Even with good user education programs, users sometimes open e-mail-based viruses. Are these people being malicious?...
There is a difference between wishing to cause major damage and curiosity. I have heard of people actually going out to the Web, downloading a virus and then running it to see what it will do. They are often disappointed when they don't see a picture. Fictional virus portrayals have made people think that they have a graphical interface. Most are not graphical at all. This is one area where education would help. What should a user do if they think they have a virus? I always advise users to run a virus scan. I don't go in for looking at specific files or keys for a virus. A complete scan is much better. What does the future hold for virus management? When will users become savvier? I think we'll see operating systems and applications becoming more secure. Security software will also become better. But I also think we'll see users become more sophisticated. I see computer usage becoming more like driving. Driving is a complicated dance that has a lot of flavors to it that people have learned. For example, we know what flashing lights on a car on the side of the road means.
The first thing should be to explain that information is property, and that data on their machines belongs to the company and should be protected like any other asset. One of the biggest hurdles in educating users is getting the information about security out to them. Actually, the best opportunity to do this is during a virus outbreak. But won't threats advance as well?
If you look at it long enough you will have a security flaw in the Roman alphabet. There is a tug of war between technology and society. Users will still need to be educated as attacks become smarter. User's social awareness will need to key in line as technology continues to advance. But we must remember technology is just another method for social interactment between people.