Perils of Looking but Not Seeing

 Introduction

As we go about our lives and work there is a good chance we often look but do not see what is around us. Depending on the situation this can either be harmless such as sitting at the window of train watching fields go by but can turn deadly such as looking at the traffic lights and failing to see whether it is red or green leading to crash as you go straight through. 

The key difference between them is to look at something means to gaze your eyes upon or acknowledge its presence. In order to see, not only does one look at the object but also understands it and pays attention to it. To look and to see are two different things, even if they both refer to visual perception. Visual perception is the ability to see and interpret our surroundings by processing information contained in visible light.

Merriam Webster defines ‘looking’ as, “to ascertain by the use of one's eyes; to exercise the power of vision upon; to search for.”  In layman terms, to look at something means to gaze your eyes upon or acknowledge its presence. It is considered as a passive action. For example, Sarah asked Sam to look at her new watch. In this example, Sarah is telling Sam to acknowledge the presence of her new watch, all he needs to do is glance at the watch and acknowledge that Sarah has bought a new watch.

‘Seeing’ is defined as, “To perceive by the eye; to perceive or detect as if by sights.” It is a more active action. In order to see, not only does one look at the object but also understands it, perceives it and pays attention to it. Perception means recognising or relating what the eyes see with prior knowledge of the object. Let’s take the same example of Sarah and Sam. When Sarah shows her new watch to Sam, he sees it instead of just looking at it. He goes on to notice that it is different from the one Sarah had before. This means to see, not only just acknowledging it, but also understanding it and paying attention to it. It also means to look past the just obvious and actually take time to notice. 

It is important to acknowledge this because often when things go wrong or when we make mistakes realising can sometimes be put down to looking but not seeing. So we overlook or fail to understand what had gone wrong. 

But also this is linked to the issue of hindsight bias after the matter has passed. While hindsight is a useful way to acknowledge mistakes and to learn to do things differently trying to be clever with hindsight is a quick way to cause more problems or not to solve problems. 

Examples of Looking but Not Seeing 

The examples I will give may seem I am picking on the Americans I believe that they show the extreme consequences of looking but not seeing and the shortsightedness of always having a homogeneous group of people making decisions.  

There are a couple of articles which illustrate this:
They both illustrate in my opinion of looking and seeing only what you want to see while falling to see and understand what is actually in front of you. Though in both cases the CIA and US military have taken steps to try and rectify gaps in their knowledge and capabilities.  

Applied to Cybersecurity

In cybersecurity looking but not seeing has the potential to be a major issue because the enterprise attack surface is massive and growing rapidly. There are practically unlimited permutations and combinations of methods through which an adversary can attack and compromise the networks of an organisation. 

This is illustrated quite well as a graph:

The enterprise attack surface

The x-axis includes the organisation's traditional infrastructure (servers, databases, switches, routers, and so forth), applications (standard and custom), endpoints (managed, un-managed, mobile and fixed, IoTs, industrial controllers, and so forth), and cloud apps (sanctioned and unsanctioned).

At the right end of the x-axis, there are the organisation's third-party vendors. The x-axis effectively repeats itself recursively in the organisation's supply chain, where each third-party vendor is an entity with an x-axis and attack surface just like that of the organisation, and this brings risk into the enterprise network because of certain trust relationships. The ellipses on the x-axis indicate that these categories of assets are large sets. It is quite difficult for most organizations to even enumerate their x-axis with accuracy.

On the y-axis, there are the different methods of attacks—starting from simple things like weak and default passwords, reused password, passwords stored incorrectly on disk, or transmitted in the clear, on to more complex things like phishing, social engineering, and unpatched software. Further down the y-axis, there are zero-day vulnerabilities—security bugs that are "unknown" until they are first used by an adversary. There are quite literally 100s of items on the y-axis in dozens of categories.

Each point in this x-y graph represents one way by which adversaries can compromise an enterprise asset. 

Being able to overview all these assets, identifying vulnerabilities and ensuring they have protected quickly becomes a task requiring numerous tools, monitoring systems and a mindset that is always vigilant. Meeting them is rarely easy. 

These challenges may become harder to tackle as companies that have affected by the events of COVID-19 this year look to save money by cutting budgets. This could to fewer personal to oversee the managing of security measures and implementations. Which has the potential for warnings and problems to be missed or overlooked. Though some companies will aim to replace the loss of personal with automatic systems they still often require human intervention and active action to reach their full effectiveness. 

Conclusion

I have been meaning to write about the topic of 'looking but not seeing' as I think from a human factors perspective in cybersecurity it illustrates the type of mindset you have to avoid in cybersecurity practice in my opinion. Though how you teach or inform someone about this is not often straightforward as most people are bad at examining and reflecting on their own actions and behaviour. Also, it is not something which could be fixed with more or better technology. While a technology or design solution could present information to the person in a better way it still relies on that person taking active not and understanding what is being presented to them. Hopefully, this post has raised a few interesting ideas and I would encourage further reading around this.

Sources

Comments

Post a Comment

Popular posts

Balancing functionality, usability and security in design

Image
Introduction When designing new devices or applications there is a requirement nowadays to consider there functionality, usability and security. While there has been a push through secure-by-design guidelines for security to be built-in from the beginning there are still gaps in implementation and part of these gaps are design considerations of functionality and usability. Part of this that doing security well is hard work, but it should never block useful functionality for the user. Ideally, when security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. Though achieving this balance is admittedly not straightforward. This blog post will aim to look at this triad and how they can be balanced and not compromise each other. Defining the Triad in design A triangle can be used to help explain the relationship between the concepts of security, functionality and ea
Read more

Personal Interest - Unbuilt fleets of the Royal Navy

Image
Introduction Throughout the 20th Century the Royal Navy designed and examined different types of fleets that were never realised either due to budget constraints, arms treaties or the changing nature of war. These are only a few examples of the different types of unbuilt fleets. Some of these had prototypes built and tasted for the Royal Navy which would serve as technological testbeds. Images and info from secret projects forum, shipbucket, popular mechanics/science and naval-matters. Washington Naval Treaty (WNT) The  Washington Naval Treaty  was a treaty signed during 1922 among the major nations that had won  World War I , which agreed to prevent an  arms race  by limiting naval construction. It was negotiated at the  Washington Naval Conference , held in  Washington, D.C. , from November 1921 to February 1922, and it was signed by the governments of the United Kingdom, the United States, France, Italy, and Japan. It limited the construction of  battleships ,  battlecruisers
Read more

Personal Interest - RAF Unbuilt Projects

Image
  Introduction This blog post looks at the different groups of cancelled RAF projects. It will focus on the 50s, 60s, 90s/00s and a brief look at hypersonic research projects. While these projects were often cut or cancelled for budget or austerity reasons, they were also pushed by the changing nature of warfare firstly from conventional style WW2 warfare to the predicated quick, short scale nuclear war which was expected from 1947 to 1989. Later from the 90s and into the 21st Century a change from state on state conflict to facing insurgencies, counter-terrorism and peacekeeping missions again led to a change in how wars are fought. Though the work and research done on these projects would rarely go to waste with it being used and applied in other projects and works even if sometimes it could take another ten or twenty years before anything operational came of that work. There won't be large amounts of text explaining or exploring the designs there are far better sources for th
Read more