<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Patterns</title>
      <link>http://blog.ncircle.com/blogs/patterns/</link>
      <description></description>
      <language>en-us</language>
      <copyright>Copyright 2008</copyright>
      <lastBuildDate>Wed, 23 Apr 2008 21:49:40 -0800</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <item>
         <title>Yes, update now...Xbox 360 style</title>
         <description>&lt;p&gt;Call me paranoid, call me whatever you like, but if you are going to download software to my system please offer me the chance to review the ingredients before I click OK.&amp;nbsp; Ultimately, it would be nice to know what I am about to approve, don&amp;rsquo;t you think?&lt;/p&gt;
&lt;p&gt;I wonder if I am the only one that feels this way.&amp;nbsp; Major applications and OSes do a great job of offering this review before a user approves the update, but such is not the case in the land of the Xbox 360 game console.&amp;nbsp; Sure, you could argue that a console gamer is not going to know a DLL from LSD, but nonetheless, offering optional information about what the update is going to do for them is good form.&amp;nbsp;&amp;nbsp; In Xbox360 land, you get a screen that looks something like this&lt;/p&gt;
&lt;p&gt;&lt;img alt=&quot;Xbox360update-screen1&quot; src=&quot;http://blog.ncircle.com/blogs/patterns/xbox360update_2Dscreen1.jpg&quot; border=&quot;0&quot; /&gt;&lt;/p&gt;
&lt;p&gt;and it would be great if the X or Y button gave you&amp;nbsp;information on what was about to change on your system.&amp;nbsp; And while you&amp;rsquo;re taking down my feature request, wonderful product manager of the Xbox 360, it would be nice to see the update history of the machine.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;Does the information exist?&amp;nbsp; Sure it does but you have to really hunt for it and I&amp;rsquo;m not sure all the updates have made it to the web.&amp;nbsp; For example, &lt;a href=&quot;http://blogs.msdn.com/xboxteam/archive/2007/11/30/december-2007-system-update.aspx&quot;&gt;http://blogs.msdn.com/xboxteam/archive/2007/11/30/december-2007-system-update.aspx&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.xbox.com/en-US/community/news/2006/1030-novemberupdate-completelist.htm&quot;&gt;http://www.xbox.com/en-US/community/news/2006/1030-novemberupdate-completelist.htm&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;From a security standpoint, it just spooks me out when I approve an update to my system and have no idea what has downloaded or what has been modified.&amp;nbsp; The number of independent game developers for Xbox360/Xbox-live is taking off and &lt;a href=&quot;http://forums.xna.com/ShowThread.aspx?PostID=46554&quot;&gt;Microsoft has a solid program&lt;/a&gt;.&amp;nbsp; Let&amp;rsquo;s just say that things will start to get very interesting. &lt;/p&gt;
&lt;p&gt;&amp;mdash;tk&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2008/04/yes_update_nowxbox_360_style.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2008/04/yes_update_nowxbox_360_style.html</guid>
        
        
         <pubDate>Wed, 23 Apr 2008 21:49:40 -0800</pubDate>
      </item>
            <item>
         <title>Typo in Rebates</title>
         <description>&lt;p&gt;I buy lots of electronics and have been experiencing a trend lately with rebates.&amp;nbsp; It may be just paranoia on my part but thought I would post this blog entry to see if anyone else is seeing the same pattern.&lt;/p&gt;
&lt;p&gt;I bought another LCD monitor and with it was a mail-in rebate for 30.00.&amp;nbsp; Like all of these, you&amp;nbsp;spend time&amp;nbsp;to gather the required information, send it in, and after a good 6 weeks&amp;rsquo; time,&amp;nbsp;you get a check.&amp;nbsp; Done?&amp;nbsp; Not quite, because the &amp;ldquo;Pay To the Order of&amp;rdquo; has misspelled my last name.&amp;nbsp; If this was the first time this happened, it would not be an issue, but 3 times in the last 6 months, something seems wrong.&lt;/p&gt;
&lt;p&gt;Could it be that there is a strategy out there to raise the cost of accounting on the payee so that they at some point think it is not even worth it to pursue?&amp;nbsp; I wish we could see the statistics of all the people who go through with the mail-in but because of the run around, end up ultimately not redeeming their rebate.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;This information is not available so all we have to go on are patterns and paranoia.&amp;nbsp; Is 30 minutes of sitting on hold and filing more paperwork worth $30.00?&amp;nbsp; At some point, everything comes to a cost/benefit decision.&lt;/p&gt;
&lt;p&gt;&amp;mdash;tk&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2008/04/typo_in_rebates.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2008/04/typo_in_rebates.html</guid>
        
