Senior executives need to help companies build an IT security-conscious culture from the top down, according to new research by Ernst & Young.

Respondents to its Global Information Security Survey 2004 named lack of security awareness by users as the top obstacle to information security. But only 28 per cent of them listed raising employee information security awareness as a top initiative in 2004.

"I think the issue of security awareness has been delegated or abdicated to technical professionals some levels down in organisations," said Jan Babiak, managing partner of Ernst & Young's information security services in the UK.

"In general the sorts of people who have strong skills sets don't have the social networks and perspective to communicate policy to staff. I'm a big believer that you need the people at the top to take the lead and repeat the messages to staff."

Ernst & Young advised that companies should place more emphasis on creating a security-conscious culture that includes setting the right 'tone at the top'. But only one in five companies saw it as a chief executive-level priority.

Nearly two thirds of those surveyed did not have a chief information security officer, although more than half (53 per cent) of companies with revenues over over a $1bn a year did.

Viruses and Trojans are still rated the biggest threat overall, but employee misconduct was considered the second biggest threat. Theft of proprietary information was rated the lowest threat.