信息安全专业essay/report/assignments/paper/research代写 -Code

信息安全专业essay/report/assignments/paper/research代写

MSc in Information Security

Project Handbook

Contents

• 1 Introduction
  • 1.1 Objectives of the project
  • 1.2 Purpose of this guide
  • 1.3 How to use this guide
  • 1.4 Regulations
• 2 Choosing your project topic
  • 2.1 Main pitfalls
  • 2.2 Where to begin
  • 2.3 Adding value
  • 2.4 Establishing your project plan
  • 2.5 Specifying objectives
  • 2.6 Identifying methodology
  • 2.7 Developing a work plan
  • 2.8 Practical projects
    • 2.8.1 You must learn something from the practical work
    • 2.8.2 You must have the necessary skills (or support)
    • 2.8.3 You will largely be assessed by your report
    • 2.8.4 You must have contingency plans
  • 2.9 Work-based projects and placements
  • 2.10 Completing the Project Description Form (PDF)
  • 2.11 The Preliminary Literature Review
• 3 Project methods
  • 3.1 Main pitfalls
  • 3.2 Literature searches
  • 3.3 Using external assistance
  • 3.4 Making contact
  • 3.5 Interviews
  • 3.6 Surveys and questionnaires
  • 3.7 Case studies
  • 3.8 Practical components
  • 3.9 Collecting and documenting data
  • 3.10 Drawing conclusions
• 4 Producing your project report
  • 4.1 Main pitfalls
  • 4.2 Length of the project report
    • 4.2.1 How long should my project report be?
  • 4.3 Format of the project report
  • 4.4 Presentation
    • 4.4.1 General issues
    • 4.4.2 Structuring your report
    • 4.4.3 Figures and tables
    • 4.4.4 Presenting specialist terms
  • 4.5 Writing style
    • 4.5.1 Intended audience
    • 4.5.2 Spelling and grammar
    • 4.5.3 Use of language
    • 4.5.4 Expression
    • 4.5.5 Flow of text
  • 4.6 Content
  • 4.7 Referencing – Purposes of referencing – Choosing sources to reference – Format of references
    • 4.7.1 Examples:
    • 4.7.2 Examples:
      • Citing references
      • Bibliographies
      • Cross-references
  • 4.8 A note on the use of cut and paste
• 5 Your project supervisor
  • 5.1 Main pitfalls
  • 5.2 Role of the project supervisor
  • 5.3 Selection of your supervisor
  • 5.4 Working with your supervisor
  • 5.5 Project drafts and your supervisor
• 6 Assessment of your project
  • 6.1 Main pitfall
  • 6.2 The assessment process
  • 6.3 Assessment criteria
• 7 The project process
  • 7.1 Main pitfalls
  • 7.2 Phases of the project process
  • 7.3 Submitting your project report
  • 7.4 Policy on late submission
  • 7.5 How to get help
  • 7.6 Warning and wishes
    • 7.6.1 Warning
    • 7.6.2 Wishes

Acknowledgement

Thanks to Mrs Sarah Abu Ghazalah for assisting with the conversion to Latex. Thanks to Chris Mitchell for providing valuable suggestions and improvements. Thanks to Keith Martin who wrote the first version of this document.

Version Control

Version AFOctober 2017, Modified by MA.

Version AESeptember 2015. Modified by KM.

Version ADSeptember 2014. Modified by KM.

Version ACSeptember 2013. Modified by KM.

Version ABSeptember 2012. Modified by KM and CJM.

Chapter 1

Introduction

The project is probably the component of the MSc Information Security pro- gramme that gives rise to the most queries from students concerned about what is expected of them. It is also a component of the MSc that many students appear to misunderstand, both in terms of the nature of the work involved and the nature of the report that has to be produced. Interestingly it is also the component of the MSc that polarises students the most some students fear the project while others cannot wait to get started!

Whether you fear the project, or cannot wait to get started, it is extremely im- portant that you understand what is expected of you during the project process. It is therefore essential that you pay close attention to all the information and advice available to you regarding the project.

Lets start with something to think about.

1. The project counts for 1/3 of your mark on the MSc Information Security programme.
2. To pass the MSc you must pass the MSc project with at least 50%.

Do you find this idea slightly alarming?

Well you should at least be slightly alarmed! The project is a substantial component of the MSc programme. Fortunately there are two very simple rules that can help you overcome many of the problems associated with conducting the project.

1. Read this project guide before you start work.
2. Follow all advice contained in this project guide.

Following these two simple rules does not guarantee you a good mark for your project but it should help you to avoid receiving a poor one! In the rest of this introductory section you will find out what is expected of you during the MSc Project and how this project guide can be used to assist you.

1.1 Objectives of the project

So what are you actually being asked to do?

On completion of your project you are expected to have demonstrated your ability to perform the following three skills:

1. Skill 1: Work independently on an information security-related project for which you have defined the objectives and rationale. In other words you are being asked to: – work independently. What it does means is thatthe project report must be based on your own work, be written in your own words, and present your own considered ideas on your chosen topic. – work on an information security-related project. This is an MSc in Information Security, so your project must be mainly con- cerned with something to do with information security! Of course it may contain necessary background information that does not directly concern information security and it may involve components of work that are only indirectly relevant to information security. However, the objectives of the project, the bulk of the work, and the majority of the report must be concerned with something (anything!) to do with information security. – have defined objectives and rationale. A project must be a well-defined unit of work. You must clearly define what your project achieves and you must explain why these objectives are worthy and relevant. In other words, you must explain clearly what you have done, and why. 2.Skill 2: Apply knowledge about aspects of information security to a particular problem, which may be of an engineering, ana- lytical or academic nature.

What you are essentially being asked to demonstrate here is the ability
to absorb information concerning information security (from course mate-
rials, resources, experiences, information exchanges) and thendo some-
thing with itby applying it to a particular problem. You are therefore
being asked to add value to the information that you have gained during
the rest of the MSc programme.
There are many different ways in which you can add value to the infor-
mation that you have gained on the programme. These can be by nature:

• Engineering. For example, conducting practical experiments, im- plementing something, designing an architecture, applying theory to a practical environment (such as writing a security policy), etc.
• Analytical. For example, comparing different approaches to solving a problem, conducting a critique of a particular methodology, investi- gating whether a particular solution is appropriate for an application, assessing standardisation work, etc.
• Academic. For example, a comprehensive overview of a subject area not addressed in detail elsewhere on the programme, theoretical research, etc.

All projects are expected to add value  good projects typically
add value in several different ways.