        
         <pubDate>Sun, 13 Apr 2008 11:11:56 -0800</pubDate>
      </item>
            <item>
         <title>RSA 2008 Exhibition Floor</title>
         <description>&lt;p&gt;Anyone who has been going to RSA year after year has seen lots of change.&amp;nbsp; Changes in the quantity of vendors, changes in the vendor types, changes in the booth personnel, even changes in the &lt;a href=&quot;http://www.urbandictionary.com/define.php?term=swag&quot;&gt;swag &lt;/a&gt;you get if you sit through a presentation.&amp;nbsp; I&amp;rsquo;m so glad we are past that dry spell of just pens and mints; we like t-shirts, USB-drives and remote control helicopters!&amp;nbsp; This year was a great show and I&amp;rsquo;d like to share with you some observations.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;When I first started going to RSA, there were more vendors than there were customers.&amp;nbsp; It was a huge vendor boondoggle and while the business development people were having a great time, I was looking for customers to speak with and have a great conversation about what they were looking for at the show and what type of problems they were trying to solve.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;This year was great in terms of customers-to-vendor ratio.&amp;nbsp; We had a great turnout at our booth and I&amp;rsquo;ve almost lost my voice from non-stop conversations.&amp;nbsp;&amp;nbsp;What does this change mean for&amp;nbsp;future RSA shows?&amp;nbsp; I remember one year being at the show and having a customer tell me &amp;ldquo;You know what TK, this is a show of car parts, and frankly, I need transportation.&amp;rdquo;.&amp;nbsp; I&amp;rsquo;ll never forget this statement and I have a working theory.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;In the early days of the RSA show, the exhibitors sold all kinds of parts that, when put together by a skilled craftsman, created a powerful solution.&amp;nbsp; Composability was more important than Usability.&amp;nbsp; As the attendees&amp;nbsp;change to more of a business level buyer persona, consumers that are not security subject matter experts, we move toward deeper solutions where Usability trumps Composability.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;img alt=&quot;Blog-RSA2008&quot; src=&quot;http://blog.ncircle.com/blogs/patterns/blog_2DRSA2008.jpg&quot; border=&quot;0&quot; /&gt;&lt;/p&gt;
&lt;p&gt;When I hear those words &amp;ldquo;&amp;hellip;this is a show of car parts, and frankly, I need transportation.&amp;rdquo;, I imagine a trend on the exhibit floor dominated by much more complete solutions.&amp;nbsp; Products designed for a persona that does not know how to fire up a debugger, does not know how to read a set of ACLs, but knows how to read market results and can use Excel to model any financial system you can imagine.&amp;nbsp; That might be a little extreme but nonetheless, the customers outnumber the vendors by a larger and larger margin.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;I predict that RSA next year will have fewer small highly technical one-trick-pony companies and more multi-product solutions and managed services companies.&amp;nbsp; To use that great quote, there will be more vendors selling cars and transportation services than there will be vendors selling parts.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;&amp;mdash;tk&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2008/04/rsa_2008_exhibition_floor.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2008/04/rsa_2008_exhibition_floor.html</guid>
        
        
         <pubDate>Thu, 10 Apr 2008 21:15:54 -0800</pubDate>
      </item>
            <item>
         <title>Why are we still having to deal with downtime?</title>
         <description>&lt;p&gt;Xbox LIVE will be unavailable for approx. 3 hrs on April 1&lt;sup&gt;st&lt;/sup&gt; from 2pm PDT&lt;/p&gt;
&lt;p&gt;Huh?&amp;nbsp; With all that virtualization, load balancing, and other service abstraction strategies we have today, why do we still have to deal with scheduled downtime?&lt;/p&gt;
&lt;p&gt;I understand that we cannot plan on ever getting rid of an unscheduled outage because &amp;ldquo;stuff happens&amp;rdquo; but we certainly have at our fingertips methods that can avoid scheduled downtime once and for all. &lt;/p&gt;
&lt;p&gt;I&amp;rsquo;m just bitter because it may take a bite out of my Halo3 Team Slayer.&amp;nbsp; The Master Chief would never allow for scheduled downtime!&amp;nbsp; It must be the work of the Covenant.&amp;nbsp; The fight continues&amp;hellip;&lt;/p&gt;
&lt;p&gt;&amp;mdash;tk&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2008/03/why_are_we_still_having_to_dea.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2008/03/why_are_we_still_having_to_dea.html</guid>
        
        
         <pubDate>Fri, 28 Mar 2008 12:17:57 -0800</pubDate>
      </item>
            <item>
         <title>Vitruvius qualities of well designed information systems</title>
         <description>&lt;p&gt;&lt;font face=&quot;Trebuchet MS&quot;&gt;At South-by-Southwest I&amp;nbsp;attended a talk given by Jennifer Fraser on Vitruvius, who was the first Roman architect to write about the craft.&amp;nbsp; I saw some invariant patterns of good design that could be useful as we design information systems.&amp;nbsp; The warning I must underline is that building physics-based systems is different from building information-based systems; at least this is true in March of 2008.&amp;nbsp; Rival goods are not the same as non-Rival goods.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face=&quot;Trebuchet MS&quot;&gt;Marcus Vitruvius Pollio was born ~80 BC and died 25 BC.&amp;nbsp; Regardless of his abilities as an architect, he lives today because he was the person who wrote about the craft and documented the essence of the architecture of his time.&amp;nbsp; If being referenced some 2000+ years later is not enough of a value proposition to get you to document your contribution, &amp;nbsp;I don&amp;rsquo;t know what is.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;img height=&quot;299&quot; alt=&quot;Image&quot; src=&quot;http://www.arcspace.com/books/vitruvius/2vitruvius.jpg&quot; width=&quot;320&quot; border=&quot;0&quot; /&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face=&quot;Trebuchet MS&quot;&gt;Jennifer referenced De architectura (Latin: &amp;ldquo;On architecture&amp;rdquo;) which consisted of 10 scrolls and &amp;ldquo;The Ten Books on Architecture&amp;rdquo; which is the translation and available on books.google.com.&amp;nbsp; Vitruvius said that well-designed buildings must exhibit three qualities: firmitas, utilitas, and venustas.&amp;nbsp; Respectively, utility, attractiveness, stability.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face=&quot;Trebuchet MS&quot;&gt;Looking at information system design, these qualities are also beneficial.&amp;nbsp;&amp;nbsp;What is interesting in&amp;nbsp;Jennifer&amp;rsquo;s&amp;nbsp;presentation is that applications at some moment in time can be mapped to a vector in a firmitas, utilitas, and venustas space.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face=&quot;Trebuchet MS&quot;&gt;&lt;img alt=&quot;Vitruvius-diag&quot; src=&quot;http://blog.ncircle.com/blogs/patterns/vitruvius_2Ddiag_small.jpg&quot; border=&quot;0&quot; /&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face=&quot;Trebuchet MS&quot;&gt;For example, an application can be at position &amp;lsquo;X&amp;rsquo; when it is in demo format and ultimately its goal is to move to position &amp;lsquo;Z&amp;rsquo;.&amp;nbsp; There are times when an application would be not as attractive or has low utility but is ultra stable like &amp;lsquo;Y&amp;rsquo;; its goal over time is to get to position &amp;lsquo;Z&amp;rsquo;.&amp;nbsp; &lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face=&quot;Trebuchet MS&quot;&gt;Another thing that was clear was how Vitruvius understood his users.&amp;nbsp; He had an intimate understanding of who would occupy the dwelling and what tasks they would perform on a daily basis.&amp;nbsp; Up front in the design was serious&amp;nbsp;consideration for private and public spaces.&amp;nbsp; I can see how this has a parallel with information systems.&amp;nbsp; &lt;/font&gt;&lt;/p&gt;
&lt;p&gt;Vitruvius is quoted as saying &amp;ldquo;The eye is always in search of beauty&amp;rdquo; and who can argue with that.&amp;nbsp; We should set our design goals high and demand beauty, utility, and stability.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;&amp;mdash;tk&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2008/03/vitruvius_qualities_of_well_de.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2008/03/vitruvius_qualities_of_well_de.html</guid>
        
