Stay out of bad neighbourhoods.
Note that social preconceptions of what constitutes a "bad neighborhood" may be wrong. You may have heard that porn sites are bad neighborhoods; but nobody's getting viruses off abbywinters.com. In contrast, any site offering to give you smiley cursors and screensavers may as well be selling rusty needles in a back alley.
Only download software from people who have a reputation to lose.
Sadly, many reputation-bearing software vendors bundle security-harming crapware with their software anyway. It's an improvement over random piracy, though; and one bias that probably worsens people's security is the notion that if no system is perfectly secure, then they may as well not bother improving — a form of zero-risk bias, I suppose.
For that matter, speaking of reputation and risks, a few years back you could get a Windows system cracked by putting a music CD from a well-known music label in the drive. Users may have expected that a music CD was not software, which expectation proved false.
Something else to consider is that most users probably experience the sunk-cost fallacy, coupled with status-quo bias, when considering switching to different software (e.g. operating system or Web browser). Considering that there are significant security differences among these choices, cognitive biases may be keeping a lot of users on inferior software.
Hacking and Cracking, Internet security, Cypherpunk. I find these topics fascinating as well as completely over my head.
Yet, there are still some things that can be said to a layman, especially by the ever-poignant Randall Munroe:
Password Strength
Passwords Reuse
I'm guilty on both charges (reusing poorly formulated passwords, not stealing them).
These arguments may be just be the tip of the iceberg of a much larger problem that needs optimizing: Social Engineering, or mainly how it can be used against our interests (to quip Person 2, "It doesn't matter how much security you put on the box. Humans are not secure."). I get the feeling that I'm not managing my risks on the Internet as well as I should.
So the questions I ask are: In what ways do our cognitive biases come into play when we surf the Internet and interact with others? Of which of these biases can actively we protect against, and how? I've enforced HTTPS when available, as well as kept my Internet use iconoclastic rather than typical, but I doubt that's a comprehensive list.
I don't know how usefully I can contribute, but I hope that many on Less Wrong can.