3.Skill 3: Produce a well-structured report, including introduc- tion, motivation, analysis, and appropriate references to exist- ing work. Regardless of how much good work you put in, how many hours you burn, and how much stress you generate, you will ultimately be assessed largely on the strengths of your project report. Your ability to produce such a report is an assessed objective of the project process. In other words,assessors will be examining both the content of your project work and your ability to write a report.We will discuss the project report in much more detail later, but for now you should recognise that the basic expectations of the report include that it:

• is well-structured. The report needs to be organised in a logical way.
• has an introduction. The report is sufficiently self-contained that someone with some basic information security background can un- derstand what your project topic is about.
• has motivation. The project topic is clearly justified.
• contains analysis. Whatever else it does, the report must include a critical analysis of the chosen subject area that shows that you have extended your source material in some way. This analysis must also show that you appreciate how the topics discussed in your report relate to one another, and to the rest of information security.

• has appropriate references to existing work. This is an es- sential feature of the report. Remember that you need to be able to demonstrate that the report is your own work, that you have ex- tended the source materials and that you understand the subject area. One of the main tools for demonstrating these is the use of appropriate referencing. This is much more than listing resources at the end of your project. You must therefore make sure that you understand how to use references.

1.2 Purpose of this guide

This project guide has four main purposes:

1. To explain the project process.
2. To help you to choose a project topic.
3. To help you to conduct your project.
4. To help you to write your project report.

The guide is divided into seven chapters, as follows:

1.IntroductionThis chapter, which introduces the project and explains
how to use this project guide.

2.Choosing your project topicHow to choose a suitable project topic.
Includes advice on what types of topic are suitable, the pitfalls involved
with different types of project, and how to develop objectives for your
project.

3.Conducting your projectDiscusses different research techniques and
methodologies that you might employ during your project. How to docu-
ment your work and draw conclusions.

4.Producing your project reportAdvice on how to produce your project
report. This includes what should be in your report, how to structure
your report, how to format your report, presentation advice, and issues
concerning writing style. Importantly, it also contains advice on how to
use references.

5.Your project supervisorEvery student enrolled for the MSc Project is
allocated a project supervisor. This chapter explains what to expect from
your supervisor and gives advice on how to make the most of this support.

6.Assessment of your projectHow your project will be assessed.

7.The project processThis section explains the project process. In par-
ticular it identifies what you should be doing when, and includes details
about the administrative processes involved.^1

1.3 How to use this guide

We recommend that you read this guide from cover to cover before you commence any further activities concerning your project.

You should then keep this guide at hand throughout your project, re-reading relevant chapters when appropriate. In particular you should re-read the chapter on producing your project report before you do any writing.

Although this guide is intended to be fairly self-ontained, it is always wise to use as many sources of advice as you can when conducting your project. Supplementary sources include:

• Your project supervisor. Your project supervisor can help with advice on all aspects of the project process and should be your first port of call with any further queries that you have about any aspect of the project process.
• Past project reports. Each year a range of very good MSc projects are selected and are available fromhttps://www.royalholloway.ac.uk/ isg/research/technicalreports/technicalreports.aspx. You will have to look for the documents with the following entries Comments:MSc Thesis or Comments:Search Security Award winning project.
• Other project guides. There are several books published on conduct- ing projects and writing reports. Please use such project guidance as supplementary to, but not as an alternative to, this Project guide.While many aspects of project work and project writing are com- mon to different types of project, there are also many aspects that are particular to the MSc Information Security project that you are conduct- ing. Information in this Project guide should take precedence over alternative advice.If in doubt, ask.

1.4 Regulations

Before you commence your project, please make sure that you are familiar with the relevant regulations. These can be found in the Regulations Governing Ex- amination and Assessment Offences, available from the College Registry web

(^1) At the start of each chapter we provide a summary of the main pitfalls that have been associated with the relevant aspect of the project process, based on our experience of previous MSc projects.

site. These are linked from http://www.rhul.ac.uk/isg/informationforcurrentstudents/mscproject/ formsandtemplates.aspx

In particular, please make sure that you are familiar with the explanation of plagiarism given in Section 1 of the Regulations Governing Examination and Assessment Offences. Plagiarism is an examination offence and may have serious consequences.

Chapter 2

Choosing your project topic

Despite the fact that it sounds so straightforward, choosing your project topic can often be the most challenging part of the project process. Note that choosing the project topic does not just involve choosing the subject matter, but also includes defining clear project objectives and defining a project work plan. Once you have chosen the right project topic the rest is often much easier!

In this chapter we discuss how to get started, how to go about specifying project objectives and we help you to develop a working plan for your project.

2.1 Main pitfalls

• Project topic too broad
• Lack of preliminary research
• Failure to define clear objectives

2.2 Where to begin

The first step is to decide what subject relating to information security you wish to concentrate on for your project. There are no restrictions on this, so long as information security is a central feature of your chosen project topic.

Choosing the subject matter is a very individual part of the project process but, if you are struggling to decide where to begin, here are some possible ways of coming up with subjects:

• Subjects that interest you. This is by far the best way of choosing a subject. You are going to invest a considerable amount of energy and

time in your project, so it makes sense to choose something that you are
really interested in. What would you love to know more about? What
aspects of information security fascinate you?

• Relating subjects to your existing expertise. You are almost cer- tainly more familiar with some aspects of information security than others. This has two consequences: – It may make sense to choose a subject that plays to your existing strengths. – Alternatively, you may want to use the project to enhance your knowledge of a subject area which is new to you.

Think about what you already know, and what you would like to know,
and decide how best to invest time and energy in the project.

• Subjects of timely interest. Information security is a rapidly evolving subject and it is inevitable that some technical or commercial issues have not been covered adequately in the course materials because they are very recent. You might like to choose a subject that falls into this category, applying the knowledge that you have gained from the programme to this subject area.
• Subjects that are presented to you. Many students decide to work on projects that have been proposed to them by third parties. Such parties might include your employer or an organisation that you have contacted about project work.
• Subjects that you would like to be seen to have expertise in. Some students select a subject that they believe future employers would be interested in. This is not always the best way of selecting a subject, but it is true that many potential employers are likely to be interested in what you did for your project.Note that it is almost certainly better to be able to enthuse about a successful project that interested you than about a relatively unsuccessful project on a trendy subject that did not interest you.

In order to indicate the variety of different project topics that students choose, we have provided a list of some previous titles in Appendix A.

Note that there is no requirement for your project topic to be ab- solutely unique similar projects may well have been conducted by students in the past. However it is vital that your project report is original and not based on any previous report.

2.3 Adding value

It is important that your project contains a degree of novelty. Note that by requesting a project to be novel we are not requiring you to conduct a project on a subject matter that nobody has ever done before. We are requiring, however, that you do much more than just reproduce existing material on a subject.

