Rick Wash from Michigan State wrote a great paper, "Folk Models of Home Computer Security," which uses interviews with users of varying levels of sophistication to build a taxonomy of how regular people think about the security of their computers. Wash finds that users' models mostly date from the pre-botnet era of malicious software, and he goes on to examine what happens when those models are applied to modern malware. From the abstract:
Home computer systems are frequently insecure because they are administered by untrained, unskilled users. The rise of botnets has amplified this problem; attackers can compromise these computers, aggregate them, and use the resulting network to attack third parties. Despite a large security industry that provides software and advice, home computer users remain vulnerable. I investigate how home computer users make security-relevant decisions about their computers. I identify eight 'folk models' of security threats that are used by home computer users to decide what security software to use, and which security advice to follow: four different conceptualizations of 'viruses' and other malware, and four different conceptualizations of 'hackers' that break into computers. I illustrate how these models are used to justify ignoring some security advice. Finally, I describe one reason why botnets are so difficult to eliminate: they have been cleverly designed to take advantage of gaps in these models so that many home computer users do not take steps to protect against them.