        
         <pubDate>Sun, 09 Mar 2008 19:48:57 -0800</pubDate>
      </item>
            <item>
         <title>South by Southwest 2008</title>
         <description>&lt;p&gt;&lt;font face=&quot;Trebuchet MS&quot;&gt;Check out&lt;/font&gt; &lt;a href=&quot;http://sxsw.org/&quot;&gt;http://sxsw.org/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;img alt=&quot;Sxsw-badge&quot; src=&quot;http://blog.ncircle.com/blogs/patterns/sxsw_2Dbadge_small1.jpg&quot; border=&quot;0&quot; /&gt;&lt;/p&gt;
&lt;p style=&quot;FONT-SIZE: 11pt; MARGIN: 0in; FONT-FAMILY: Calibri&quot;&gt;&lt;font face=&quot;Trebuchet MS&quot; size=&quot;2&quot;&gt;It is South by Southwest time again and Austin, Texas is completely consumed by inventors, designers, artists, gamers, authors, and any other&lt;span style=&quot;mso-spacerun: yes&quot;&gt;&amp;nbsp;&lt;/span&gt;category that describes a creative class.&amp;nbsp; The beauty of this conference is that it brings together many creative disciplines and everyone shares their passion.&amp;nbsp; It is the intersection of software, film, and music.&amp;nbsp; &lt;/font&gt;&lt;/p&gt;
&lt;p style=&quot;FONT-SIZE: 11pt; MARGIN: 0in; FONT-FAMILY: Calibri&quot;&gt;&lt;font face=&quot;Trebuchet MS&quot; size=&quot;2&quot;&gt;&amp;nbsp;&lt;/font&gt;&lt;/p&gt;
&lt;p style=&quot;FONT-SIZE: 11pt; MARGIN: 0in; FONT-FAMILY: Calibri&quot;&gt;&lt;font face=&quot;Trebuchet MS&quot; size=&quot;2&quot;&gt;Today was registration and&amp;nbsp;as you can see by my badge, I&amp;rsquo;ll just attend the technical sessions this year.&amp;nbsp; If I sound a little bummed about that, it is because there are a few bands this year that I really wanted to see but things are just too busy at work.&amp;nbsp; Oh well.&amp;nbsp; This afternoon, I sat in on a good talk about JavaScript patterns and tomorrow I&amp;rsquo;m looking forward to some great design sessions.&amp;nbsp; I&amp;rsquo;ll blog some of my thoughts.&amp;nbsp; &lt;/font&gt;&lt;/p&gt;
&lt;p style=&quot;FONT-SIZE: 11pt; MARGIN: 0in; FONT-FAMILY: Calibri&quot;&gt;&lt;font face=&quot;Trebuchet MS&quot; size=&quot;2&quot;&gt;&amp;nbsp;&lt;/font&gt;&lt;/p&gt;
&lt;p style=&quot;FONT-SIZE: 11pt; MARGIN: 0in; FONT-FAMILY: Calibri&quot;&gt;&lt;font face=&quot;Trebuchet MS&quot; size=&quot;2&quot;&gt;&amp;mdash;tk&lt;/font&gt;&lt;/p&gt;
&lt;p style=&quot;FONT-SIZE: 11pt; MARGIN: 0in; FONT-FAMILY: Calibri&quot;&gt;&amp;nbsp;&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2008/03/south_by_southwest_2008.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2008/03/south_by_southwest_2008.html</guid>
        
        
         <pubDate>Fri, 07 Mar 2008 21:56:52 -0800</pubDate>
      </item>
            <item>
         <title>g4m3 0n!</title>
         <description>&lt;p&gt;Hey, I want to apologize for being absent for so long.&amp;nbsp; I have a lot of stuff to write about and I&amp;rsquo;ll be getting it out in 2008.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;img alt=&quot;Zerosum-tictac&quot; src=&quot;http://blog.ncircle.com/blogs/patterns/zerosum_2Dtictac.jpg&quot; border=&quot;0&quot; /&gt;&amp;nbsp;&amp;nbsp; &lt;/p&gt;
&lt;p&gt;Will you be at RSA?&amp;nbsp; I&amp;rsquo;m giving a talk on Game Theory and how these patterns can be applied to IT Security.&amp;nbsp; Check your program and don&amp;rsquo;t be shy &amp;ndash; come over and say hello.&lt;/p&gt;
&lt;p&gt;&amp;mdash;tk&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2008/03/g4m3_0n.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2008/03/g4m3_0n.html</guid>
        
