Mental Models, informal representations of reality, provide an appealing explanation for the apparently non-rational decisions of users. Although users may be attempting to make secure decisions, the use of incomplete or incorrect information security mental models as a shortcut to decision making may lead to undesirable results. We describe mental models of Viruses and Hackers drawing on data from a survey of 609 adult computer users and link these to security behaviours and perceptions. We find that there are potentially just a small number of common security beliefs and suggest that accommodating these mental models during security design may be more beneficial to long-term security than expecting users to change to accommodate security requirements.