This novelty, which we call adding value, is when you demonstrate your in- formation security skills by applying your existing knowledge. As value can be added in many different ways, it is difficult to specify exactly what added value is. As a guide, added value is the combined answer to questions such as:

• What is interesting about your project?
• In what ways has your project extended source materials?
• What is new about your project?
• In what ways was this a challenging project?

More specifically, added value can be provided by activities such as the following:

Exploring a subject not covered in the course material

You certainly have a better chance of adding value if you choose a subject area that has not been covered in the basic course material. This is because you have to apply your own skills to analyse the security issues that arise in this area. However, you must still demonstrate that you have extended the source material that you base your project on.

Looking at a subject from a new perspective

There are many different ways of looking at subject matter. One way of adding value is to examine something from a new perspective. This might happen when you take knowledge in one area and apply it to another. It might also happen if you examine a subject area applied to a particular type of environment.

Practical work

The modules of this MSc programme are, by the very nature of the course, largely theoretical. One way of adding value in the project, therefore, is to con- duct some practical work. This normally involves the application of theoretical information security within a practical (real) environment, and could involve

implementation work. Although this is a good way of adding value, there are some particular issues with this type of project, which are dealt with later in this chapter.

Conducting analysis

It is inevitable that you will have todescribethings in any MSc project, but this in itself rarely demonstrates application of knowledge, as good descriptions of most information security subject matter can be found in existing literature. However,analysingthings is a quite different activity. Analysis involves using knowledge and applying it in a subjective, but carefully argued, way. Examples of analysis activity include comparing and critiquing things. Analysis is a pro- cess that normally adds value and every project should involve some analytical work.

Providing a comprehensive overview

Every project should include a short overview of material relevant to the subject matter. It is however possible to conduct a project that entirely consists of an overview of a particular topic. In this case the added value comes from the relevance and stress that you have placed on the various topics covered. This must be done well if you are to add value, and so projects of this type need to be both comprehensive and of high quality if they are to succeed.

Warning: many projects that attempt only to add this type of value achieve disappointing results.

Original research

You are not being asked to conduct a research project. That said, there is no doubt that conducting original research does add considerable value to a subject area. However this only happens if it is sensible research and achieves some genuinely new and original results. You should thus only choose a research project if you are confident that you are able to conduct such a project and have discussed this carefully with your supervisor.

There are many other different ways in which you can provide added value within a project. As soon as you have a subject matter you must begin to think how you could add value to it. It is worth keeping in mind that good projects usually add value in several different ways.

2.4 Establishing your project plan

Once you have established a subject area (or perhaps a few different subject areas) that you would like to work in, your first problem is to determine whether a project can be developed in this area that has the potential to meet both your own interests and the academic requirements of the MSc programme. There are three stages to this process:

• Developing your ideas. Think your project ideas through in some detail. Establish what information you might need to get hold of. Think about what you would like to achieve during your project.
• Conducting a small-scale feasibility study. Conduct a basic litera- ture search, establishing what is already known about the problem. Think about how you could add value to this knowledge.
• Specifying objectives. Determine some specific objectives that your project would aim to achieve. These will define your project and we discuss this in more detail in the following section.

If you have more than one project topic in mind then you may find it helpful to go through the above process for each of the ideas that you have. This will almost certainly help you to decide between competing ideas.

The end product of this process should be completion of theProject descrip- tion form, which includes a working title, a statement of your objectives, your planned methodology and a rough work plan. We will now comment on these areas in more detail, as well as indicate some issues that arise with special types of project.

2.5 Specifying objectives

Specifying objectives is one of the most important parts of project planning. Objectives specifywhatyour project is going to achieve. There are three rea- sons why establishing clear objectives is vital to a successful project.

• Objectives provide direction. If you ever feel lost and unsure what you are supposed to be doing you should be able to turn to your objectives and refocus your project work.
• Objectives define the scope of your report. If your objectives are too vague then your scope is likely to be too broad. Likewise, if your objectives are too narrow then you may not have sufficient material for a project.

• Objectives concisely describe measurable goals. When the project is complete anyone (including yourself) should be able to clearly identify the extent to which your project was successful. Objectives provide the benchmark against which the success of your project should be measured.

There is no limit to the number of related objectives you might specify for a project, but typical projects have between one and five. The most important thing is that you have some! It is surprising how many projects fail to clearly specify measurable objectives. These projects typically lack focus and direction, and receive poor marks as a result.

The easiest way of identifying objectives is to define your project topic in terms of any of the three following concepts:

1.Questions. An objective can be defined as a question that your project
is going to answer.

2.Problems. An objective can be defined as a problem that you are going
to solve.

3.Hypothesis. An objective can be defined in terms of a hypothesis that
your project is going to attempt to provide evidence for (or against).

One of the main advantages of clearly specifying objectives is that they define the scope of your report. The single most common mistake that students make when developing a project plan is that the scope of their project is too broad. This either results in:

• a project that covers a large quantity of material in insufficient depth. The result is a shallow project that lacks substance, has very little added value, and is likely to receive a poor mark.
• a project that is far too long. Not only are such projects a waste of effort, but they are in fact failing to satisfy the project requirements. The approximate length of a project report is specified (see Chapter 4). Significantly exceeding these guidelines may affect your project mark.

2.6 Identifying methodology

When you develop your project plan you will be asked to identify the methods that you intend to use. In other words, you are being asked to think about how you are going to conduct your project.

Of course, you wont know at this stageexactlyhow you are going to conduct your project, but you should at least start to think about it. The reason that

you need to start identifying possible methodologies is because you need to make sure that your intended project is possible within the allocated timeframe, and that you will have sufficient resources to conduct it.

The following is a (by no means exclusive) list of possible methods that you might use:

• Literature searches. Every project will need to commence with a liter- ature search (libraries, research articles, Internet etc.) to establish what information is known about the subject matter.
• Contacts. You might consider contacting relevant experts or organisa- tions for advice during your project.Note that you need to work out whether such contacts are going to be able to help you before you complete your project plan (not afterwards). Security-related information is often something that it is not easy to obtain.
• Surveys. It might be appropriate to conduct a survey during your project, perhaps through interviews or questionnaires.
• Case studies. Many projects feature at least one case study, where the subject matter is examined in a more precisely defined environment.Note that you must find out in advance whether it is likely that you will be able to obtain the information required for a case study.
• Experiments. In some cases it might be appropriate to run an experi- ment, which in information security is more likely to be a trial of some methodology or software than a true scientific experiment.
• Implementations. Even if your project does not focus on implementa- tion work, it might be appropriate to include an implementation to support the rest of the project.

Some of these methods are discussed in more detail in Chapter 3. Once you have identified a suitable methodology you need to ask yourself whether you believe that it will result in you obtaining the information necessary to complete your project. Be prepared to defend your chosen methodology why do you believe that it will suffice? If in doubt, consult with your supervisor.

