Despite increasing awareness of IT security threats, many IT administrators are reduced to using scare tactics to get management support for tighter security procedures, research has revealed.

A recent poll conducted by security firm WatchGuard showed that IT managers typically take one of the following approaches:

The poll of IT network and security administrators in SMEs to determine how they persuade management to change security practice found that almost half of respondents admit to advocating the fear factor.

Many respondents indicated that they have to present worst case scenarios involving confidentiality breaches, lost customers or liability charges to justify investments in information security technology.

The use of scare tactics may be prompted by the fact that, according to additional findings from the poll, more than one in four (29 per cent) network administrators claim that senior management rarely, or never, change standard practices in response to security recommendations alone.

However, an encouraging 30 per cent indicated that rational facts, including cost-based analysis, productivity statistics and industry articles, are sufficient to prompt a reaction.

Additionally, 51 per cent of respondents reported that senior management implement changes to security practices based on their recommendations most or all of the time.

"This survey shows that SMEs can vary greatly in their approach to security. Despite high profile attacks and regulatory pressure, a strong security-conscious culture is still not second nature to all organisations," said Mark Stevens, chief strategy officer at WatchGuard.

"While many organisations treat security as a priority from the top down, and are very proactive in their approach, others require more persuasion to implement and update secure practices.

"To protect against the threat of attack, executive sponsorship is critical. Organisations need to adopt an approach that incorporates not only technology solutions, but ongoing user education as well as development and enforcement of security policies."