Rethinking Everyday Cybersecurity.
‘Socio-technical systems’ is the term computer scientists use to describe the coexistence of humans and technology within a single system [7]. It reflects the idea that software engineering may focus on code, hardware, and protocols, but the larger system also includes human habits, organizational routines, cultural norms, and regulatory constraints. A wide range of fields, such as human-computer interaction (HCI), usable security, behavioral economics, organizational psychology, and safety science, to name just a few, study how people and machines shape one another.
In this article, I want to highlight one specific angle: how cryptography does not merely secure a socio-technical system technically but also shapes human behavior in ways that strengthen the system as a whole. Cryptographic mechanisms act not only as mathematical protections, but as psychological nudges that structure routines, influence decision-making, and prevent small lapses from escalating into major security failures.
From Morning Routines to Digital Habits
Much of our digital life plays out behind screens, in spaces that feel intangible. In contrast, our physical routines are embodied and intuitive, especially for people who use computers daily but do not have a technical background. Consider your own morning routine. You wake up as your smartphone alarm rings. You turn it off, stretch, open a window for fresh air, and make your bed. You put on a warm hoodie against the cold. You head to the bathroom, brush your teeth, and take care of morning hygiene. You return to close the window, walk to the kitchen, and press the button on the coffee machine. While your coffee brews, you get dressed, gather your belongings (phone, apartment keys, car keys, office access card, gym card, headphones, notebook), and head out. You lock the door, double-check that the lights are off, and only then begin your day.
None of this feels like a burden. These small security-like actions, closing windows, checking for keys, locking the door, are routine, automatic, and uncontroversial. Yet when we shift into digital environments, parallel actions suddenly feel like bothers. At your desk, you unlock your laptop and groan at the extra seconds required for two-factor authentication. You sigh when you must create a new password every few months. You postpone updates because they interrupt your workflow. You step away “just for a second” and leave your screen unlocked. You reuse the same password “just this once.” You click “remind me later” on the backup reminder. You ignore warnings about suspicious emails because you’re in a hurry. Digital equivalents of your morning routine now feel like friction.
But the parallels are almost one-to-one. Two-factor authentication is the digital version of checking that you really have your keys. Locking your screen when you leave your desk is no different from locking your apartment door even if you’re only taking out the trash. Regular software updates are the equivalent of maintaining household appliances so that they don’t fail when you need them. Password hygiene mirrors the routine of keeping different keys for different spaces, i.e. home, office, mailbox, locker, because one single master key for everything would be both impractical and dangerous. Even cryptographic backups resemble keeping a spare key somewhere safe because you know accidents happen.
The Psychology Behind Modern Cybercrime
The deeper issue is that many users fail to perceive these analogies. Socio-technical security breaks down not because the technology is flawed but because the behavioral layer is ignored. When users are disconnected from the meaning of digital safeguards, they perceive only inconvenience rather than protection. This creates openings for attackers who rely overwhelmingly on human vulnerability. Modern cyberattacks rarely begin with sophisticated code exploits; instead, they target people, our habits, blind spots, emotional triggers, and cognitive shortcuts.
Phishing remains the most common entry point: attackers craft emails that mimic trusted senders, prompting users to click malicious links or enter passwords into counterfeit login pages. These messages often weaponize urgency (“Your account will be suspended in 24 hours”), curiosity (“You’ve received a secure document”), or fear (“Suspicious activity detected”). When employees are tired, distracted, or rushing between tasks, they are significantly more likely to click without thinking.

Shoulder-surfing, though old-fashioned, still works remarkably well: someone glancing over your shoulder in a café or coworking space to capture your password, or watching you unlock your phone at the airport security line.

Impersonation scams and pretexting have grown more sophisticated as well. Attackers now research organizational structures on LinkedIn, scrape email signatures, mimic internal writing styles, and call employees pretending to be IT support: “We’re rolling out an urgent security patch; could you read me your verification code to complete the installation?” Many fall for it, especially when the request is wrapped in authority and urgency.

Malicious attachments such as PDFs, spreadsheets, or “secure” invoices still succeed because users trust familiar file formats.

Fake login portals have become indistinguishable from real ones; the URL bar is often the only giveaway, and many users don’t look closely enough to notice a single swapped character. Increasingly, AI-generated social engineering amplifies these risks. Large language models produce flawless grammar, culturally tuned phrasing, and personalized content scraped from social media, removing the telltale signs that once made phishing easy to spot.
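The swapped-character trick described above can be checked mechanically on the defender's side, for example in a browser extension or mail gateway. The following Python is an added example, not code from the original article; it assumes a single trusted domain, a constructed table of confusable glyphs, and treats the last two labels of a hostname as its registrable part (a simplification that ignores suffixes such as co.uk).

```python
"""Defender-side check for look-alike login domains (added example, not
from the original article). Flags hosts that differ from a trusted domain
by one swapped character, a confusable glyph, or by embedding the trusted
name as a label of an unrelated domain."""
from urllib.parse import urlsplit

# Constructed table: glyphs commonly substituted for ASCII letters.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "\u0131": "i",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}

def fold(host: str) -> str:
    """Lower-case, decode punycode, and map confusable glyphs to ASCII."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # host already contains non-ASCII characters; nothing to decode
    host = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    return host.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; hostnames are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str, trusted: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the host in url."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    folded = fold(host)
    # Trusted name used as a leading label, e.g. trusted.com.evil.example
    if folded.startswith(trusted + ".") or "." + trusted + "." in folded:
        return "lookalike"
    # Assumption: the last two labels are the registrable domain (ignores co.uk etc.)
    candidate = ".".join(folded.split(".")[-2:])
    if candidate == trusted or edit_distance(candidate, trusted) == 1:
        return "lookalike"
    return "unrelated"
```

A hit on "lookalike" is a signal to warn the user before credentials are typed, not proof of fraud; legitimate domains one edit away from a trusted one do exist.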

Attackers can now mass-generate individualized lures at scale, targeting employees based on role, project involvement, or emotional vulnerability, for instance by referencing a real ongoing initiative or mimicking a supervisor’s tone perfectly.

What makes these attacks devastating is not technical ingenuity but their exploitation of the everyday realities of human work. People experience annoyance when repeatedly asked for verification. They feel impatience when barriers interrupt their workflow. Routine fatigue sets in when tasks become repetitive and seemingly pointless. And above all, humans have an inherent desire to “just get the task done”, to complete a request quickly, especially when under time pressure or when the request appears to come from a superior.
Attackers understand this human boundary far better than most organizations do. They know that technical infrastructure, including firewalls, encryption, and intrusion detection systems, is increasingly robust and difficult to penetrate directly. But a single distracted click can circumvent all of it. A single moment of impatience can unlock the door entirely. And this asymmetry is precisely what attackers exploit: they do not need to defeat the system; they only need to convince one person to bypass it on their behalf.
This is why socio-technical security is not merely a technical challenge but a behavioral one. It requires designing environments, routines, and safeguards that work with human psychology rather than against it: systems that make doing the secure thing the easiest thing, not an extra burden people must remember to carry.
Making Secure Behavior Feel Effortless
Yet applying a minimum level of care is easier than it seems. When you pour your morning coffee, you instinctively hold the mug steadily to avoid spilling and staining your clothes. It’s automatic. You don’t resent this extra caution; it’s simply part of the task. The same spirit applies to basic cybersecurity. Locking your screen, verifying a sender before clicking a link, taking the extra second to approve a 2FA prompt, or running an update before shutting down are not obstacles. Quite the contrary: they are the digital equivalents of closing windows, locking doors, and checking pockets before leaving home. They take seconds but prevent hours, days, or even months of damage.
Socio-technical systems can be engineered to be extraordinarily robust, but the strongest cryptography in the world cannot compensate for a careless click or an unlocked workstation. The human component will always remain the most unpredictable and therefore the most vulnerable part of any security architecture. But humans can also be the strongest asset when their digital habits align with the technical safeguards designed to protect them. And that begins by recognizing that cybersecurity is not separate from daily life; it is simply the digital continuation of routines we already practice effortlessly every morning.
Jennifer-Marieclaire Sturlese
Sources
All icons have been created with Dall’e
Socio-technical Systems Engineering Handbook