2.7 Developing a work plan

Although it is often difficult to determine accurately, it is important to develop a rough work plan that indicates any key milestones in your project (completion of literature search, first prototype of demonstrator, deadline for questionnaire responses etc.) and when you would hope to achieve them. You should also think about the time you will need to write up the project report and when you

might produce any early drafts. It is easy to wildly underestimate the amount of time needed so leave yourself ample time to deal with the unexpected.

2.8 Practical projects

Conducting practical work as part of your project is certainly one way of adding value to a subject. There are however several important issues that you must be aware of before you formulate a project plan that involves a significant amount of practical work.

2.8.1 You must learn something from the practical work

While the value of practical work within an MSc project is recognised, it must be meaningful. It is important to be able to justify that the practical work is relevant and that you will learn something about information security as a result of doing it. (An implementation on its own may well not satisfy these criteria.)

2.8.2 You must have the necessary skills (or support)

Due to the nature of practical work, especially in a distance learning environ- ment, it is unlikely that your project supervisor will have the skills to support the practical side of your project. You must therefore either already have the necessary skills, or have access to people who can support you should you en- counter difficulties. If you do not yet have the necessary skills, but intend to acquire them before (or during) the project work, then you must make sure that you have allocated sufficient time for this purpose. This needs to be identified in your project plan.

2.8.3 You will largely be assessed by your report

If your project is very practical by nature, you must keep in mind that you still need to write a project report. Further, it is this report (and not all that wonder- ful practical work that you conducted) that will form the basis of the assessment of your project. It is thus very important that you allocate sufficient time to produce your report and that it reflects accurately the amount of practical work that you conducted. For example, if your project was based around an implementation then you might have sections concerning (for example) background theory, justification for choosing to implement, architec- tural design, testing and performance analysis.

2.8.4 You must have contingency plans

Projects go wrong, plans change. However this is probably a more serious problem for practical projects, where any number of completely legitimate cir- cumstances can lead to the project failing to achieve key objectives. This is particularly true if parts of your project rely on the input of other people. All projects should have them, but practical projects need contingency plans. You must try to establish what could go wrong, and what changes you might make to your project should difficulties be encountered at various stages in the process. How might you refocus the project? To what extent are partially achieved objectives meaningful? If at the last minute it all falls apart, or doesnt work, do you still have something to write a report about?

Practical projects are to be encouraged, but extra care needs to be taken at the planning stage. Take the time to formulate a careful plan and consult your project supervisor.

2.9 Work-based projects and placements

Many students choose to conduct their MSc project with the additional sup- port of an organisation. For many students this organisation is their current employer. Students who are not in full-time work are also often supported by organisations, whether through full-time placements or through more modest support activities. Although it is not necessary to conduct your project with another organisation, there are significant advantages:

• Projects conducted with organisations are likely to be more practical in nature. The organisation provides a context within which it may be much easier to focus and direct a meaningful project.
• Conducting a project with an organisation may provide you with access to resources that would otherwise have been unavailable.
• If that organisation is your current employer then you may be able to balance work commitments against study commitments by conducting a project that is in the interest of both. This will save you time and may bring mutual benefits to both yourself and your employer.
• Students not in full-time work often use project collaboration with another organisation to gain some work experience and explore possible future employment opportunities.

There are, however, a number of issues that you must address carefully before committing yourself to an MSc project that is based primarily on work with an organisation.

• The work expected of you by that organisation might be different to the requirements of an MSc project. This is particularly true when the ex- pected outcome of both is a report. Some common differences between work reports and an MSc project report are: – An MSc project requires a substantial literature search and back- ground setting, while a work report is often shorter and more focused. – An MSc project must feature a substantial bibliography and include scientific referencing, while a work report may not require any refer- encing. – An MSc project should be impartial, while work reports may be influenced by political and commercial pressures. – An MSc project often requires a balanced analysis and may have open conclusions, while many work reports require recommendations.

(Thus in extreme circumstances you may actually end up having to write
two different  but related  reports!)

• An organisation may ask you to be involved in activities that are not directly related to your MSc project work. While these may be interesting, they may also lead to competition for your time.
• If you are working as part of a team then it may be difficult to extract a component of work that you can honestly regard as independent work. This is something that you need to discuss carefully with both your project supervisor and the organisation concerned before you commence such a project.
• The work that you perform may be commercially sensitive and so any non- disclosure issues need to be addressed right at the start of your project. While it is possible to restrict public access to your final project report, your MSc project report must be made available to examiners for assess- ment purposes. Be aware that an organization may not allow you to use in your project all the information that they provide you or that you generate as an employee or an associate.
• Work-based projects and placements typically require the involvement of other people in aspects of your project. In this case it is extremely im- portant to plan effectively, obtain firm agreements if necessary, and cer- tainly to make contingency plans in case other parties are unable to deliver what you expect from them. Do not rely on an organization to meet the timetable that the project follows.

Conducting MSc project work with another organisation can be extremely re- warding. If you wish to seek such opportunities then it is largely up to you to create these opportunities yourself. In some cases your supervisor may have suggestions for contacts, and in some cases Royal Holloway is contacted directly

by organisations seeking students. However if you are keen to involve organ- isations in your project then it is safest to assume that you need to take the initiative and explore possible contacts yourself. Begin this process as soon as you can.

2.10 Completing the Project Description Form (PDF)

The main problem that you will have at the beginning of the project process is vagueness. Even when you are relatively certain about the general area you wish to pursue, you will have probably have some difficulty in setting out a concrete proposal and a definite plan of work. This is natural at the beginning, but you must move, as soon as you can, to a definite proposal. Most proposals are too ambitious initially. There is nothing wrong with being ambitious, but you must try to avoid being too ambitious.

A project with limited objectives carried through systemat-
ically, in depth, normally impresses the examiners consid-
erably more than one that covers a wide area superficially.

Students should arrange to meet their supervisors regularly (between January to March) to discuss their project and develop the following two items:

• The Project Description Form (PDF). A sample PDF can be obtained from^1 and in Appendix B.
• The Preliminary Literature Review (PLR). A template for the literature review can be obtained from^2 and in Appendix C. This should be sub- mitted with the PDF.
• The main sections of the PDF are:

(^1) http://www.rhul.ac.uk/isg/informationforcurrentstudents/mscproject/ formsandtemplates.aspx (^2) http://www.rhul.ac.uk/isg/informationforcurrentstudents/mscproject/ formsandtemplates.aspx

Title Of Project This is a working title and you can change it
later. A good title Usually incorporates not
just the general topic, but also establishes the
contribution of the work that you intend to do.
(See appendix A for example)
Statement of Ob-
jectives

Here you should state what you intend to
achieve and why you have chosen these objec-
tives.
Methodology This should state how you are proposing to
achieve the objectives and why you are using
them.
Work Plan This should indicate any key milestones and
when you expect to achieve them.
Additional Com-
ments

Here you can address any other relevant is-
sues (whether you are conducting the project
with an organization, any contingency plans
you have, whether non-disclosure agreements
need to be signed etc). Some students choose to
include a draft table of contents at this stage,
but you should only do so if you already have
clear ideas about how you might present your
work.

