As technology users, assailed with security threats such as viruses and hackers, increasingly look to vendors to help protect their systems, they may find the vendors staring right back at them.

"One just needs to look out the window to see the confusion out there," PricewaterhouseCoopers Partner Jonathan Tate says, motioning to the attendees on the floor of the InfoSecurity Europe 2004 conference in London this week.

Tate and PwC have just released a study saying that three-quarters of U.K. businesses, hampered by skill shortages and a lack of investment in security, are condemned to security breaches.

And UK businesses are not alone, as users worldwide are being targeted in educational campaigns by technology heavyweights like Microsoft, which claims it can only do so much to reduce security threats without more user cooperation.

Jonathan Perera, Microsoft's senior director of product management in the Security Business and Technology Unit and a speaker at the conference, calls it "the grey matter bug," referring to users clicking on buttons they shouldn't, inadvertently downloading viruses, and opening the door for other security breaches unawares.

Microsoft is fighting this particular bug through broad educational campaigns, targeting both IT students by supplying educational materials for IT security course work, and end users via its software.
"I think we can use software to educate users about software security," Perera says, speaking after his address at the conference.

That is what the company is planning to do with Windows XP Service Pack 2, due out later this year. Among other bolstered security features, Service Pack 2 includes prompts to help users establish firewalls, block pop-up ads, and update antivirus software.

Microsoft Chairman and Chief Software Architect Bill Gates laid out some of the security focus areas in a recent executive e-mail to customers.

Gates outlined moves to isolate threats and increase product resiliency and quality, as well as broad educational efforts.

The company has said that it is also working with an increasing amount of third-party software vendors and security researchers to reduce security threats.

David Litchfield, managing director of Next Generation Security Software (NGSS), says that Microsoft is doing an enormous amount to improve the security of its products.

NGSS is working with the company to detect and analyze potential threats. And two and a half years into its Trusted Computing initiative, Microsoft is citing a decrease in the number of critical and important security bulletins it has released as proof that the measure is working.

Windows Server 2000 had 42 critical and important security bulletins, whereas Windows 2003 has had 13, Perera says.

"And 13 is still too many for me," he added during his address to conference attendees.

But although Microsoft looks to end users to help further reduce threats, user frustration at the large amounts of lost time and money to patch systems appears to remain.

"Microsoft needs to do more," says conference attendee Richard Holt, who works in IT support for a London company he preferred not to name.

"Each patch is a headache," he says.

While Holt gazed at the conference exhibitor rooms on the second floor ablaze with Microsoft logos for answers, it was unclear if he knew they were also looking to him.