Egon Brunswick (1903-1955) argued that organisms (read “people”) exist within an environment with which they interact, and which in part shapes their behaviour. So the idea has been around for a while now, but security practitioners don’t seem to have caught on to its relevance to cyber. Instead, users are given advice based on the view that security decisions are some kind of special case, standing outside the day to day work environment. Might be time to take some baby steps towards understanding how the work environment shapes people’s security decisions?