        
         <pubDate>Fri, 07 Mar 2008 21:31:02 -0800</pubDate>
      </item>
            <item>
         <title>2nd-Order Design Patterns</title>
         <description>&lt;p&gt;There is a new video game being released on Aug 21st called &lt;a href=&quot;http://en.wikipedia.org/wiki/Bioshock&quot;&gt;BioShock&lt;/a&gt;.  It will be released for the Xbox 360 and PC - I've already got my copy pre-ordered.  If you are interested there is a &lt;a href=&quot;http://en.wikipedia.org/wiki/Bioshock&quot;&gt;great Wikipedia page on it&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;img src= &quot;http://blog.ncircle.com/blogs/patterns/GFWfob.gif&quot; align=&quot;left&quot; hspace=&quot;10&quot; vspace=&quot;5&quot;&gt;&lt;/p&gt;

&lt;p&gt;You may take a look and think it is just another first-person shooter but there is a very important pattern to what these designers are after and at the end of this posting I will tie that back in to how this pattern should apply to designers of vulnerability management and configuration compliance systems.  Heck, this pattern applies to all information technology systems but I am getting ahead of myself.  What makes this game different is that all the objects in this world work the way you would expect them to and therefore it is the player, not the game design that creates the tactics and strategies.  It lets every player of the game express themselves differently and in ways that the game designer may have not predicted.  I have come to know this form as 2nd-order game design; it is a game that facilitates games.  I'll come back to this in a bit.&lt;/p&gt;

&lt;p&gt;A popular thing gamers talk about is the 'walk-through'.  This is a document that some awesome player authored describing in fairly static terms the step-by-step progression of a game start to finish.  It is a linear progression of what the game designer wants you to experience while you play the game.  You are not going to find a walk-through for BioShock because it is all about choice, options, invention, and this static tree-like prescribed experience from the game designer does not apply.  The game has an invention system which basically makes you the designer of your own game as you are in the game.  In these 2nd-order designs, you are placed into a world where every player would be entitled to a separate but just as exciting experience.  The term 'sandbox' is used sometimes to describe this situation but I think the term falls short in describing the patterns exhibited by 2nd-order designs.&lt;/p&gt;

&lt;p&gt;I can point to other systems that leverage this 2nd-order design pattern.  One that I think you will enjoy is http://ldd.lego.com/  Lego Digital Designer.  Essentially, the consumer has the same authorship over the creation of a LEGO structure as the designers at Lego.  My kid was invited to a birthday party and wanted to build his own Lego toy for his friend.  He used this software to design and build a Lego creation, and he uploaded the design model to Lego.  Lego captures an image of the creation as a label and puts it on the outside of a box, assembles all the components, and ships your completed design with all the pieces to you.  An important characteristic common to these 2nd-order designs is that the user is equally a consumer and a producer.  The Lego Digital Design product is a product that creates markets that create products.  &lt;/p&gt;

&lt;p&gt;What does this 2nd-order design pattern have to do with Vulnerability Management and Configuration Management?  I've been watching this market evolve for the past 10 years and in the beginning, designers/vendors had a very strong opinion and position on what qualified as a vulnerability and what was &quot;secure&quot; versus &quot;insecure&quot;.  Like early 1st-order game designs, the designer &quot;told&quot; the user how they should experience their world.  The designer's value systems and opinions were forced on the user of the system and hopefully the two would be in harmony.  This is yesterday's pattern and information system architecture will, over time, favor the 2nd-order form where the role of designer/producer and user/consumer is dynamically portrayed by every member of the system.  &lt;/p&gt;

&lt;p&gt;I encourage the designers of information technology systems to get out of their own way; build 2nd-order systems: systems that allow the building of systems.  Allow the user to build risk models and domain ontologies that the designer had no comprehension of when the product shipped.  Let every player/user express themselves differently and in ways that the designer may have not predicted. &lt;/p&gt;

&lt;p&gt;I have a vision of how information systems will evolve and hopefully in the coming days I'll blog about it.  &lt;/p&gt;

&lt;p&gt;--tk&lt;br /&gt;
&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2007/08/2ndorder_design_patterns_1.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2007/08/2ndorder_design_patterns_1.html</guid>
        
        
         <pubDate>Mon, 20 Aug 2007 14:19:58 -0800</pubDate>
      </item>
            <item>
         <title>Interface No-nos</title>
         <description>&lt;p&gt;How many times have you come across an interface design that leaves you wondering if the designer has ever used the interface themselves?  I have one for you and I'll omit the vendor name and product so that I can communicate these facts without worrying about someone getting upset and missing the point altogether.  Ultimately, we want to learn from mistakes and fix things.&lt;/p&gt;

&lt;p&gt;There is an IP phone on the market that is very full featured.  However, there is one feature that is highly dysfunctional.  It would not be obvious if you just read through the documentation but very obvious when you use the phone.&lt;/p&gt;

&lt;p&gt;The unit has a set of soft-buttons that are dynamic; their functionality is based on the context of your operational state (on call, directory lookups, settings, etc.). For example, if you reach over and adjust the volume up or down, a soft button changes to 'SAVE' so that you can make this adjustment permanent to your preferences.  If in 3 to 4 seconds, you do not hit the soft-button, it changes back from 'SAVE' to its original assignment which is........END CALL.&lt;/p&gt;

&lt;p&gt;Yup, you guessed it, if you hesitate and hit this button too late instead of saving this newly adjusted parameter, you will issue the command to end the call.  Where is the interface police when you need them!&lt;/p&gt;

