Imagine a perfect situation, in which you work for a large company with a lot of information security measures in place. There is antivirus software on every desktop, updated automatically; there are firewalls and intrusion detection systems protecting the perimeter of the network; and host-based sensors scattered strategically throughout the system. The helpdesk staff have been warned of the risk from social engineering attacks, and the building itself is well-provided with CCTV and an alert set of security guards in the lobby.

Periodically, a full review of information security is undertaken by an external audit company, and there is a well-managed programme of patching and network maintenance. Moreover, the organisation has a clear security policy, and has appointed an information security officer to report to the head of internal audit.

A good situation, made even better as - in a rare example of largesse - the board has agreed to a one-off extended security budget to improve the situation further still. But what should the extra money be spent on for the best results?

It's a nice problem to have, admittedly, but it is a problem. Most of the technology measures are in place, and are established to prevent intrusions - whether by hackers or by viruses and worms. But though such intruders present problems, most surveys indicate internal users are the major source of difficulties for data security. Clumsy, curious, malicious or criminal insiders account for a huge variety of problems - including pilfered databases, badly-configured systems and polluted information sources. So, perhaps the windfall should be spent on beefing up internal monitoring tools?

But the firm already has host-based intrusion detection system (IDS) sensors, which should raise the alarm if insiders or intruders are detected performing unwarranted activities. The technology that can help is already deployed.

For most staff working in information security, the central observation is this: technology doesn't create problems; people create problems, and technology amplifies them. A good way to spend the windfall, therefore, is not on technology but on people. An education and awareness campaign is not an expensive option: a few thousand pounds for the exercise, tutoring key individuals not simply in current measures, but more importantly in the consciousness of security; a "hearts and minds" approach that lets them help themselves.

But perhaps the best way to spend that money is not on a campaign directed at the users but on one directed at board members and the most senior managers.

In any organisation, there is a correlation between the seriousness with which top managers are perceived to treat security, and the seriousness with which it is treated at lower levels. If senior managers neglect the issue, other users will find ways around security measures. If senior managers are seen to take it seriously, other users will not just comply, they will positively help.

Security must not just be done: it must be seen to be done.