain the primary attack vector, and why targeted, behavior-focused training continues to be essential.
  • Program challenges: Lack of time and staffing remain the two biggest challenges limiting industry professionals from building and managing an effective program. The report emphasises the use of tools like Generative AI to help security teams accelerate their impact at a global scale.
  • Benchmarking and maturity: For the sixth year in a row, the data confirms that larger security awareness teams drive more mature programs. On average, it takes at least 2.8 dedicated FTEs to meaningfully influence behavior—and four or more FTEs to begin shifting organizational culture. But staffing isn’t everything. Sustained effort over time matters just as much. The longer your program has been in place, the more likely it is to be improving processes, strengthening partnerships and effectively engaging the workforce to reduce human risk.
  • Career development: In 2025, the average global annual salary for individuals working in security awareness is $116,091. In terms of geography, North America has the highest average annual salary at $129,961, almost identical to 2024’s findings. In Europe, the average annual salary is $93,661.

Spitzner concludes: “This year’s findings come against the backdrop of organisations facing rising threats like generative AI, deepfakes and other emerging threats. The report delivers timely, data-driven insights into how security teams are adapting, where gaps remain and which strategies are moving the needle. In a field where human risk is still under-reported, this report shines a spotlight on one of cybersecurity’s most urgent challenges.”

To read the full report and benchmark your program against industry standards, download the report here.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cybersecurity training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 85 courses at in-person and virtual cybersecurity events and OnDemand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 50 hands-on technical certifications in cybersecurity. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s and bachelor’s degrees, graduate certificates, and an undergraduate certificate in cybersecurity. SANS also delivers a wide variety of free resources to the InfoSec community, including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system—the Internet Storm Center. At the heart of SANS are the many security practitioners representing varied global organizations, from corporations to universities, working together to support and educate the global information security community.