&lt;p&gt;When dealing with soft-buttons, I think there should be an analysis performed so that functional classes are grouped such that the chances of you accidentally hitting the same button for wildly different commands are reduced.&lt;/p&gt;

&lt;p&gt;What if there was a mouseover type of button on your browser that sensed that if you were in spell correct mode it would bind itself to 'learn word' and if you did not act on it in a few seconds changed back to 'erase all'.  Bad design, no donut.&lt;/p&gt;

&lt;p&gt;I have to just put this in the category of Interface No-Nos because I have not read any research to allow me to place it in any formal category of interface design.  I'm sure you have a bucket of interface no-nos too.  The trick is to always learn from our mistakes.&lt;/p&gt;

&lt;p&gt;--tk&lt;br /&gt;
&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2007/07/interface_nonos.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2007/07/interface_nonos.html</guid>
        
        
         <pubDate>Tue, 03 Jul 2007 09:27:23 -0800</pubDate>
      </item>
            <item>
         <title>On the knowledge of knowledge</title>
         <description>&lt;p&gt;I am often told to relax or switch to decaf when I make a big deal about the words we use in our industry.  I can usually walk away from most of the confusion but one that I cannot let go is the difference between data, information, and knowledge.  This is a personal thing and I have come to know these terms through other domains like Library and Information Science (LIS) and the Knowledge Management industry. &lt;/p&gt;

&lt;p&gt;What is the big deal?  It is not a big deal until the time in which it is.  It's like saying &quot;This book is purely fictional except for those parts which are not&quot;.  In your line of work, you may not at this point need a more granular descriptor; but for what I have been doing these past six years, I need all the help I can get describing these intangible notions that have no physical properties.  Defining information as “stuff” is just not helpful. &lt;/p&gt;

&lt;p&gt;We in information security and risk management have much to learn from other domains like Library and Information Science (LIS).  I have been a very good study and I’m right in the middle of a great book on the Philosophy of Information; oh my god it is awesome. You may be thinking &lt;em&gt;“Philosophy of Information, give me a break.  I have a real job and some real problems to solve.”&lt;/em&gt;  Great, and when you are done solving the problem at hand, think about other domains like the field of law for instance:  while the majority of the field is made up of practitioners who serve the market, there is a small minority concerned with the intellectual underpinnings of the system.  They are made up of legal theorists and philosophers that include the U.S. Supreme Court justices and their like.  What I am saying is that what you may view as an unnatural imbalance in the community of experts is very natural and works quite well in other domains that face similar problems.  &lt;/p&gt;

&lt;p&gt;So let’s get back to this exploration of the difference between the terms data, information, and knowledge.  Even with my years of concentration on this subject matter, I have only scratched the surface but intend to be up to my neck in the Philosophy of Information as it stands today in other fields.  &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Data&lt;/strong&gt;&lt;br /&gt;
Data are described as a set whose members are distinct from one another but lack context beyond just their presence and absence.  &lt;em&gt;For example: 20 IP packets, 300 vulnerabilities, and 600 attacks.&lt;/em&gt;  Value is created at this level by the sheer ability to capture the phenomenon, nothing more, and nothing less.  Through some function X, data is transformed to information.  &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Information&lt;/strong&gt;&lt;br /&gt;
We have come to understand information as an emergent form present when data are presented in context and an information connection is made between observer and that which is observed.  Data from multiple domains are related and presented as a single form: information.  Included in this synthesis are temporal factors that change the resolution of the presentation.  Using the same examples above: &lt;em&gt;&quot;The first 20 packets from a TCP flow established between machine A and Machine B&quot;, &quot;300 distinct vulnerabilities affecting our web-services over the past 5 years&quot;, &quot;600 attacks originating from our servers&quot;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Knowledge or Intelligence&lt;/strong&gt;&lt;br /&gt;
A form of yet another higher order is knowledge or intelligence.  I have found both of these terms interchangeable with the public sector biased toward the term intelligence and the private sector the term knowledge.  Following the structure so far, knowledge then is data in context in context; the observer understanding the information in a context that is broader than what is presented at the time of observation.  An example would be &lt;em&gt;&quot;Last night at 0100 hours, our sensors recorded 600 attacks originating from our extra-net servers with a destination of company X but the first 20 packets from a TCP flow established between machine A on our end and Machine B at company X showed that none of the attacks were exploiting the 300 distinct vulnerabilities affecting our web-services over the past 5 years.&quot;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;As you can see, the value at each logical level is different depending on the processes you are involved in.  The skill is to be able to jump around this cognitive model and with every movement, you the observer are growing your knowledge at a rate that is beyond the sum of what is being presented. &lt;/p&gt;

&lt;p&gt;The form knowledge has some very peculiar properties that are worth mentioning.  As we move further and further away from an economy based on rival-goods, these properties will no longer be in the background and will be center to our discourse.  &lt;/p&gt;

