Respondents to the survey, conducted by the New York-based Deloitte Touche Tohmatsu consulting firm, included 28 of the top 100 banks, nine of the top 50 insurers and 26 of the 120 financial institutions among the 500 largest companies in the world. The study, released today, is the third annual report by Deloitte on security at financial-service companies.

The study's release came five days after MasterCard International Inc. and Visa international Inc. reported the Federal Bureau of Investigation is probing a security breach that exposed 40 million accounts to possible fraud in what has been labeled the largest violation of its kind.

``For the first time, the number of organizations who have experienced internal attacks is higher than the number who have experienced them externally,'' said the report, which was compiled before the credit-card breach.

Almost nine out of 10 firms participating in the survey reported concern ``about employee misconduct involving information systems,'' the study said.

Yet only 64 percent of the firms concerned about employee misconduct staged training and awareness programs for workers in the preceding 12 months, the report said.

``Continual education should be a mainstay within the business and employees should be indoctrinated into the security system,'' the report said. ``The goal is to establish and maintain an organizational culture where information security is second nature to all employees within the organization.''