There is a new video game being released on Aug 21st called BioShock. It will be released for the Xbox 360 and PC - I've already got my copy pre-ordered. If you are interested there is a great Wikipedia page on it.
You may take a look and think it is just another first-person shooter but there is a very important pattern to what these designers are after and at the end of this posting I will tie that back in to how this pattern should apply to designers of vulnerability management and configuration compliance systems. Heck, this pattern applies to all information technology systems but I am getting ahead of myself. What makes this game different is that all the objects in this world work the way you would expect them to and therefore it is the player, not the game design that creates the tactics and strategies. It lets every player of the game express themselves differently and in ways that the game designer may have not predicted. I have come to know this form as 2nd-order game design; it is a game that facilitates games. I'll come back to this in a bit.
A popular thing gamers talk about are 'walk-throughs'. This is a document that some awesome player authored describing in fairly static terms the step-by-step progression of a game start to finish. It is a linear progression of what the game designer wants you to experience while you play the game. You are not going to find a walk-through for BioShock because it is all about choice, options, invention, and this static tree-like prescribed experience from the game designer does not apply. The game has an invention system which basically makes you the designer of your own game as you are in the game. In these 2nd-order designs, you are placed in to a world where every player would be entitled to a separate but just as exciting experience. The term 'sandbox' is used sometimes to describe this situation but I think the term falls short in describing the patterns exhibited by 2nd-order designs.
I can point to other systems that leverage this 2nd-order design pattern. One that I think you would will enjoy is http://ldd.lego.com/ Lego Digital Designer. Essentially, the consumer has the same authorship over the creation of a LEGO structure as the designers at Lego. My kid was invited to a birthday party and wanted to build his own Lego toy for his friend. He used this software to design, build a Lego creation and, he uploaded the design model to Lego. Lego, it captures an image of the creation as a label for the and puts it on the outside of a box, assembles all the components and ships your completed design with all the pieces and ships it to you. An important characteristic common to these 2nd-order designs is that the user is equally a consumer and a producer. The Lego Digital Design product is a product that creates markets that create products.
What does this 2nd-order design pattern have to do with Vulnerability Management and Configuration Management? I've been watching this market evolve for the past 10 years and in the beginning, designers/vendors hads a very strong opinion and position on what qualified as a vulnerability and what was "secure" versus 'insecure". Like early 1st-order game designs, the designer "told" the user how they should experience their world. The designers valued systems and opinions were forced on the user of the system and hopefully the two would be in harmony. This is yesterday's pattern and information system architecture will over time, favor the 2nd-order form where the role of designer/producer and user/consumer is dynamically portrayed by every member of the system.
I encourage the designers of information technology systems to get out of their own way; build 2nd-order systems: systems that allow the building of systems. Allow the user to build risk models and domain ontologies that the designer had no comprehension of when the product shipped. Let every player/user express themselves differently and in ways that the designer may have not predicted.
I have a vision of how information systems will evolve and hopefully in the coming days I'll blog about it.
--tk