&lt;p&gt;&lt;em&gt;[This collection noted by N. Wiener, A. Toffler, J Piaget, and others, comments by TK]&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Knowledge is inherently non-rival&lt;/strong&gt;&lt;br /&gt;
If I give it to you, I still have it.  As opposed to rival-good where if I sell you something, in the transaction I sell you item A which then I no longer have and you pay me item B which then you no longer have.  &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Knowledge is intangible. &lt;/strong&gt;&lt;br /&gt;
We can’t apply the domain of physics to it but that does not mean we cannot manipulate it. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Knowledge is non-linear&lt;/strong&gt;&lt;br /&gt;
As we begin to develop more and more of an informational understanding of nature itself, we can see that non-linear patterns are much more common than linear patterns.  Even in business, tiny insights can yield huge outputs.  &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Knowledge is relational&lt;/strong&gt;&lt;br /&gt;
An observer attains meaning only when knowledge is held in some ratio to other knowledge.  &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Knowledge mates with other knowledge&lt;/strong&gt;&lt;br /&gt;
This growth is exponential because the more there is, the more synthesis and analysis can be performed, the more new knowledge is created which is then fed back in to the system.  &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Knowledge is observer centric&lt;/strong&gt;&lt;br /&gt;
There is a hermeneutic principle that knowledge follows: The hearer, not the speaker, determines the meaning of an utterance.  Piaget was quoted as saying “He who organizes his experiences organizes the world”  &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Knowledge is explicit or implicit, expressed or not expressed, shared or tacit.&lt;/strong&gt;&lt;br /&gt;
It is at the very edge of our human knowing.  &lt;/p&gt;

&lt;p&gt;All of this research was done in the 1950’s and much of it has still not yet been applied because our community still suffers from what my buddy David Mann calls “Physics-envy”.  The sooner we let go of the paradigms and language of the industrial age, the better.  It really does not matter if you agree or don’t agree; it has already begun.  Everything around us; our media, our social networks, our bodies are all transcending to a data/information/knowledge representation.  I have a few ideas on how to go about managing risk and certainty that may or may not work out, but I can tell you that the methods we are using today are in their sunset years.  &lt;/p&gt;

&lt;p&gt;--TK&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2007/04/on_the_knowledge_of_knowledge.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2007/04/on_the_knowledge_of_knowledge.html</guid>
        
        
         <pubDate>Fri, 27 Apr 2007 13:06:15 -0800</pubDate>
      </item>
            <item>
         <title>Get Naked</title>
         <description>&lt;p&gt;I've been a reader of WIRED magazine since it was released back in the early 90's.   The April 2007 issue was all about business exposing themselves or as the cover suggests &quot;Get Naked and ...&quot;  The &lt;a href=&quot;http://www.wired.com/wired/archive/15.04/wired40_ceo.html&quot;&gt;articles&lt;/a&gt; essentially talk about how business can benefit from this new ultra transparency.  It is critical that we understand the fundamental issues underpinning this strategy and while printing the word &quot;Naked&quot; might sell more copies or get your email caught in a SPAM filter, it has little to do with the core factors of change.  &lt;/p&gt;

&lt;p&gt;Alvin Toffler would probably point to this article and claim that this is yet another transition that must happen to our economy as we move from the assembly line mentality of the industrial past to the software mentality of the information age.  He is right and to the people who still look at the future through rival-goods colored glasses, it is going to get really weird. &lt;/p&gt;

&lt;p&gt;I'd like to say to the readership of this blog that information technology practices are still being based on the machine models of the industrial age and the removal of these rival-goods glasses is not going to be a painless process.  Risk models based on keeping the business from running around naked are going to go the way of the dinosaurs.  This change is not technologically driven; it is epistemologically driven.  &lt;/p&gt;

&lt;p&gt;As I see it, the 'Get Naked' theme of this WIRED issue is entertaining but could be a little misleading.  The pattern is not that an outer layer 'thing' is being removed to show an inner layer 'thing' -  we are not removing the skin's skin to show skin; the pattern is that for the first time we are seeing the entity for what it truly is and that being a set of processes and not things.  The key shift is that the industrial age brought us an epistemological model based on things and nouns, and the information age is NOT about things and nouns but about processes and verbs with a focus on how an object comes in to being.  &lt;/p&gt;

&lt;p&gt;Businesses today must make the shift from securing &quot;things&quot; to securing &quot;processes that cause things to come in to being&quot;.  The efforts to take information and force it in to  a package that works with our non-rival economy (think DMCA) will not be the dominant strategy.  This shift from things to processes or from nouns to verbs has a profound effect on the risk models that exist today.  I continue to lead a team that is researching new models based on an economy of non-rival goods.  &lt;/p&gt;

&lt;p&gt;So when thinking about the nakedness of company X, try not to think in terms of a giant assembly of nouns that together make up an aggregate noun named company X; think about company X as a set of processes Y that at any point in time manifest themselves as company X.  The question then becomes not &quot;What is company X&quot; but &quot;How does company X continuously come in to being&quot;.  Understanding the latter requires a constructivist epistemology.  &lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2007/04/get_naked.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2007/04/get_naked.html</guid>
        
        
         <pubDate>Thu, 26 Apr 2007 13:08:36 -0800</pubDate>
      </item>
            <item>
         <title>SHIfT HAPPENS</title>
         <description>&lt;p&gt;When people think about information warfare, the image that comes to mind are hackers, worms, radio jamming, etc.  While these do make for good news-worthy topics, the real day-to-day war is done at cash registers and in places as mundane as the checkout line in the grocery store.  Let me replace the word &lt;em&gt;war&lt;/em&gt; with &lt;em&gt;game&lt;/em&gt; to describe in general the framing of some conflict.  In this posting, I would like to talk about the game patterns that Alvin Toffler pointed out in his book &lt;em&gt;Powershift&lt;/em&gt; published in 1990.  If you follow this pattern, you will see how power can shift once a common identifier is introduced and technology is leveraged to change the players advantage.  I conclude with the assertion that this shift will happen in the compliance marketplace and again it will be all about the advantage of information superiority.  &lt;/p&gt;

&lt;p&gt;In order to see this game play out, we have to go back to a period between 1950 and 1980.  It was a time when the balance of power had the giant manufacturers on the top and the wholesalers and retailers at the bottom.  The giant manufacturers had control of the market information and could claim information superiority.  These manufacturers had often over 50% market share and when their sales person came to call on a supermarket, the sales person did all the talking and the supermarket did the listening; they had to listen hard or else. &lt;/p&gt;

