Legacy Security Awareness Training Failing to Reduce Human Risk, Huntress Study Warns

Despite a surge in spending on security awareness training (SAT), most organisations are still experiencing more incidents caused by human error, according to new research from Huntress.

The report, Mind the (Security) Gap: SAT in 2025, reveals that while 93% of organisations have increased their SAT budgets in the past three years, 94% saw a rise in security incidents linked to mistakes made by employees. The findings suggest that traditional training methods are not delivering the improvements businesses expect.

“Old-school security awareness training isn’t working. Organisations are pouring more money into it than ever, and yet, human error incidents are on the rise,” said Dima Kumets, Principal Product Manager at Huntress. “This gap between expectation and reality exists because training content is often developed in isolation, without meaningful collaboration with security experts. As a result, generalists without hands-on security experience create content that meets compliance requirements, but doesn’t drive meaningful behaviour change or lead to security outcomes that last.”

The study, based on an independent UserEvidence survey of 262 IT and security professionals who administer SAT and 260 employees whose companies provide it, exposes widespread weaknesses in legacy programmes. Among the main issues identified were ineffective outcomes, outdated content, and excessive administrative burden.

Key findings include:

  • Perceived vs. real effectiveness: 93% of SAT administrators believe their programmes are effective, but more than half (57%) acknowledge that improved employee awareness could have prevented most or nearly all of their organisation’s security incidents.

  • Outdated content: 88% of learners believe their training is effective, and 92% feel confident they would respond correctly in a security incident. Yet, 44% of administrators admit their training materials are often outdated or irrelevant, leaving staff overconfident and unprepared for modern threats.

  • Administrative challenges: While 95% of administrators say their SAT programme is technically manageable, 61% spend at least 10 hours a month maintaining it, and 72% view it as a burden, suggesting the programmes are a time drain with limited return on security outcomes.

The Huntress findings align with research presented by UC San Diego Health at Black Hat USA 2025, which showed that annual, compliance-focused training alone does little to reduce the likelihood of employees falling for phishing scams. Experts argue that this “check-the-box” approach leaves organisations vulnerable, and that training should evolve into a more tailored, outcome-driven model.

According to Huntress, managed SAT programmes developed with security experts can ease the burden on administrators while ensuring that training is current, frequent, and relevant. This shift, the company argues, is critical to driving real behavioural change and reducing risk.

“Just because legacy SAT solutions have been ineffective in reducing human risk doesn’t mean SAT itself isn’t a valuable and necessary tool,” Kumets explained. “The answer certainly isn’t to throw more budget at the same ineffective training methods. But, by shifting to more outcome-driven training that is timely, relevant, and expertly managed, organisations can cultivate a proactive and resilient security culture that actually reduces human risk.”

The post Legacy Security Awareness Training Failing to Reduce Human Risk, Huntress Study Warns appeared first on IT Security Guru.