Note

Your PDF should contain sufficient detail that your supervisor can assess your proposal and decide whether it looks appropriate for an MSc project. It is only a plan, not a blueprint. Once you have started to undertake your project you may find that some details specified on the Project description form become subject to change (for example, you might want to revise your objectives, or you may change your methodology). For minor changes this is perfectly ok, but if your project starts to deviate substantially from that specified on the Project description form then you must discuss this with your project supervisor.

2.11 The Preliminary Literature Review

An initial project literature review should be prepared, again in consultation with your supervisor. This form should use the standard project front page. If at any stage the project deviates significantly from the description given, then the student must discuss this with their project supervisor and, if necessary, complete a revised form.

The precise length of this section will depend on how much prior work is relevant to your project. However, a target of 5000 words for the introduction and this section is not unreasonable.

Please note that the preliminary literature review may be used in the Main Content section of your project in order to demonstrate the current state of research, findings and other relevant work related to the topic of your MSc project. Therefore, it makes sense for the PLR to be as extensive and complete as possible.

Chapter 3

Project methods

In this chapter we make some general remarks about some of the project meth- ods that you might choose to use, identifying common pitfalls and providing guidance on avoiding them.

3.1 Main pitfalls

• Inadequate literature search
• Relying too much on Internet resources
• Failing to approach external contacts in an appropriate way
• Poor use and interpretation of questionnaires
• Failing to properly integrate case studies

3.2 Literature searches

Every project should begin with a comprehensive literature search, some of which should have been done even before the project plan is formulated. It is essential that your project demonstrates that you are able to find out what is already known about your chosen subject matter.

There are many different sources that you can turn to for information. These sources will present information in different, sometimes even contradictory, ways. It is your task to absorb this jumble of information and extract the relevant facts as best you can. The most important advice during a literature search is to:

• avoid relying on a single source for any piece of information. (You have already been advised to consult other sources on how to do a project!)
• treat all information with a healthy degree of scepticism. Some sources will be more reliable than others, and it is your responsibility to make your own informed judgements about which sources are reliable and which are not.

Sources of information that you might use to varying degrees, depending on your project topic, include:

Books

There are a plethora of books currently being written on all aspects of infor- mation security. Well -written books normally have the advantage of offering a degree of perspective on the material covered. They are also often a good source of further resources, with significant bibliographies. Most books are reviewed to some extent before publication, although this does not always offer guarantees of their accuracy.

On the other hand, the publication process for books is fairly slow and they do get out of date quite quickly. Further, in information security many books are published hastily and some are therefore of poor quality. Books are also quite expensive to purchase, so you may want to read as many reviews as you can before purchasing them.

The best advice on books is to seek recommendations. Well-established, highly- recommended books are usually good sources.

Research publications

Research publications include sources such as journals and conference proceed- ings. Research publications are the mechanisms by which ideas are proposed and gradually accepted within research communities, and so these resources must be consulted if your project involves a degree of state of the art.

Most journal articles and many conference proceedings are refereed, and so offer a degree of quality assurance.

However, research publications can be both advanced and difficult to read. Again, just because an article has been published does not mean it is correct. Research publications in information security are often contradictory and can be hard to get hold of if you do not have access to a library (although increasingly they can often be located on the Internet).

The Internet

Imagine how people conducted literature searches before the Internet! (Believe me, it was relatively painful, involved running regularly to libraries and lots of letter writing.) The Internet is a magnificent tool for assisting in a literature search, butsearching the Internet is not a literature search.

Here is what the Internet is superb for:

• A preliminary investigation of the available resources on your topic.
• Portal sites that provide inter-related links to different resources.
• Dedicated web sites that contain quality information on specific topics.
• Access to individual sites (and papers) of researchers and organisations.
• Downloadable articles and white papers.
• Easy access to opinions.

Here is why relying only on the Internet is dangerous and inadvisable:

• Much (most) of the information on the Internet has not been formally evaluated (refereed).
• Much of the information on the Internet is subjective and often wrong.
• Much of the information on the Internet is patchy and lacks perspective.
• Much of the information is at an inappropriate level for an MSc project.
• Not all relevant information is publicly available on the Internet.

The Internet is an essential tool for any modern literature search but use it prudently, and not exclusively. It does not have all the information that you need and is not even always the source of the latest information. Be particularly careful to assess the probable quality of information from any web site that you visit.

Magazines and newspapers

There are numerous periodicals that are either dedicated to aspects of informa- tion security or regularly feature related articles. These are all valid resources that you might choose to consult and are often one of the most reliable re- sources for timely developments. Obviously you need to be aware that these may not always be written by subject experts and so you should be careful in your evaluation of their relevance.

Vendors

Literature produced by vendors is often an appropriate and relevant resource for MSc projects in information security. It goes without saying that while a vendor may be the best source of information on issues relating to their products (and often on related issues), you cannot realistically assume that they are presenting information from a fully balanced perspective. Treat vendor information with caution.

3.3 Using external assistance

Even if you are not conducting your project with an external organisation, there are many ways in which you might seek the assistance of external individuals or organisations during your project work. These vary in scope from seeking particular pieces of information, through to conducting informal interviews or conducting questionnaires.

3.4 Making contact

There is no magic formula for guaranteeing success in your requests for external assistance, but there are various ways of increasing your chances of making some progress. General tips are:

• Take time to compose your request if you dont take the time to ask, why should they take the time to reply?
• Always introduce yourself politely and explain the background to your request.
• Make it clear why the particular individual person (organisation) is being contacted personalise the request and avoid mass mailing.
• Be clear and specific about what information you are requesting.
• Offer something in return (perhaps a copy of your project report).

When contacting organisations it is always best to try to contact a specific person. The problem is that in many cases you may not know exactly who to contact. You should first engage in some detective work to find out names of appropriate individuals (ask around, search the Internet, read organisational literature). If all else fails then you may just have to make a general approach. This may work, but be prepared for disappointment.

In certain circumstances it may be appropriate to include a cover letter from your project supervisor with a request for information. Always consult your supervisor before using such a letter.