&lt;p&gt;The giant manufacturers were the experts.  It was also a time between the 50s and 80s when mass advertisement was their tool.  They controlled the airwaves during America's popular events like the World Series and the Miss America Pageant.  The point here is that the giant manufacturers controlled the &lt;strong&gt;information going to the consumer&lt;/strong&gt; and they also controlled the &lt;strong&gt;information collected from the customer&lt;/strong&gt;.  When I say that they had information superiority, I simply mean that the manufacturers knew more than any of their retailers about how, when, and to whom their products would sell.  It is important to note that they maintained this position by remaining &lt;em&gt;between&lt;/em&gt; the retailer and the customer.  &lt;/p&gt;

&lt;p&gt;Then something happened.  In April of 1973, a single standard code was agreed upon by retailers which we now know as the Universal Product Code (UPC) or simply the Bar Code.  The committee which brought this weapon to the game had no idea the impact it would have in the shift of power; they were trying to simply solve a problem of long checkout lines and some errors in accounting.  With all the products having this unified ID space, computer companies raced to bring to market optical scanners and infrastructure to make use of this bar code.  The bar code did much more than just help manage the checkout lines, it transferred power; it shifted the information superiority from the giant manufacturers to the retailers.  &lt;/p&gt;

&lt;p&gt;Let me stop here and say a little more about information superiority.  This does not mean that through the bar code, scanners, and computers, that they just acquired more data; more data does NOT mean information superiority.  Information superiority is when the proper synthesis and analysis is done with the data so that you can outwit or maintain just a marginal (knowledge) advantage in the game.  &lt;/p&gt;

&lt;p&gt;Given this transformation or shift in power, some of the giant manufacturers invested heavily in these analytical tools and proposed to the retailer (still in transition) that it would help them model and analyze their strategy if in turn the store would share the data with them.   &lt;/p&gt;

&lt;p&gt;Let us recap: lack of common identifiers, vendors having much more domain knowledge than the consumer, very little automation in the consumer's environment, and everyone but the consumer defining the game play.  Sound familiar?  The consumer must find a way to control the acquisition of that information (re-orient themselves in the game play) and be able to control what information is collected, synthesized, and analyzed.  They must achieve information superiority over their vendors and their adversaries.  &lt;/p&gt;

&lt;p&gt;If this makes any sense to you and you think this transition will help you, email me or post your comment.  These identification standards (common ID space like UPC) need to happen and they are not going to happen if we don't make them happen.  While those standards are stabilizing, we need to come together on automation.  Consumers need multi-vendor automation, not single vendor automation.  In closing, this is the information war or game I am most excited about fighting.  There is a long road ahead but with the perspective of the consumer, we can all make it through the transformation in a way that there is more value created for everyone.&lt;/p&gt;

&lt;p&gt;--tk&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2007/04/shift_happens_1.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2007/04/shift_happens_1.html</guid>
        
        
         <pubDate>Mon, 09 Apr 2007 10:48:31 -0800</pubDate>
      </item>
            <item>
         <title>Fair Division on TV</title>
         <description>&lt;p&gt;A few days ago I saw a TV commercial where a mother was sitting down with her two children eating breakfast (or it may have been lunch).  There was only one slice of bread left for their peanut butter toast so they began to argue on who would get the larger half.  She gave the first child the task of cutting and the second child the first opportunity to pick which half he wanted.  &lt;/p&gt;

&lt;p&gt;This is the 1996 Brams and Taylor &quot;Fair division&quot; contribution to society.  I recently sat on a panel at a conference and used it in one of my examples.  Unlike the TV commercial, it is described in the Brams and Taylor book with cake cutting and not peanut buttered toast.  &lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://books.google.com/books?id=cLUA-sRhJ5QC&amp;printsec=frontcover&amp;dq=%22Brams%22+%22Fair+Division:+From+Cake-Cutting+to+Dispute+Resolution%22+&quot;&gt;S.J. Brams and A.D. Taylor, Fair Division: from cake-cutting to dispute-resolution, Cambridge, 1996.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.amazon.com/exec/obidos/ASIN/1568810768/ref=nosim/weisstein-20&quot;&gt;J. Robertson and W. Webb, Cake-cutting Algorithms, AK Peters, 1998.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I have often wondered why we have not seen this type of fairness pattern show up in IT workflow.  Next time you have a fairness problem, either technical or social, see if what game theorists call 'envy-free' strategies will help you.  &lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2007/03/fair_division_on_tv.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2007/03/fair_division_on_tv.html</guid>
        
        
         <pubDate>Thu, 08 Mar 2007 04:14:52 -0800</pubDate>
      </item>
            <item>
         <title>An industry blindspot</title>
         <description>&lt;p&gt;Over the past 8 years or so, the good people at the MITRE Corporation have contributed a set of identifiers that have proven to be very useful to the information security industry.  With more on the way, I'd like to share with you my thoughts.  Before I begin, I hope these comments are not taken in a negative manner.  I have the deepest respect for these people and support them 100%.  All of their energy and talent goes in to making our industry more efficient and accurate so next time you're at a trade show and see the MITRE booth, say hi and say thanks.  &lt;/p&gt;

&lt;p&gt;Everyone is familiar with CVE but you may not have heard of some of the others.  I don't know if this is the complete list:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://cve.mitre.org/&quot;&gt;CVE&lt;/a&gt; - Common Vulnerabilities and Exposures &lt;br /&gt;
&lt;a href=&quot;http://cve.mitre.org/cce/&quot;&gt;CCE&lt;/a&gt; - Common Configuration Enumeration&lt;br /&gt;
&lt;a href=&quot;http://cpe.mitre.org/&quot;&gt;CPE&lt;/a&gt; - Common Platform Enumeration &lt;br /&gt;
&lt;a href=&quot;http://cwe.mitre.org/&quot;&gt;CWE&lt;/a&gt; - Common Weakness Enumeration&lt;br /&gt;
&lt;a href=&quot;http://cme.mitre.org/&quot;&gt;CME&lt;/a&gt; - Common Malware Enumeration&lt;/p&gt;

