Rick Wash from Michigan State wrote a great paper, "Folk Models in Home Computer Security," which uses interviews with users of varying levels of sophistication to build a taxonomy of how regular people think about the security of their computers. Wash finds that most users' models date from the pre-botnet era of malicious software, and he goes on to examine what happens when those models are applied to modern malware. From the abstract:
Home computer systems are frequently insecure because they are administered by untrained, unskilled users. The rise of botnets has amplified this problem; attackers can compromise these computers, aggregate them, and use the resulting network to attack third parties. Despite a large security industry that provides software and advice, home computer users remain vulnerable. I investigate how home computer users make security-relevant decisions about their computers. I identify eight 'folk models' of security threats that are used by home computer users to decide what security software to use, and which security advice to follow: four different conceptualizations of 'viruses' and other malware, and four different conceptualizations of 'hackers' that break into computers. I illustrate how these models are used to justify ignoring some security advice. Finally, I describe one reason why botnets are so difficult to eliminate: they have been cleverly designed to take advantage of gaps in these models so that many home computer users do not take steps to protect against them.
Folk Models of Home Computer Security (PDF)
(via Schneier)