3.5 Interviews

For certain types of project (for example security management related projects) it may make sense to seek opinions from practitioners or users in your chosen subject area. One method of gathering such information is to conduct informal interviews.

Interviews are essentially a type of meeting in which you hope to gain some relevant information. Here are some tips for conducting a successful interview:

• Choose the subjects of your interviews carefully and try to make sure in advance that they are going to be able to provide the information that you seek.
• Plan your interview carefully in advance. An interview is like a mini project in itself it should have clear objectives and a time plan. Decide on your main questions, and any follow-up questions.
• If appropriate, make your questions available to the interviewee in ad- vance.
• Try to use a mixture of open questions (that allow the interviewee an opportunity to talk around a subject) and direct questions (that give you precise answers to issues of interest).
• Take careful notes during your interview (if you have permission, you might consider recording them).

Be careful how you use and represent information that you obtained in an in- terview. You may have misinterpreted some answers, or may have inferred information that was not factually correct. It may make sense to include ques- tions that you asked in an interview in an appendix of your project report. It is also good practice to offer interviewees an opportunity to see how you used their information in your report and give them the chance to review it.

3.6 Surveys and questionnaires

Problem investigation sometimes generates questions that require the use of survey techniques.You should think very carefully before you use these techniques as they are hard to do well and are often unsuccessful due

to the difficulty of getting responses from target audiences.If you do decide that a survey of some sort is appropriate then it is essential that great care is paid to the details and methodology of the survey. These matters all need to be reported and discussed in your project report.

Questionnaires in particular are one of the most misused methods in MSc projects. The following sections contain a brief overview of the typical problems that arise regarding the use of questionnaires.

• When might you use a questionnaire? A questionnaire survey can produce useful data for a project provided the necessary detailed work is done in advance. Typical areas where one might be used are for sampling attitudes (you want to find out peoples views and attitudes on some issue) or verification of a hypothesis (you want to generate evidence for or against a hypothesis that you have formulated).
• How do you organise a questionnaire?A questionnaire survey gen- erally involves the following steps:

1.Define your objectives. Decide exactly what you want to learn
from the survey. Cut out the non-essential and think carefully to see
if there are alternative sources which are perhaps more reliable or
easier to find (surveys are quite hard to conduct). Every question in
a questionnaire should have a purpose that is evident in the analysis
of results.
2.Design your questionnaire. Presentation of the questionnaire is
surprisingly important if you want respondents to take it seriously.
Organise your questionnaire into batches of related questions. Ask
general questions before specific questions. Format the questionnaire
professionally.
3.Define your target. Decide exactly who you need to complete your
questionnaire, making certain that they either have the information
or can get hold of it. Make sure that your target population is bal-
anced and unbiased towards the subject area (you will not be able to
deduce much from a questionnaire otherwise). Also make sure that
your target is sufficiently large that you are likely to obtain a suffi-
cient response to extract meaningful results (many questionnaires do
not succeed because they fail to obtain sufficient responses).
4.Motivate the respondents. You should explain the background
and reasons for the survey to respondents. You should also generally
promise anonymity in the final report and offer to send a summary
of your findings to the respondents. If you dont do this bit right,
your questionnaire will go straight into the waste paper basket.
5.Organise and plan. Decide how the survey is to be conducted,
how late replies are to be chased up, how queries will be dealt with,

when replies are to be sent back, etc. In the case of a work-based
project, you will probably need to enlist the co-operation and support
of management in the departments concerned.
6.Pilot. No questionnaire is so simple that it will not benefit from pre-
testing, preferably by someone totally unaware of your objectives. In
the case of a large survey, a pilot study is essential. This is the time
when the obvious but overlooked factors will hopefully be discov-
ered. A pre-test also gives you an opportunity to check the analysis
procedures: Do the questions get the expected response? Are the
objectives fulfilled? Is further explanation necessary?

• How should questions be phrased?Again there are no hard and fast rules, but here are some tips to successful questions: – One element in each question: It is nearly always bad practice to combine ideas in the same question. Otherwise questions may be interpreted inconsistently and the answers may then be meaningless. – Be specific: General questions get general answers, and in most cases you will be seeking specific information. Try to avoid questions that involve respondents having to guess or estimate, and seek specific data. Structuring answers into a set of allowed responses (multiple- choice) is a means of forcing a decisive reply. – Be clear: If your respondents dont understand the questions then they are not going to provide accurate answers. Use simple language. Make answers easy to provide (multiple- choice is particularly effec- tive in this regard, although beware of biasing answers). – Avoid ambiguity: This is a major problem as it is difficult to word a question so that it means the same thing to everyone. This is one important reason for piloting a questionnaire before deployment. – Allow for uncertainty: The respondent should have the option of saying, do not know or perhaps or sometimes and giving further explanation. Further explanation frequently allows something overlooked to come to light. – Do not be personal: You rarely need to ask personal questions. If you cannot avoid them then explain why you want the information. – Do not ask loaded questions: An example of a poor question is what are your problems with implementing your security policy? In this connection you are implying that there are problems, which there may not be.
• What happens once you have received the responses?Your inter- pretation of questionnaire results is very important. For simple question- naires it may suffice to informally interpret the data. For more advanced questionnaires you may want to formally analyse the results statistically.

Either way it is important that you treat results in an unbiased manner
and do not make the mistake of reading too much into the responses.
This is particularly true if the response rate of your questionnaire has
been disappointing.
It is good practice to include the raw questionnaire data in an appendix
of your project report. You should also note that the whole process of
questionnaire design, testing, implementation and result processing should
be described in your project report.

3.7 Case studies

Many projects include case studies. This is a particularly relevant component in projects that are both theoretical and general in their nature. Case studies can either be central to the entire project or just act as add-ons to a project. The main reasons for including one or more case studies in a project include:

• Demonstrating theory. Case studies can be used to illustrate the ap- plication of theory within a more practical environment.
• Providing specific context. Case studies can be used to provide a specific environment within which more general issues can be applied and demonstrated.
• Tools for comparison. Different issues or aspects of a problem can often be meaningfully demonstrated by comparing two or more case study environments.
• Testing grounds. Cast studies can be used as testing grounds within which to examine whether theoretical ideas have practical application.

Just like other project methodologies, it is important that case studies are em- ployed effectively within a project. You must be able to justify that a case study is meaningful and has added something to your project. The need for the case study should be motivated within the project. The lessons learned from examination of the case study should be clearly identified and interpreted in your project report.

3.8 Practical components

Clearly there are many different methods that you might use to conduct any practical components of an MSc project. These are too varied to provide a general treatise in this guide. We will only re-emphasise here that practical components of project work need to be approached extremely carefully and

considered at the planning stage. Some more detailed remarks on this have already been provided in Chapter 2.

