earlier today i sent out a tweet mentioning a security awareness initiative by the folks at eset and that started off a brief discussion with michael santarcangelo about security awareness and adoption thereof. it could have been a longer discussion, but i quickly realized i had more to say about the subject than could reasonably fit in twitter.
the reason we talk about security awareness is that most people seemingly lack such awareness. but what does that mean? well one of the things it means is that people don't think about the consequences of their actions, they don't think about the possible outcomes. this isn't just some people, either. as michael pointed out, it's all people, even you and i to some degree fail to account for all the possible outcomes. it's also not just about security, but rather about virtually any kind of awareness. some of us are more aware of certain things than others are, and aware of some things more than other things, and of course the amounts are different for each person.
we could, of course, think about such things more so why don't we? in a word: laziness. now i don't mean that in a judgmental way. although laziness certainly isn't well regarded in this day and age, it's not just some character flaw in humans. the argument could be made that it served a purpose, once upon a time. physical laziness, at least, serves to conserve energy, which would have been an advantageous evolutionary trait back before we started to gain mastery over our environment, when food was harder to come by. wasting energy foolishly could have hastened starvation, so the fact that we developed a tendency to conserve our strength for when we really needed it is probably a good thing, even though the adaptation doesn't serve us nearly as well now that food is (at least in developed nations) relatively plentiful.
i'm not about to suggest that mental laziness shares the same lineage as physical laziness, however. it would be quite the stretch to suggest that thinking too hard could lead to starvation. mental laziness is something i've been thinking about for a while, why it's there and how to overcome it*. at some point it occurred to me that every moment a person spends thinking about outcomes is a moment that one isn't being in the moment. being in the moment is one of the hallmarks of happiness. being focused on the present instead of the past or the future is something one only does when one is content. one could, then, argue that people don't think about outcomes unless they really have to because it means giving up (if only temporarily) a state of mind in which they experience happiness.
that seems a little wishy washy to me, though, and while i was chatting with michael i had an idea about a possible root of mental laziness that is more like the one for physical laziness i described above. having a tendency to focus on the here and now could have been an advantageous evolutionary trait. being lost in thought when you're out in the wild and you're not the top of the food chain is a good way to become lunch for something else. those that spent too long thinking about abstract concepts got eaten while those who maintained a presence of mind lived on. the fact that contentment and happiness are linked to that mental state could be a neurological reward that evolved to reinforce what was once a beneficial behaviour (it feels good so do it more), much like our tendency to prefer sugary/fatty foods would have aided us in prioritizing energy rich foods when food was less plentiful (it tastes good so eat it more).
of course, the world of today is much different than the world in which such evolutionary traits would have developed, so they don't serve us nearly as well as they once might have. those neurological rewards still reinforce the behaviours in spite of the fact that they're no longer advantageous. some of us have, whether through genetics or conscious effort, become better adapted to various realities of the modern world. those of us who have should count ourselves as lucky rather than looking down our noses at those who haven't adapted as quickly. fighting against millions of years of evolution can't be easy and few of us are really that much further along than anyone else.
i offer these thoughts to serve as a form of perspective. it would be nice if we could just read some books or articles, or attend some classes and then magically overcome whatever it is that is holding back our security awareness. but if i'm right then at least part of what holds us back dates back to the dawn of man, if not earlier. such intrinsic aspects of humanity are not so easily changed, and yet we continue to evolve and adapt.
(*to a certain extent i started trying to overcome others' mental laziness with respect to security with http://www.secmeme.com long before i ever started to think in terms of mental laziness. if i were to describe it uncharitably, i'd say i was trying to trick people into thinking more about security.)