The problem with the textbook security advice is that if you follow all of it, it will cost you more than the expected loss from following none of it, and since the people who write it rarely bother to give priority guidance, people end up rationally following none of it. What's actually needed is a very short list of advice that's feasible to remember and follow, and which will cost less to follow than its expected benefit.
Here's a couple of my suggestions to start with:
If you're going to use the same password for two dozen random websites, don't also use that same password for your PayPal account.
Don't publish your date of birth, it's an attack vector for identity theft. If a website demands your date of birth, and you choose to give the real year, at least change the exact day. (Same goes for other identifying pieces of information e.g. mother's maiden name, date of birth is just the one that comes up most often.)
Hacking and Cracking, Internet security, Cypherpunk. I find these topics fascinating as well as completely over my head.
Yet, there are still some things that can be said to a layman, especially by the ever-poignant Randall Munroe:
Password Strength
Passwords Reuse
I'm guilty on both charges (reusing poorly formulated passwords, not stealing them).
These arguments may be just be the tip of the iceberg of a much larger problem that needs optimizing: Social Engineering, or mainly how it can be used against our interests (to quip Person 2, "It doesn't matter how much security you put on the box. Humans are not secure."). I get the feeling that I'm not managing my risks on the Internet as well as I should.
So the questions I ask are: In what ways do our cognitive biases come into play when we surf the Internet and interact with others? Of which of these biases can actively we protect against, and how? I've enforced HTTPS when available, as well as kept my Internet use iconoclastic rather than typical, but I doubt that's a comprehensive list.
I don't know how usefully I can contribute, but I hope that many on Less Wrong can.