I wish I were back in school, because there are so many choices out there for a good project. Here are some suggestions for you:
* The basis for all security is policy and how to create an effective one for all levels -- executives, network professionals, system administrators and consultants. How do you build a change management program to stem security flaws that lead to potential vulnerabilities?
* How do you educate employees for security awareness? Where does that begin? How does a resource-starved business unit build a plan to test the level of information security? (I could go on, but I think that's a good start)
* Could or should the mission of CISOs be to raise the level of information security in the enterprise? How do they get there? What does it take to build an effective program? How do you transform a network specialist into a network and security specialist?
* Viruses, worms, Trojan horses -- What's next? Add IP/URL spoofing and identity management to the first three, and now things are getting deep. If these issues are the next threats, what should companies be doing to head this off at the pass?
* Security event correlation and alert response: How does a company build a plan, and what metrics (if you can find any) can be applied?
Also, take a look at the security books being published today to see what's popular and go from there. Good luck!
This was first published in September 2003