&lt;p&gt;&lt;em&gt;(I'll refer to all of these as CxE's representing a set containing these members) &lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The value proposition is that if we all honor these namespaces, we can be assured common identifiers and therefore interoperate with greater precision; when any one of these enumerated objects is referenced either socially or technically, a unique identity is referenced.  Other industries have faced this problem and have come up with very useful identifiers that help them address this problem of identity.  Could you imagine what the book industry would be like without an &lt;a href=&quot;http://www.isbn.org/standards/home/index.asp&quot;&gt;ISBN&lt;/a&gt; number?   Or how about the retail industry and its complex supply chains not having a &lt;a href=&quot;http://en.wikipedia.org/wiki/Universal_Product_Code&quot;&gt;UPC (Universal Product Code)&lt;/a&gt;?  There is a pattern and that is what I am here to talk about. &lt;/p&gt;

&lt;p&gt;The pattern is a category or set containing members that are uniquely indexed.  What is interesting is how common this pattern is in every system.  What is enumeration and why is this pattern so useful?  The dictionary says:&lt;/p&gt;

&lt;blockquote&gt;enumerate&lt;br&gt;
     v 1: specify individually;&lt;br&gt;
        2: determine the number or amount of; &lt;/blockquote&gt;

&lt;p&gt;I like to look at the pattern and appreciate its form.  We create categories because we like to group like objects.  Given any number of objects, we spend cognitive cycles trying to fit them into a set based on some attribute[s].  At the logical level of category there is a loss of individual identity; categorization is really just a cognitive difference-filter.  At any point in time, we can jump from the flat category back down to the individual member by its ordered or unordered index.  The beauty is in how simple and useful this pattern can be, that is as long as your definition of the problem is simple.  What happens when it is not so simple?  &lt;/p&gt;

&lt;p&gt;Are you still with me?  Let's skip ahead 3 years and suppose there are not five common enumeration namespaces but let's say that there are twenty or thirty?  Are we better off?  When does it end?  At which point do these common enumerations need their own common enumeration: CCEE - Common Common Enumeration Enumeration?&lt;/p&gt;

&lt;p&gt;What I am going to say right now is not meant to diminish the value of CxE's, it is to ensure that we can continue their success.&lt;/p&gt;

&lt;p&gt;The next step is to formally build the RELATIONSHIPS between these objects.  There is still value in these CxE namespaces ensuring a unique identifier but there is greater value to be gained by formally declaring how they are all related.  Which platform (CPE) is related to a CCE (configuration) or CVE (vulnerability/exposure)?  What you would end up with is an ontological representation of the information technology domain.  I've spent the past 6 years thinking about this problem and have a few ideas to share on how to pull it off.  To be ultimately useful and sustainable, it would have to be: &lt;br /&gt;
 &lt;br /&gt;
-- cared for by an entity that had international appeal &lt;br /&gt;
-- cared for by an entity that has no commercial interest&lt;br /&gt;
-- the ontology delivered in a machine-readable feed &lt;br /&gt;
-- distributed authoring of relational properties&lt;br /&gt;
-- based on a social networking technology that binds the community together &lt;/p&gt;

&lt;p&gt;Our industry requires this to move to the next level of evolution.  The value is not in the object, it is in the stable relationships that object has with other objects.  Who's with me?  Let's get started!&lt;/p&gt;

&lt;p&gt;--tk&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2007/03/an_industry_blindspot.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2007/03/an_industry_blindspot.html</guid>
        
        
         <pubDate>Wed, 07 Mar 2007 04:21:51 -0800</pubDate>
      </item>
            <item>
         <title>Dropping Anchor</title>
         <description>&lt;p&gt;Behavioral economists claim that people rely on what they call 'anchors' when making decisions.  Essentially, it is an arbitrary bit of information within a domain that a person first used to orient themselves to the state of affairs.  For example, the price of a stock when they first purchased it.  As new information streams in, they will always refer back to this initial purchase  as an 'cognitive anchor'.  Even far in to the future,  decision to some degree are still based on this anchor.&lt;/p&gt;

&lt;p&gt;In our decision making process, our ability to understand the ratio between what we know and what we are about to learn is where the party is happening.  This is the difference that makes a difference and is fundamental to how we perceive and then understand change. How we understand change is core to decision making.&lt;/p&gt;

&lt;p&gt;As we form new ways to communicate risk related information throughout our organizations, we should take some time to understand their cognitive anchors.  Useful questions include: When this person experiences this new information, what prior knowledge or what anchor will they be using to form their understanding?  If we have the privilege of it being the first time they experience this information, what will be the most appropriate anchor for future updates?&lt;/p&gt;

&lt;p&gt;Magicians are craftsmen in carefully dropping these anchors so that your understanding is being tailored by their actions and under their complete control.  Let's take that magic and invert it.  Let's make sure that our audience has the most appropriate anchors so that they are not being misled but informed on the possible and plausible outcomes they face in their decision making process.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/patterns/archives/2007/03/dropping_anchor_1.html</link>
         <guid>http://blog.ncircle.com/blogs/patterns/archives/2007/03/dropping_anchor_1.html</guid>
        
        
         <pubDate>Tue, 06 Mar 2007 05:50:49 -0800</pubDate>
      </item>
      
   </channel>
</rss>
