Rising SAT budgets fail to curb workplace security incidents
A new report from Huntress has highlighted a persistent disconnect between rising investment in security awareness training and its effectiveness in reducing incidents driven by human error in the workplace.
The report, entitled 'Mind the (Security) Gap: SAT in 2025', is based on an independent survey conducted by UserEvidence involving 262 IT and security professionals responsible for security awareness training (SAT) programmes, along with 260 employees undergoing such training, all based in the United States.
According to the findings, 93% of organisations surveyed increased their SAT budgets over the past three years. Despite this, 94% of those organisations experienced a rise in security incidents traced to human error during the same period.
Dima Kumets, Principal Product Manager at Huntress, said,
"Old-school security awareness training isn't working. Organisations are pouring more money into it than ever, and yet, human error incidents are on the rise. This gap between expectation and reality exists because training content is often developed in isolation, without meaningful collaboration with security experts. As a result, generalists without hands-on security experience create content that meets compliance requirements, but doesn't drive meaningful behavior change or lead to security outcomes that last."
The survey examined the perceptions of security training effectiveness among both administrators and employees, revealing key inconsistencies and limitations in legacy SAT programmes.
Perception and reality
Among the administrators surveyed, 93% believe their security awareness training programme is effective. Yet over half (57%) acknowledged that better employee awareness could have prevented most or nearly all of the security incidents at their organisation. Taken together, these figures suggest programmes that satisfy compliance requirements without measurably reducing human risk.
On the employee side, 88% felt their training was effective and 92% said they would respond correctly to a security incident. Against this confidence, 44% of SAT administrators admitted their programme content is often or always outdated or irrelevant, which suggests that employees may be overestimating their abilities on the basis of insufficient or outmoded training.
Administrative burden
Respondents also identified the management of legacy SAT programmes as an operational challenge. Although 95% of programme administrators described their SAT management as technically manageable, 61% said they spent 10 or more hours each month on it, and 72% considered it a burden, treating SAT as a time-consuming administrative task rather than a strategic security measure.
Relevance and engagement
The Huntress report also references research conducted at UC San Diego Health, which found that annual security awareness training on its own did not reduce incidents such as phishing. Those findings were presented at Black Hat USA 2025 and reinforce the view that compliance-focused training does not translate into better outcomes, because its methodology fails to keep pace with evolving and increasingly complex threats.
Feedback from learners shows a preference for training that is up to date, engaging, and relevant to the current threat landscape. The report nonetheless finds a widespread reliance on training materials developed by generalists, with content that does not reflect the realities of present-day cyber risk.
The report argues that managed, expert-backed SAT solutions could address these gaps by providing more regular, relevant, and effective training without creating additional internal management overhead for organisations.
Kumets further noted,
"Just because legacy SAT solutions have been ineffective in reducing human risk doesn't mean SAT itself isn't a valuable and necessary tool. The answer certainly isn't to throw more budget at the same ineffective training methods. But, by shifting to more outcome-driven training that is timely, relevant, and expertly managed, organisations can cultivate a proactive and resilient security culture that actually reduces human risk."