There are a number of different control types, to name a few there are Deterrent, Preventative, Detective, Corrective, and Compensating controls. The idea being that each type of control will specialize in providing a different type of security.
In the case of your padlock, that would fall under a deterrent control, since it is something intended to be noticeable and keep people away. Other examples would be a sign that warns people of a guard dog, visible security cameras, etc. Basically anything that can delay or deter an attack.
Preventative controls are in place to stop something from happening, so again the lock would fall into this category as well.
The best practice is to layer security across many different control types (and vendors) to mitigate the chances of an attack being successful. However, there is no such thing as risk elimination, just that you can reduce them down to acceptable risk as much as possible.
The main point is that the security should cause an attacker more trouble that the data inside is worth, ie. not worth the effort. Although im sure that there are probably people out there that would enjoy a challenge purely for the sake of it rather than the potential data that they could get to.
In the case of IT Security, placing warning signs on login to say that a user will be prosecuted would be classed as a deterrent.
If you saw two bikes, one with a big and heavy lock, and one with a small old-looking lock, and you wanted to steal a bike, which one would you choose?
Further Explanation
To explain this further we can break Deterrence controls into sub-categories:
- Technical
- Physical
- Administrative
I'll explain each one individually below.
Techical
Technical controls that would deter a would be attacker are quite limited, in the case that the purpose of all deterrent controls is simply to try and stop someone from attempting to attack. For technical controls we can use warning signs on login pages, a proxy server that redirects to warn users a certain site is restricted, etc. It doesn't go any further than this though
Physical
Physical controls are anything that would make it look difficult to attack. Things like a high fence, visible cameras, floodlights, etc. would all be classed as physical deterrence controls. Signs that state that areas are off limits, would be another.
Administrative
Administrative controls contain policies, guidelines and standards. For example, a strict security policy that states severe consequences for violation would fall under this category. Training for awareness would also be an example here.
In summary, anything that makes a target look more difficult without actually implementing anything to stop them are classed as deterrence controls. There is usually some overlap, especially with preventative controls, because things like a locked door, or a high fence can fall under both categories.
If you want some further reading on the other types of access controls here is a short blog from a CISSP study guide that explains them quite well: http://cisspstudy.blogspot.com/2007/05/types-of-access-control.html