Federal inspectors posing as IT help desk staffers trying to correct a network problem called 100 IRS managers and employees and asked them to provide their network log-in names and temporarily change their passwords to ones they suggested. Inspectors persuaded 35 IRS workers to do just that.

This success came despite IRS efforts to educate employees.

Dan Galik, the IRS's chief security officer, says his agency "re-energized the awareness program" following the report. In addition to annual reviews, posted announcements and online courses mandated under the 2002 Federal Information Security Management Act, Galik says the agency has added some innovative approaches.

One was a Jeopardy-style game held last November during which workers tried to give the right answers on security-related topics.

"You've got to come up with something that will stick," Galik says.