SANS report finds humans still the main attack vector as 80% of organizations flag social engineering as their number one risk

Al Bawaba

2 days ago

The latest survey data from SANS Institute, the world's most trusted provider of cybersecurity training, reveals that 80% of organizations rank social engineering as the number one human-related risk—an already formidable threat now supercharged by AI. As attackers use artificial intelligence to craft more convincing and scalable deception tactics, the stakes for human error have never been higher. The data was a key insight from the 10th anniversary edition of SANS Institute's Security Awareness Report®: Embedding a Strong Security Culture. The report is based on SANS's largest survey ever, with feedback from over 2,700 security awareness practitioners from more than 70 countries who shared their unique perspectives to create the most comprehensive and revealing report yet. Lance Spitzner, Technical Director of SANS Workforce Security & Risk Training, highlights the report's significance on its 10th anniversary: "The launch of the 10th edition of our Security Awareness Report is a major milestone for us and our most ambitious and far-reaching report to date. Designed as a dual-purpose playbook, it empowers security awareness professionals to not only drive organization-wide behavior and culture change but also advance their careers."Key Findings and Insights• Top human risks: This year's data makes it clear: social engineering remains the top human risk by a wide margin (according to 80% of respondents), with phishing still leading, and smishing and vishing attacks growing in both frequency and sophistication. In a shift from last year's results, incorrect handling of sensitive data has now taken the second spot, followed by weak passwords and poor authentication. These changes reflect the evolving ways in which humans remain the primary attack vector, and why targeted, behavior-focused training continues to be essential.• Program challenges: Lack of time and staffing remain the two biggest challenges limiting industry professionals from building and managing an effective program. The report emphasises the use of tools like Generative AI to help security teams accelerate their impact at a global scale.• Benchmarking and maturity: For the sixth year in a row, the data confirms that larger security awareness teams drive more mature programs. On average, it takes at least 2.8 dedicated FTEs to meaningfully influence behavior—and four or more FTEs to begin shifting organizational culture. But staffing isn't everything. Sustained effort over time matters just as much. The longer your program has been in place, the more likely it is to be improving processes, strengthening partnerships and effectively engaging the workforce to reduce human risk. • Career development: In 2025, the average global annual salary for individuals working in security awareness is $116,091. In terms of geography, North America has the highest average annual salary at $129,961, almost identical to 2024's findings. In Europe, the average annual salary is $93,661. Spitzner concludes: 'This year's findings come against the backdrop of organisations facing rising threats like generative AI, deepfakes and other emerging threats. The report delivers timely, data-driven insights into how security teams are adapting, where gaps remain and which strategies are moving the needle. In a field where human risk is still under-reported, this report shines a spotlight on one of cybersecurity's most urgent challenges.'
To read the full report and benchmark your program against industry standards, download the report here.