Huntress Study Reveals Widespread Failure of Legacy Security Awareness Training in Reducing Human Risk

Despite increased security awareness training spending, 94% of businesses saw a rise in security incidents due to human error over the past three years

Columbia, MD – September 23, 2025 — Today, Huntress released Mind the (Security) Gap: SAT in 2025, a new report revealing a critical disconnect between the perceived effectiveness of security awareness training (SAT) programs and their actual impact on reducing human risk. The report reveals that while 93% of organizations have increased SAT budgets over the past three years, 94% saw a rise in security incidents caused by human error.

“Old-school security awareness training isn’t working. Organizations are pouring more money into it than ever, and yet, human error incidents are on the rise,” said Dima Kumets, Principal Product Manager at Huntress. “This gap between expectation and reality exists because training content is often developed in isolation, without meaningful collaboration with security experts. As a result, generalists without hands-on security experience create content that meets compliance requirements, but doesn't drive meaningful behavior change or lead to security outcomes that last.”

Commissioned by Huntress, the comprehensive report is informed by an independent UserEvidence survey of 262 IT and security professionals who administer SAT and 260 employees whose companies provide SAT, across the United States. It exposes significant flaws in legacy SAT programs, including poor outcomes, time-consuming management, and outdated training.

Key findings:

• Legacy SAT programs don’t reduce human risk: A staggering 93% of SAT admins believe their program is effective, yet over half (57%) admit that better employee awareness could have prevented most, the majority, or nearly all of the security incidents at their organization. This suggests that legacy SAT programs may appear effective on the surface, but are failing to reduce human risk in a meaningful way.
• Outdated content doesn’t prepare learners: While 88% of learners believe their SAT programs are effective and 92% believe they would respond correctly if faced with a security incident, nearly half (44%) of SAT administrators confess their content is often or always outdated or irrelevant. This outdated training leaves learners overconfident and unprepared to deal with modern threats they’re likely to face, leading to more security incidents caused by human error.
• Managing SAT is a burden: Administrators are bogged down by the process. While 95% of admins report that their SAT program is manageable to maintain, 61% spend 10 or more hours each month on it, and 72% view it as a burden. This signals that while technically possible to manage, administrators often see managing SAT as a time-consuming and painful chore rather than a meaningful tool to improve security outcomes.

These findings are further validated by research conducted at UC San Diego Health and discussed at Black Hat USA 2025, which expose the ineffectiveness of relying solely on annual security awareness training. The study found that this conventional, check-the-box approach fails to meaningfully reduce the likelihood of employees falling for phishing scams. This underscores the clear need for a strategic shift from compliance-focused training to an outcome-based human risk management approach. Learners want training that is not only more engaging and consumable but also tailored to address current cybersecurity threats. Legacy SAT programs are often built by generalists and fail to keep pace with evolving threats, leaving organizations vulnerable. Managed, expert-backed programs are key in solving these challenges, giving organizations current, frequent, and relevant training without the burden of costly internal management. This shift can lead to meaningful behavior change and significantly reduce human risk exposure.

“Just because legacy SAT solutions have been ineffective in reducing human risk doesn’t mean SAT itself isn’t a valuable and necessary tool," Kumets explained. “The answer certainly isn’t to throw more budget at the same ineffective training methods. But, by shifting to more outcome-driven training that is timely, relevant, and expertly managed, organizations can cultivate a proactive and resilient security culture that actually reduces human risk.”

Additional resources:

• Start a free trial of Huntress Managed SAT to experience our expert-backed, headache-free training firsthand.
• Get your copy of the “Mind the (Security) Gap: SAT in 2025” report or see the infographic to discover what admins and learners really think about their security awareness training program.
• Read the Huntress blog to stay updated on the latest hacker tradecraft and tips to protect your business. 
  

Survey Methodology

The data for this report was gathered through a comprehensive, independent market survey commissioned by Huntress and administered by UserEvidence. The online survey, conducted in July 2025, collected responses from two primary audience segments across the United States. The first segment consisted of 262 IT and security professionals from 23 different industries. The second segment included 260 full-time professionals from 36 industries whose companies have implemented security awareness training (SAT). The research was designed to be vendor-neutral, with no specific vendor targeting from either Huntress or UserEvidence.

About UserEvidence

UserEvidence is a software company and independent research partner that helps B2B technology companies produce original research content from practitioners in their industry. All research completed by UserEvidence is verified and authentic according to their research principles: Identity verification, significance and representation, quality and independence, and transparency. All UserEvidence research is based on real user feedback without interference, bias, or spin from our clients.