According to a survey sponsored by Malta-based security software vendor GFI Software of IT managers at small and midsize businesses in the U.S., their companies' chief security need isn't money or software; it's smarter users.The survey asked 455 CIOs how they could improve security, and 48 percent named more awareness of the issue among employees; 25 percent said more awareness among senior management. "They see the end user as the weakest link," said David Kelleher, project leader for research at GFI. Kelleher said that even at companies with security policies, end users don't often understand the reasoning behind them. He recommended that companies implement rigorous security training programs. Gary Chen, an analyst with Yankee Group, agreed with the diagnosis but not the cure. "Certainly end users are a big hole for most people, because end users are not going to be your most technically competent people....[But] I guess I'm not truly convinced that you can seriously make a dent in that problem," he said. "You can do all the training you want, but people are just going to be stupid and you're not going to be able to do much about it." Chen's prescription: implement technological solutions that assume people are going to do the wrong (or stupid) thing.CIO-Midmarket.com