Intelligent CIO Middle East Issue 119 | Page 30

INTELLIGENT TECHNOLOGY: CYBERSECURITY

SANS report finds humans still the main attack vector as 80% of organisations flag social engineering as their number one risk

SANS Institute releases 10th edition of its Security Awareness Report, used by cybersecurity teams to benchmark maturity and strengthen human defence against threats.

The latest survey data from SANS Institute, a trusted provider of cybersecurity training, reveals that 80% of organisations rank social engineering as the number one human-related risk – an already formidable threat now supercharged by AI.

As attackers use Artificial Intelligence to craft more convincing and scalable deception tactics, the stakes for human error have never been higher. The data was a key insight from the 10th anniversary edition of SANS Institute’s Security Awareness Report: Embedding a Strong Security Culture.

The report is based on SANS’s largest survey ever, with feedback from over 2,700 security awareness practitioners from more than 70 countries who shared their unique perspectives to create the most comprehensive and revealing report yet.

Lance Spitzner, Technical Director of SANS Workforce Security & Risk Training, highlights the report’s significance on its 10th anniversary: “The launch of the 10th edition of our Security Awareness Report is a major milestone for us and our most ambitious and far-reaching report to date. Designed as a dual-purpose playbook, it empowers security awareness professionals to not only drive organisation-wide behaviour and culture change but also advance their careers.”
Key Findings and Insights
• Top human risks: This year’s data makes it clear: social engineering remains the top human risk by a wide margin (according to 80% of respondents), with phishing still leading, and smishing and vishing attacks growing in both frequency and sophistication. In a shift from last year’s results, incorrect handling of sensitive data has now taken the second spot, followed by weak passwords and poor authentication. These changes reflect the evolving ways in which humans remain the primary attack vector and why targeted, behaviour-focused training continues to be essential.
• Programme challenges: Lack of time and staffing remain the two biggest challenges limiting industry professionals from building and managing an effective programme. The report emphasises the use of tools like Generative AI to help security teams accelerate their impact at a global scale.
• Benchmarking and maturity: For the sixth year in a row, the data confirms that larger security awareness teams drive more mature programmes. On average, it takes at least 2.8 dedicated FTEs to meaningfully influence behaviour – and four or more FTEs to begin shifting organisational culture. But staffing isn’t everything. Sustained effort over time matters just as much. The longer your programme has been in place, the more likely it is to be improving processes, strengthening partnerships and effectively engaging the workforce to reduce human risk.
• Career development: In 2025, the average global annual salary for individuals working in security awareness is US$116,091. In terms of geography, North America has the highest average annual salary at US$129,961, almost identical to 2024’s findings. In Europe, the average annual salary is US$93,661.
Spitzner concludes: “This year’s findings come against the backdrop of organisations facing rising threats like Generative AI, deepfakes and other emerging threats. The report delivers timely, data-driven insights into how security teams are adapting, where gaps remain and which strategies are moving the needle. In a field where human risk is still underreported, this report shines a spotlight on one of cybersecurity’s most urgent challenges.”