I am doing an MSc on Computer Security and it is time to choose a subject for my thesis. I am not any good in programming (my BSc was on Engineering, not Computing), so I want to avoid it.
So, my options are basically restricted to Security Management. This includes things like making security policies, creating security-related frameworks and Information Warfare (aggressive use of information).
Any help (e.g. pointers to more specific subjects) would be appreciated.
I’m curious - how can you do an MSc on Computer Security, but not be good at programming? If I had not been good at engineering they wouldn’t have even let me into graduate school - they would have kicked me over to business or law. Or is this a non-US graduate degree (in which case, I guess it makes sense)?
Second, to actually help you out…a large, large amount of the computer security aspect is human factors. You could try to do something like:
“The Role of Human Factors in Computer Security” - an investigation into the alarming levels of computer security failures resulting from human factors, including negligence, loss of data, theft, interception, social engineering, phishing, and criminal threats and intimidation. The goal is to prove that these human factors continue to represent a very large threat to computer access and computer data security, and to present case studies, tests, examinations, and surveys supporting this proof. Finally, suggestions and guidelines will be developed to enable active and passive avoidance of human-driven computer security failures, continuous monitoring and change management of security practices, emergency responses to failures of security, and human-factor security breach event forensics.
I’m also curious, as I’m in the network security business, and I don’t know anyone in the technical end of it that doesn’t know how to code. When you say “engineering, not computing”, do you mean that you studied hardware design instead?
Knowing what you’re actually studying could help propose a thesis. What sorts of advanced courses did you take for this major?
The BSc was good old Electronics Engineering. Lots of analogue and electric stuff, some things on manufacturing (photolithography, semiconductors) and just a little digital logic, computer architecture, assembly and C++.
The MSc is quite practical. It is mostly geared towards making the correct decisions in securing a system for managers and administrators. The modules include security management, cryptography, network security and practical windows and unix security. A good understanding of protocols and OS architecture was required, but no need to write your own code.
I have programmed in the past, but I don’t have enough confidence in my programming skills, so I want to avoid it if possible.
The purpose of this MSc is the managerial/administrative end not the technical one. Maybe only half of the students there have an IT background. I believe most of the rest are from Business and Economics schools and there are even some police officers there (they are trained to outfit a computer crime unit).
Sounds like human factors might be a good approach, like I mentioned above. You could even do a practical experimental portion of it, such as surveying students, or trying to see how easily they can be “tricked” into giving away a password (you’d have to be very careful setting this up, so as not to violate any privacy laws or morals…something where the password is fake to begin with…)
Most of the interesting problems in security involve breaking something, i.e. figuring a way to get past something that’s designed to hold you out. And this would also be a good (and enjoyable) thesis to write as well, having a go at breaking through some system.
Una Persson has a very good suggestion, breaking (or investigating the breaking of) the human aspects of security. Another area with interesting holes that requires minimal coding effort is wireless security.
As you likely know, Bruce Schneier writes a free monthly newsletter with a lot of interesting topics in the space. You may want to check that out as another idea source.
I find the concept of a honeypot very interesting. Basically, a company sets up a decoy server, allows it to be hacked, and researches what the hackers are doing.
If you’re interested in the social engineering aspects that Una mentioned, you might check out Kevin Mitnick’s work. He’s a convicted criminal in this field, but has published some very interesting stuff on how he exploited people to break security (basically call up, be charming and ask for confidential info). His work might serve as a starting point or at least keep you from repeating something that is already common knowledge.
If you’re more interested in the people and policy issues than trying to break things, it might be interesting to study usability issues in preventing social engineering. What could be done from a system standpoint to get non-technical users to quit executing every email attachment they receive? What can be done to get a non-technical user to ignore spam? Technical solutions like server-based virus scanners and spam filters don’t work well enough or we wouldn’t have these problems anymore. We need to train people without making them feel like they have to become IT gurus just to do it right. In every company I’ve seen, there is a huge gap between policy (don’t execute attachments) and reality (oooh, somebody loves me. I’ll click that!). If your interests are management, these are important issues you could address.