On Feb. 10, OIT workers began to patch all the state's SQL Server installations to block SQL Slammer. On Feb. 15, the state announced the Cain & Abel "breach," and Oliver was put on paid leave two days later.

Why was Oliver fingered? Probably because he installed Cain & Abel under his security credentials, just as he was supposed to. But why did the OIT identify Cain & Abel as the big problem rather than SQL Slammer, which posed a more direct threat?

It's hard to say for sure, because OIT officials aren't talking. It might have been, say, a clever ruse to mislead potential attackers. More likely, executive-level types were just confused over what kind of malware was involved, who might have put it on the state's systems, and how and where the real risks were.

No matter. Confused or not, those officials didn't try to cover up the problem. They took quick action and risked embarrassment by going public. Good for them.

But now that the security mess appears to be cleaned up, there's something they should do to prevent future, um, excitement.