Just finished reading the report at 2021 Security Awareness Report at SANS.
Most companies aware of human risk in Cybersecurity. And "User Education" is always the "only" solution to address human risk.
My 2 cents:
- The company risk is not determined most intelligence employee but the lowermost.
- Simplicity should be more important than "user education" in addressing human risk.