SANS 2025 Security Awareness Report
Content Written For:
Small & Medium Businesses
Large Organisations & Infrastructure
Government
10 Years On, a Decade of Data Reframes Human-Centric Cyber Resilience
In its tenth edition, the SANS 2025 Security Awareness Report offers a sobering yet insightful longitudinal view into the evolving state of human risk in cybersecurity. Drawing on responses from over 2,700 security awareness practitioners across 70+ countries, this year’s report affirms a long-standing reality: technology alone cannot mitigate behavioural risk. It must be matched by deliberate cultural transformation—driven by dedicated, embedded programs and sustained leadership support.
For CISOs and security program leaders, the findings provide data-backed clarity on where to allocate resources, how to measure maturity, and which strategic levers—people, time, and communication—are most effective in embedding a security-first culture.
Key Insights for Security Leaders
1. Security Awareness Maturity is Predictable—but Underfunded
The report reinforces that program maturity scales with team size and longevity. Programs that change user behaviour at scale have on average around 2.8 full-time equivalents (FTEs) dedicated to awareness, while embedding a resilient security culture typically takes 4 or more FTEs sustained over 5 to 10 years. These are averages across respondents rather than hard thresholds: a smaller team can still make progress, but the data tie maturity to headcount and tenure, not to the platform in use.
Strategic takeaway: Without sustained investment in people, not just platforms, organisations will remain stalled in “compliance mode,” unable to meaningfully reduce human cyber risk.
2. Social Engineering Reigns as Top Human Risk—Again
Social engineering continues to dominate as the top human-centric threat vector, particularly phishing (email), vishing (voice) and smishing (SMS). These attacks are being accelerated by the misuse of AI-generated deepfakes and voice cloning, which make impersonation of executives, suppliers and help desks cheaper and more convincing across mobile and hybrid workforces. Technical controls narrow the blast radius (phishing-resistant MFA limits what a harvested password is worth), but they do not stop a convincing phone call requesting a payment change or a password reset; for those, a workforce that recognises the pretext and knows how to verify and report it remains the control.
CyberPulse relevance: Our Managed Security Awareness Education and Dark Web Monitoring services help organisations prepare their workforce for modern social engineering, including deepfake simulations and targeted phishing drills.
3. AI is Rising—But Guidance is Lacking
Security teams are grappling with how to integrate AI responsibly. Respondents cited AI as a growing risk area, with confusion about what to put in policy, who governs it, and how to educate users. The tools themselves are not inherently insecure; the problem is that adoption is outpacing internal risk governance, so basic questions such as which tools are approved, what data may be entered into them, and how AI-assisted output is reviewed often go unanswered while staff are already using them.
CyberPulse point of view: We advise clients via vCISO services and cloud maturity assessments on secure GenAI adoption and AI policy design that aligns with their threat exposure profile.
4. Awareness is Not Entertainment—It’s Risk Management
One of the report’s most powerful reframes is the shift in narrative: security awareness is not an “internal marketing” function. It’s a strategic enabler of business resilience. Security professionals who contextualise their impact in terms of risk reduction and culture change gain stronger executive buy-in and sustained funding.
Recommendation: Align messaging to business KPIs. Frame training outcomes in terms of risk reduction and risk-adjusted ROI rather than participation alone. Completion rates show that people were trained; behavioural measures such as simulated-phish click rate, the proportion of staff who report a suspicious message, and time from first delivery to first report show whether the training changed anything, and those are the numbers an executive can weigh against the cost of an incident.
5. Operational Challenges Persist: Time, Staff, and Leadership Gaps
The top three challenges for program leaders remain consistent year over year:
- Lack of staffing
- Lack of time
- Lack of leadership support
Crucially, these gaps don’t just delay progress—they erode resilience over time. Without clear ownership and visibility, cultural initiatives stall or regress.
Actionable insight: Consider augmenting staff with on-demand experts, or using generative AI to scale workforce engagement (for example, tailoring content and simulations to specific roles without adding headcount), a capability CyberPulse builds into its Managed Security Awareness Education offering.
CyberPulse Perspective
The findings echo what we see across our client engagements: sustainable cyber resilience is a cultural outcome, not just a technological one. Our approach—blending security awareness training with real-time threat intelligence, red teaming, breach simulation, and vCISO advisory—ensures that workforce enablement is embedded within the broader enterprise risk strategy.
Whether it’s embedding long-term culture, optimising awareness ROI, or scaling workforce education with AI-assisted engagement, CyberPulse helps you build not just a safer organisation, but a stronger one.
Recommended Next Steps for Cyber Leaders
- Evaluate your awareness program's current maturity against the SANS Security Awareness Maturity Model, which ranges from non-existent through compliance-focused, behaviour change, and sustained culture change to a metrics-driven program; be honest about which stage your program actually sits at, not the one it aspires to.
- Audit your FTE allocation vs. risk exposure—are your people investments proportional to your threat surface?
- Reframe awareness outcomes in business and risk language to win stakeholder support.
- Partner with CyberPulse to operationalise continuous security culture improvements, from strategy to execution.
Useful Links
The ROI of Security Awareness Programs: https://www.sans.org/blog/roi-case-sans-how-cybersecurity-training-pays-itself
CyberPulse Services: https://www.cyberpulse.com.au/services/