Perils of Looking but Not Seeing

 Introduction

As we go about our lives and work there is a good chance we often look but do not see what is around us. Depending on the situation this can either be harmless such as sitting at the window of train watching fields go by but can turn deadly such as looking at the traffic lights and failing to see whether it is red or green leading to crash as you go straight through. 

The key difference between them is to look at something means to gaze your eyes upon or acknowledge its presence. In order to see, not only does one look at the object but also understands it and pays attention to it. To look and to see are two different things, even if they both refer to visual perception. Visual perception is the ability to see and interpret our surroundings by processing information contained in visible light.

Merriam Webster defines ‘looking’ as, “to ascertain by the use of one's eyes; to exercise the power of vision upon; to search for.”  In layman terms, to look at something means to gaze your eyes upon or acknowledge its presence. It is considered as a passive action. For example, Sarah asked Sam to look at her new watch. In this example, Sarah is telling Sam to acknowledge the presence of her new watch, all he needs to do is glance at the watch and acknowledge that Sarah has bought a new watch.

‘Seeing’ is defined as, “To perceive by the eye; to perceive or detect as if by sights.” It is a more active action. In order to see, not only does one look at the object but also understands it, perceives it and pays attention to it. Perception means recognising or relating what the eyes see with prior knowledge of the object. Let’s take the same example of Sarah and Sam. When Sarah shows her new watch to Sam, he sees it instead of just looking at it. He goes on to notice that it is different from the one Sarah had before. This means to see, not only just acknowledging it, but also understanding it and paying attention to it. It also means to look past the just obvious and actually take time to notice. 

It is important to acknowledge this because often when things go wrong or when we make mistakes realising can sometimes be put down to looking but not seeing. So we overlook or fail to understand what had gone wrong. 

But also this is linked to the issue of hindsight bias after the matter has passed. While hindsight is a useful way to acknowledge mistakes and to learn to do things differently trying to be clever with hindsight is a quick way to cause more problems or not to solve problems. 

Examples of Looking but Not Seeing 

The examples I will give may seem I am picking on the Americans I believe that they show the extreme consequences of looking but not seeing and the shortsightedness of always having a homogeneous group of people making decisions.  

There are a couple of articles which illustrate this:
They both illustrate in my opinion of looking and seeing only what you want to see while falling to see and understand what is actually in front of you. Though in both cases the CIA and US military have taken steps to try and rectify gaps in their knowledge and capabilities.  

Applied to Cybersecurity

In cybersecurity looking but not seeing has the potential to be a major issue because the enterprise attack surface is massive and growing rapidly. There are practically unlimited permutations and combinations of methods through which an adversary can attack and compromise the networks of an organisation. 

This is illustrated quite well as a graph:

The enterprise attack surface

The x-axis includes the organisation's traditional infrastructure (servers, databases, switches, routers, and so forth), applications (standard and custom), endpoints (managed, un-managed, mobile and fixed, IoTs, industrial controllers, and so forth), and cloud apps (sanctioned and unsanctioned).

At the right end of the x-axis, there are the organisation's third-party vendors. The x-axis effectively repeats itself recursively in the organisation's supply chain, where each third-party vendor is an entity with an x-axis and attack surface just like that of the organisation, and this brings risk into the enterprise network because of certain trust relationships. The ellipses on the x-axis indicate that these categories of assets are large sets. It is quite difficult for most organizations to even enumerate their x-axis with accuracy.

On the y-axis, there are the different methods of attacks—starting from simple things like weak and default passwords, reused password, passwords stored incorrectly on disk, or transmitted in the clear, on to more complex things like phishing, social engineering, and unpatched software. Further down the y-axis, there are zero-day vulnerabilities—security bugs that are "unknown" until they are first used by an adversary. There are quite literally 100s of items on the y-axis in dozens of categories.

Each point in this x-y graph represents one way by which adversaries can compromise an enterprise asset. 

Being able to overview all these assets, identifying vulnerabilities and ensuring they have protected quickly becomes a task requiring numerous tools, monitoring systems and a mindset that is always vigilant. Meeting them is rarely easy. 

These challenges may become harder to tackle as companies that have affected by the events of COVID-19 this year look to save money by cutting budgets. This could to fewer personal to oversee the managing of security measures and implementations. Which has the potential for warnings and problems to be missed or overlooked. Though some companies will aim to replace the loss of personal with automatic systems they still often require human intervention and active action to reach their full effectiveness. 

Conclusion

I have been meaning to write about the topic of 'looking but not seeing' as I think from a human factors perspective in cybersecurity it illustrates the type of mindset you have to avoid in cybersecurity practice in my opinion. Though how you teach or inform someone about this is not often straightforward as most people are bad at examining and reflecting on their own actions and behaviour. Also, it is not something which could be fixed with more or better technology. While a technology or design solution could present information to the person in a better way it still relies on that person taking active not and understanding what is being presented to them. Hopefully, this post has raised a few interesting ideas and I would encourage further reading around this.

Sources

Comments

Popular posts

Personal Interest - Unbuilt fleets of the Royal Navy

Personal Interest - RAF Unbuilt Projects

Balancing functionality, usability and security in design