Peripheral vision

Part of security awareness is situational or contextual awareness - being alert to potential concerns in any given situation or context. At its core, it is a biological capability, an inherent and natural part of being an animal. 

Think of meerkats, for instance, constantly scanning the area for predators and other potential threats.

We humans are adept at it too, particularly in relation to physical safety issues. The weird creepy feeling that makes the hairs stand up on the back of your neck as you wander down a dark alley is the result of your heightened awareness of danger triggering hormonal changes. A rush of adrenaline primes you for the possible fight or flight response. I'm talking here about reflexes acting a level below conscious thought, where speed trumps analysis in decision-making.

When 'something catches your eye', it's often something towards the edge of your visual field: peripheral light receptors coupled with the sophisticated pattern-recognition capability in your visual cortex spot changes such as sudden movement and react in an instant, before your conscious brain has had the chance to figure out what it is. 

The same innate capability is what makes it hard to swat a housefly with your hand. It sees and responds to the incoming hand by springing up and away in milliseconds. [If you use a swatter with a lattice pattern, however, its compound eye and tiny brain get confused over which way to fly - a fatal error!]

You can probably guess where this is going. Security awareness works at both the conscious and subconscious levels. Short of radical surgery or a few million years of evolution, we can't change our biology ... but we can exploit it.

The conscious part revolves around rational thought - for example knowing that you might be sacked for causing a serious incident, or promoted for preventing one (if only!). We routinely inform, teach, instruct and warn people about stuff, encouraging them to do the right thing and behave sensibly. We hand out leaflets and briefings. We tell them to read and take note of the warning messages about dangerous links and viruses. We make them acknowledge receipt of the security policies, perhaps even test to make sure they have read and understood them. Through our security awareness service, we go a step further, prompting professionals and managers to address the information risks and implement good practice security controls.

The subconscious part is more subtle. We don't just tell, we show - demonstrating stuff and getting people to practise their responses through exercises. We find interesting angles on stuff, using graphic illustrations and examples to open their eyes to the underlying issues. We intrigue and motivate them, pointing out the dangers in situations that they would otherwise fail to recognize as such, removing their blinkers. We enhance their peripheral vision, and appeal to their emotions as well as their logical brains. We make the shiny stuff glint, and make things feel uncomfortable when something isn't quite right. We like creepy. We heat topical infosec issues to make them hot, and chill good stuff to make it cool.

Consider the WannaCry incident: we couldn't predict precisely how, where or when the attack would come, but effective security awareness programs made people sufficiently alert to spot and react to the warning signs in a non-specific way. We're establishing a generalized capability, more than simply knowing about the particular nasty that happens to be ransomware ... or malware or phishing or social engineering or scams or ... whatever.

The subconscious element is vital. If those hairs stand up when people receive dubious emails, phone calls, requests and other information, we are really getting somewhere. They still need to react appropriately, of course, which is generally a conscious activity: don't click the link, and do call the help desk.


PS: I'm reminded of a standout line in the Faithless song, Reverence: "You don't need eyes to see, you need vision".