Security specialists rank management support of security policies as the most important factor in corporate security, according to a report by security certification body ISC2.
The study, conducted jointly by ISC2 and IDC, was based on interviews with more than 4,000 IT security professionals in Europe, the US and Asia.
After management backing, the specialists see persuading users to follow established policies as most important to effective security.
The report found that companies were spending more than 40% of their information security budgets on personnel, education and training - highlighting a growing recognition of the importance of human factors in security.
"This year's study further validates the conventional wisdom, long-held by security professionals, that people are the critical component of an effective information security programme," said Ed Zeitler, executive director of ISC2.
The survey shows that, with experienced security staff in short supply, a growing number of companies are hiring less experienced staff and investing in training.
Information risk management remains the top training priority for IT security staff in Europe and the US. This is likely to continue as organisations work to manage corporate risks, says IDC.