"We just did a phishing [definition link] exercise to 10,000 desktops," said William F. Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination. "We sent out a generic advisory on phishing, and no one was aware there would be an exercise to follow."

About a month after the advisory, an e-mail arrived on those agency desktops. It came from outside, but appeared to be from state government. It said that since security was so important, and that passwords were the first line of defense, the state had developed a password checker for state employees. "It asked them to enter their personal password and user ID to see how good their passwords were," said Pelgrin. "Out of 10,000 employees, we had about 17 percent that fell prey to it at that time. A month or so later we went back to the same cohort of individuals to see if they learned from the educational component of this, and we cut our numbers down to about seven percent. Now," he said, "the job is to get to those seven percent."

Pelgrin said the approach was "warm and fuzzy." Commissioners of affected agencies signed off on the exercise beforehand and looked at all documents before they were sent. And no information was collected on who fell for the ruse, just aggregate statistics. Those that provided a password and user ID got a message telling them what the exercise was all about, a video explaining the dangers of providing the information, and a survey.

"From the survey," said Pelgrin, "We got a lot of responses that it taught them something about phishing, not only at work -- since we filter out a lot of that crud here -- but at home where you get much more of it."

"This is about vigilance and resilience," he said. "One hundred percent security will never be obtainable. If you think you're safe, you're not secure. 9/11 taught us not to say things won't occur. Vigilance has to be there. Cars are becoming safer every day but you still need to buckle your seat belt."

In keeping with that premise, Pelgrin has expanded the efforts of his office to educate and inform state and local government, law enforcement, and the public. His office -- along with the Department of Homeland Security's National Cyber Security Division and other organizations -- developed a cyber-security awareness program for New York, that other state and local governments around the country are invited to use.

New York Governor E. Pataki proclaimed October as Cyber Security Awareness Month for the state, and Pelgrin and others are working to expand the idea nationwide, providing materials and programs to state and local governments.

"We do a Web cast every other month," said Pelgrin. "It started out as a New York State effort and quickly became a national one, and is now international. We've had up to nine countries participate in those Web casts. I choose the topic area, and we look for vendors that could do the presentation. They are not unique to any vendor, they have to be generic ... things that people could take and actually implement to make themselves more secure than they were the day before.

"We've done vulnerability risk assessments," he said, "taught people how to identify spyware, adware, and what to do about it. Over the last year, we've done about seven of those.

Protecting Children
"For October," said Pelgrin, "our theme is protecting children on the Internet. The slogan is: 'It's everyone's responsibility' Parents, teachers, law enforcement, government -- everyone needs to take a role to ensure our children are protected and also that children don't become