3.9 Collecting and documenting data

The way that you collect and process data during the project is very much up to you. It is worth, however, making a couple of general suggestions.

• It is important to keep track of the resources that you use. You will need these when you start to create your bibliography. You will also need to remember what use they were when you start writing up and citing your references. Each time that you access a resource, take a full reference for it and sketch down some notes about what it contains.
• Many people benefit by keeping a project diary. While this might seem tedious to maintain during the project work, it can help to keep you on schedule and identify whether you are meeting your short and long-term goals. A project diary can really come into its own during the writing up phase. If you have an idea late in the day, the necessary evidence and support can sometimes be found in your project diary.
• Always back up any data or writing that you generate. Even people work- ing in information security get caught out by this from time to time. If you spend the day writing a chapter of your project, dont wait until the weekend backup to make a spare copy of your file!

3.10 Drawing conclusions

Towards the end of your project you will have hopefully made significant progress and gathered lots of relevant information. One of the important parts of the project process still remains, however. This is drawing project conclusions.

The conclusions of your project do not simply serve as an end piece to the report, but also as a summary of the work and an indication of how it relates to the future of your subject area. In particular, your project conclusion should:

• Summarise your contribution and re-emphasise your main results.
• Relate the results of your project to the original objectives, identifying the extent to which you believe the objectives have been met and explaining any differences between what you have achieved and what you intended to achieve.

• Briefly summarise how your work has contributed to the knowledge of the project subject area, placing your work within the context of existing resources. Where you have obtained different findings from previous work you should explain why you think this is the case.
• Follow on logically from the preceding project report discussions and do not introduce any new ideas. Be particularly careful of any potential differences between conclusions that you expected and conclusions that actually follow from your analysis.
• Point to the future of your subject area. You should now be sufficiently familiar with your chosen subject area that you can relate your project to likely developments in the future. You might even choose to make predictions in your project conclusion.

Chapter 4

Producing your project report

The project report is the ultimate deliverable of your MSc project. It is the component that will be used for the bulk of the assessment of your project work. You must give yourself plenty of time to write the project report and you must take care to make sure that it accurately reflects all the work that you have done. This chapter provides some guidelines to help you write a good project report. These deal with the length and format of your report, presentation issues, writing style and the use of references.

4.1 Main pitfalls

• Not enough time spent on writing the report
• Project report too short/lightweight
• Poor structure and organisation of report
• Unprofessional presentation
• Inappropriate writing style
• Inappropriate cutting and pasting from other sources
• Failure to reference report properly

4.2 Length of the project report

First, a few words about the most asked question concerning project reports:

4.2.1 How long should my project report be?

The MSc project is worth 1/3 (one third) of the overall MSc mark. You must therefore spend approximately as much time on your project as you do studying 2.5 modules. Your project report should effectively represent this work effort. You may not always be sure that you have enough, but you will almost certainly know when there is not enough.

As avery roughguide we recommend that your project report should be around 50 pages long, (this is roughly the equivalent of between 10,000 and 20,000 words, the length set by the Regulations). This measure assumes fairly dense text, reasonable line spacing, font size (typically between 10 and 12) and the use of reasonable margins. Clearly reports with extensive diagrams and figures or generous formatting styles may exceed this length. We do not specify precise line spacing, font size or margin size, in order to allow you to present your project in a style that you prefer.

Clearly it would be possible to generate a lightweight project that reached 50 pages by abusing this! The quality of a project report is all about the content, not the length, and you should seek advice from your project supervisor about whether your project report is acceptable before the submission deadline. (It is probably fair to say, however, that very few distinction level projects are ever less than 50 pages in length.)

Neither should it be assumed that to be on the safe side your project report should far exceed 50 pages. There is normally no need for a project report to greatly exceed 50 pages, (20,000 words) and in some cases (but by no means all) such a project may be penalised because the project report is not as focussed as it should be.

The College policy on Penalties for ove- length work is as follows:

• For work which exceeds the upper word limit by at least 10% and by less than 20%, the mark will be reduced by ten percentage marks, subject to a minimum mark of a minimum pass.
• For work which exceeds the upper word limit by 20% or more, the maxi- mum mark will be zero.

4.3 Format of the project report

While we do not provide a general presentation template that your project report should conform to, we do recommend a particular format for the components of your project report. This format is as follows:

Title Page Giving the title, author name, student number,
supervisor name and signed declaration (see the
following note)

(Acknowledgements) Optional

Table of Contents Giving the section structure and page numbers

(List of figures &
tables)

Optional

(List of abbrevia-
tions & acronyms)

Optional

Executive Sum-
mary

A one-page summary of your work that pro-
vides an outline of your objectives and main
findings

Introduction Introduces your project by providing basic
background material and stating what objec-
tive you set out to achieve and why

Main Content The main content of the report. Please
read bellow the clarification between the PLR,
project work and existing resources

Conclusion The conclusions of your project and how this
relates to the future of the subject area

Bibliography A list of all resources referred to in the project

Appendices Any supplementary material

In addition, note the following:

• Title page

A sample title page is provided in Appendix C.

• Executive summaryAll reports should have, before the introduction, anexecutive summary. Executive summaries are not introductions. They summarise the purpose and main findings of your report, usually in a fairly non-technical language. The executive summary should be the last part of the project report that you write, since it is only possible to summarise the project once everything is finished!
• IntroductionThe introduction to your project should be reasonably con-

cise and include the following items:

• Short background to the problem being investigated (you may wish to include more detailed background information in subsequent sec- tions).
• A statement of your objectives, including the motivation for them.
• The methods used in the project in order to achieve these objectives.
• Main contentYou are free to format the main content of your report as appropriate (but see the following section on presentation). Whatever else it contains, you must include somewhere within the main content:
• The relevant material already presented in the PLR in order to demonstrate the current state of research, findings and other rele- vant work related to the topic of your MSc project. This should form the background literature review in the project subject.
• The relationship between the project work and existing resources.
• Detailed discussion of activities conducted during your project.
• Results obtained during your project and related discussion.
• ConclusionFor advice about drawing conclusions, see Chapter 3.
• BibliographyThis is an important component of your project and its quality will be assessed.
• AppendicesAppendices are optional sections of your project report where you can place extra information that does not form part of the report body but which may be useful for a reader of your project report. You should refer to appendices in your main text as you do for other cross-references. An appendix that is not cross-referenced within your main report should not be included. Note that appendices do not count as part of the 50 page guideline.It should be perfectly possible to understand your project report without having to read the appendices. Appropriate content of appendices includes:
• Detailed technical material whose inclusion in the main body of the report would detract from the reading quality of the report (for ex- ample, selected source code).
• Details of methods used within the body project (for example, ques- tionnaire forms).
• Raw data extracted during the project (for example, questionnaire results).
• Relevant data from another source that you feel it would be useful for a reader to easily access while reading your report (for example, sections of legislation).

