A lot of what can be said here is merely practical advice rather than anything to do with cognitive biases. One real problem is with the PC - its security model is rather like an office with a security guard at the gate. The guard is quite fierce. But once inside, there's no further security - all the filing cabinets are unlocked, all the offices are open, you can read everyone's email. The PC needs a layered security model, but doesn't have much of one. To counteract this, take the guard's job seriously: buy some internet security software and use it.
Stay out of bad neighbourhoods.
Only download software from people who have a reputation to lose. Don't just believe that pirates crack programs and make them available for free on the Internet out of the kindness of their hearts. Maybe some do - maybe even most of them. But if you download a cracked program and run it, you are giving control of your PC to the pirate. Maybe that free program is not such a good deal after all.
Divide your online activity into personas that don't identify you and that you can afford to throw away, and accounts that you're a bit paranoid about. Anything with personal info is in the latter category. Watch out for Facebook - it encourages you to put all your personal identifiers into the public domain, which is not a good idea. What use is it for your bank to use your mother's maiden name and your birthday to secure your dealings with them if anyone can take all that info from your Facebook page?
Don't access the important accounts from a computer which you don't trust.
What do people want who try to break your security? One of three things.
If an online id doesn't contain any info about these things, just don't worry about it - set a half decent password and leave it at that.
If you contact someone else, you can usually be pretty sure they are who you think they are. If someone else contacts you, the most likely thing they'll lie about is who they are. This is the only cognitive bias thing - we tend not to realise that who initiates a conversation is important. If you do it, you're pretty safe. If the other person does, the other party is much more likely not to be who you think they are.
Hi, I'm from your bank and need you to verify this fraud... Hi, I'm a police officer, and your friend x.... Hi, I'm from the state lottery.... Hi, I'm a Nigerian chap who needs a little help (true, but then the part about their immense wealth isn't...) Hi, I'm your friend x and I'm stuck in London....
Have a cached "Yeah, right - so how do I know that's who you are?" ready and waiting. If in doubt, terminate the conversation and, if necessary, reinitiate it yourself - don't let the other person 'help' you to do this. For example, if someone calls saying they are from your bank, you should consider calling the bank back using the phone number on your statement or your bank card. Don't take the number from the person you're not sure about!
Maybe not very cognitive-biasy, but it's the best I can do for you....
Stay out of bad neighbourhoods.
Note that social preconceptions of what constitutes a "bad neighborhood" may be wrong. You may have heard that porn sites are bad neighborhoods; but nobody's getting viruses off abbywinters.com. In contrast, any site offering to give you smiley cursors and screensavers may as well be selling rusty needles in a back alley.
Only download software from people who have a reputation to lose.
Sadly, many reputation-bearing software vendors bundle security-harming crapware with their software anyway. It's an improveme...
Hacking and Cracking, Internet security, Cypherpunk. I find these topics fascinating as well as completely over my head.
Yet, there are still some things that can be said to a layman, especially by the ever-poignant Randall Munroe:
Password Strength
Password Reuse
I'm guilty on both charges (reusing poorly formulated passwords, not stealing them).
These arguments may just be the tip of the iceberg of a much larger problem that needs optimizing: Social Engineering, or mainly how it can be used against our interests (to quote Person 2, "It doesn't matter how much security you put on the box. Humans are not secure."). I get the feeling that I'm not managing my risks on the Internet as well as I should.
So the questions I ask are: In what ways do our cognitive biases come into play when we surf the Internet and interact with others? Which of these biases can we actively protect against, and how? I've enforced HTTPS when available, as well as kept my Internet use iconoclastic rather than typical, but I doubt that's a comprehensive list.
I don't know how usefully I can contribute, but I hope that many on Less Wrong can.
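As an added illustration of the two comics the post links (Password Strength and Password Reuse), and not part of the original post or any reply, the Python script below does two things: it computes the entropy of machine-generated passwords and passphrases, and it shows the failure mode of reuse, where one breached site exposes every other account sharing that password. The word list and the account list are constructed for the example; a real Diceware list has 7776 words, which is the figure used in the entropy comparison. The entropy formula only applies to uniformly random selection, which is exactly why human-chosen patterns score far lower than it suggests.

```python
import math
import secrets

# Constructed word list for illustration only. A real Diceware list has 7776
# words; this one exists so the example runs offline.
WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "basket", "candle", "dragon",
    "ember", "falcon", "garden", "hammer", "island", "jacket", "kettle", "lantern",
    "marble", "needle", "orange", "pepper", "quartz", "ribbon", "saddle", "timber",
    "umbrella", "velvet", "walnut", "yellow", "zipper", "copper", "meadow", "thistle",
]

PRINTABLE_ASCII_SIZE = 95  # printable characters from space (0x20) to tilde (0x7E)


def entropy_bits(alphabet_size, length):
    """Entropy in bits of `length` symbols, each drawn uniformly at random from an
    alphabet of `alphabet_size` symbols. Valid only for machine-generated secrets:
    a human-chosen password with the same shape has far less entropy than this."""
    return length * math.log2(alphabet_size)


def random_passphrase(n_words=4, words=WORDS):
    """Generate a Diceware-style passphrase using the `secrets` module (a CSPRNG);
    the `random` module is not suitable for this."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def random_password(length=12, alphabet=None):
    """Generate a random character password from the given alphabet."""
    if alphabet is None:
        alphabet = "".join(chr(c) for c in range(0x21, 0x7F))  # printable, no space
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an offline attacker to reach the secret, i.e. to search
    half of a space of 2**bits candidates at the given guess rate."""
    return 2 ** (bits - 1) / guesses_per_second


def exposed_by_breach(accounts, breached_site):
    """Credential stuffing: when `breached_site` leaks its password, every other
    site in `accounts` (a dict site -> password) using the same password falls too."""
    leaked = accounts[breached_site]
    return sorted(site for site, pw in accounts.items()
                  if site != breached_site and pw == leaked)


def reused_passwords(accounts):
    """All sites whose password also appears on at least one other site."""
    by_password = {}
    for site, pw in accounts.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(site for sites in by_password.values() if len(sites) > 1
                  for site in sites)


if __name__ == "__main__":
    # Four words from a 7776-word Diceware list vs. eight random printable characters.
    print(f"4 Diceware words:            {entropy_bits(7776, 4):.1f} bits")
    print(f"8 random printable ASCII:    {entropy_bits(PRINTABLE_ASCII_SIZE, 8):.1f} bits")
    print(f"Example passphrase:          {random_passphrase()}")
    print(f"Example password:            {random_password()}")
    # Constructed account list with one password reused across two sites.
    accounts = {"bank": "hunter2", "email": "qK7#vL2pX!9m", "forum": "hunter2"}
    print("Reused on:", reused_passwords(accounts))
    print("If the forum is breached, also exposed:", exposed_by_breach(accounts, "forum"))
```

The point of `exposed_by_breach` is the one the reuse comic makes: the weakest site you share a password with sets the security of the strongest. The guess-rate argument in `expected_crack_seconds` only matters for an offline attack on a leaked hash; an online login with rate limiting is a different threat, and a unique password per site is what contains the damage either way.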