HumanRisk SEAT
Home / Free Tools / Staffing Calculator
Free Tool · No account needed

How many people does a program actually need?

SANS data puts a mature security awareness program near 4.2 full-time equivalents. Most organizations run on a fraction of one person. This calculator estimates your need by headcount and ambition, and shows the gap you are quietly carrying.

Your program

The model is guidance grounded in SANS staffing benchmarks, not a mandate. Read the math below.

The estimate

Recommended = baseline (by maturity) + headcount scaling. SANS benchmark for a mature program is about 4.2 FTE.

Recommended staffing
Your current staffing
Staffing gap
Status

Adjust headcount, ambition, and current staffing to see the gap. This is directional guidance, not a hiring mandate.

4.2
FTEs in a mature security awareness program, on average (SANS staffing research)
10-20%
of one person's time is what most organizations actually allocate to the program
10% / 90%
roughly 10% of users drive 90% of incidents, so targeted effort beats blanket effort

The staffing gap nobody budgets for

Ask most organizations who runs security awareness and the answer is "we have someone." Look closer and that someone is a security analyst, an IT manager, or a compliance lead spending 10 to 20 percent of their week on it. SANS staffing research puts a genuinely mature program near 4.2 full-time equivalents. The distance between those two numbers is the reason so many programs do the annual training, run a few phishing tests, and then plateau.

How the estimate works

The model starts with a baseline that rises with ambition: a developing program needs less dedicated staff than one chasing behavior change and measurement. It then adds a scaling factor tied to headcount, because a program covering 5,000 people is a different job than one covering 500. The numbers are calibrated so a mature program at a mid-to-large organization lands near the SANS 4.2 benchmark. It is guidance to frame a staffing conversation, not a precise headcount order.

Why under-staffing shows up as a year-two plateau

A fraction of one person can sustain compliance. It cannot simultaneously build engagement, run real assessment, and mature strategy. So the program does the part that fits the time available, which is usually training delivery, and the rest quietly never happens. The plateau is not a motivation problem. It is a capacity problem wearing a motivation costume.

When you can't hire, buy leverage

Most teams cannot close this gap with headcount. The realistic move is leverage: concentrate effort where risk concentrates, since roughly 10 percent of users drive 90 percent of incidents; automate delivery; and use a maturity model to spend your limited hours on the few moves that reduce the most risk. That is the difference between a busy program and an effective one.

Frequently asked questions

How many FTEs does a security awareness program need?

SANS staffing research puts a mature program near 4.2 full-time equivalents on average. Most organizations run on far less, often one person at 10 to 20 percent of their time, which is why programs plateau.

Why do most security awareness programs stall?

Under-staffing. A program treated as a fraction of one job can sustain compliance training but cannot build engagement, run assessment, or mature strategy. The work outgrows the staffing, often in year two.

How is the recommended number calculated?

A baseline by target maturity plus a per-headcount scaling factor, calibrated so a mature mid-to-large program lands near the SANS 4.2 benchmark. It is guidance, and the model is described on the page.

We can't hire more people. What do we do?

Buy leverage instead of headcount: focus where risk concentrates (about 10 percent of users drive 90 percent of incidents), automate delivery, and use a maturity model to prioritize the highest-impact moves.

More free tools

All Free Tools
The full set of HumanRisk practitioner tools.
ROI Calculator
Build a defensible business case, with the math shown.
Compliance Requirements
Awareness obligations across 22 frameworks.
Free SEAT Assessment
Measure your program's maturity baseline.

Staffing follows strategy

The free SEAT assessment shows where your program actually stands and which moves reduce the most risk, so you can argue for the right resourcing with evidence. No account needed, 10-15 minutes.

Take the free SEAT assessment