Knowing which rules not to follow, and which things are not actually risks, is essential to deciding where to invest security effort.
Technical and non-technical users alike have a limited budget of time and attention to spend on IT security. If you impose many useless or marginally useful rituals alongside the genuinely effective prophylaxis, users will be forced to drop some measures on their own, and they will not necessarily drop the right ones. It is therefore better to cut the low-value rules early, by policy, than to let users decide for themselves which good practices to abandon.