4.4 Presentation

It is surprising just how much influence the presentation of your report can have on the experience of any reader (including the examiner). Bypresentation, we mean not only the manner in which your information is arranged on the pages of your report, but also the way in which you organise and structure this information within the report. It is extremely important to pay attention to both these aspects of presentation. We do not place any restrictions on how you do this, but in this section we do provide some good practice guidelines that you would be well advised to follow.

4.4.1 General issues

On all aspects of your project report presentation you should aim for acon- sistent look and feel. One of the easiest ways of creating this is to use a standard word processing tool.

You are free to use any word processing tool to create your project report. Al- though your choice will probably be influenced by familiarity, you should note that is worth considering the likely content of your report before making a final choice. For example, reports likely to feature heavy use of mathematical formu- lae are most easily produced using tools specifically designed for this purpose, such as LaTex.

By far the most popular word processing tool for report writing is Microsoft Word. If you are planning to use Microsoft Word then we recommend that you seek advice on how to most efficiently use Word to produce the type of structured document that is described in the rest of this section.

There are no general restrictions on font size or line spacing, however the major- ity of project reports use line-and-a-half spacing with an 11 or 12 point font. Avoid using more than one or two fonts throughout your text. Use a fairly wide left hand margin in order to accommodate the binding of your project report. Remember also to number all the pages of your project report. Whatever else you do, make sure that the way you lay out your project report is pleasing to the eye.

4.4.2 Structuring your report

It is extremely important that you structure your report effectively. There are two important reasons for making sure that the organisation of the information in your report is of high quality:

1. A well-structured report aids navigation. It allows a reader to locate information in your report quickly.

2. A well-structured report aids comprehension. It allows a reader to always be aware of what stage they are at within the report, how they got there, and where they are going.

The key design aspect of your report is the organisation of the report into sections (chapters). These in turn should be broken into subsections (which may in turn be broken into further subsections). There are several aspects to this that you should carefully consider (note that in the following when we refer to sections we could equally well be referring to subsections):

• Complexity. Too many sections (or subsections) make a report overly complicated. Too few sections make a report seem unstructured. There is no magic formula for getting the section breakdown correct, however the remaining issues covered here may help you to do this in an appropriate manner.
• Scope. The best guideline for choosing the scope of each section is that the content of each section should have a common logical theme (high level for sections, lower level for subsections, etc.). Your choice of sections should make sense to a reader.
• Order. A reader should never be surprised by a section. Sections should flow in logical order and, ideally, you should always prepare a reader for them both by explicit advanced notification of the coming sections and by using the flow of your text to link them together.
• Titles. Each section should have a meaningful title. A reader should be able to scan your table of contents and have a pretty good idea of what your report contains from the section titles alone.
• Numbering. Each section should be numbered. This aids navigation and allows for cross referencing of sections. The extent to which you continue numbering subsections is up to you. We suggest that certainly the top two section levels should be numbered (e.g. Section 2 and Section 2.3), and possibly the third (e.g. Section 2.3.1). However, numbering does start to get confusing below this level (e.g. Section 2.3.1.1) and is probably best avoided.
• Consistency. Your use of sections should be consistent throughout the report. This also applies to the fonts you use for the section headings, use of capitalisation and the spacing that you place between headings and text.

Breaking your project up into carefully managed and well-planned sections goes a long to way to improving the reading experience. However, even within a section, it is possible that you have quite a lot of information to convey on a topic. In this case you should use regular paragraph breaks and use bulleted (or numbered) lists to provide further meaningful structure to your writing.

4.4.3 Figures and tables

The presentation of your report can be greatly aided by appropriate use of figures and tables. Both can be used to concisely present information that would otherwise be hard to convey in text alone. They also improve the experience of the reader by breaking up pages of monotonous text. However, please bear the following in mind when using figures and tables:

• They should be appropriate. Do not put figures (or tables) into a report just for the sake of it. They should aid the understanding of the project report. If they have no information value then they should not be there.
• They should be interpreted. A common mistake is to place a figure or table in a report and then say nothing about it. A figure (such as a graph) is almost always meaningless without supporting information. Every figure and table must be interpreted in the text, explaining what information it conveys and, if necessary, providing any further information that is needed to understand it.
• They should be labeled. All figures and tables should be numbered and given titles. They should then be referenced from the text using the appropriate label. Hence in Table 3.2 we see that … is appropriate, whereas in the table on the previous page … is not.
• They should be credited. It is common to use a figure or table found in a source document. It is important that this source is appropriately cited when the figure or table is used. Even if the figure or table is based on one appearing in a source document, this source should be cited (Figure 4.1 is based on an illustration in [FP02]).

4.4.4 Presenting specialist terms

Due to the specialist nature of the MSc project, it is likely that your project report will use a large number of fairly specialist terms. While you may assume that your readers have some basic knowledge of information security, you should make the report as self-contained as possible. Here are some tips on presenting specialist terms:

• Definitions When introducing a term for the first time, highlight the new terminology usingboldoritalics, and provide a concise definition (accompanied by a reference to further reading if necessary).
• Abbreviations and acronyms

Always make sure that every abbreviation or acronym that you use in your
project report is accompanied by a full explanation on first use. If you
have a large number of abbreviations and acronyms in your report then it
would be advisable to include a list of them in your project report.

• Special content If you regularly use some special type of content, such as examples of source code, web links or computer program names, then you might like to adopt a special font to deal with content of this type. For example, it is common to write computer program names in ateletype-style font.

4.5 Writing style

We appreciate that this course is not an MA in English Literature and do not expect all projects to be written in flawless English prose. However, good use of English really does improve the readability of a project report and normally makes the ideas that you are presenting much clearer to a reader. We do appre- ciate that if you are not a native English speaker then this presents a particular challenge. Nonetheless, please do not overlook this aspect of project presenta- tion.

4.5.1 Intended audience

A useful tip on writing style is to think of whom you are writing your report for. You may think that you are writing it for yourself, or for your examiners, but the best way to develop an effective writing style is to imagine writing for a more general audience. Keeping this audience in mind should help you to answer questions such as do I need to explain this …? or what level of detail should I go into on that …?.

We suggest that you assume that your general audience comprises people with a basic knowledge of information security, but who might not be familiar with all the details of your chosen topic. An appropriate audience would thus be current, and past, MSc students on this MSc programme. This audience will need to be reminded of general issues, certainly reminded of essential detail, but are probably already familiar with the basic principles of information security.

4.5.2 Spelling and grammar

There are no excuses for submitting a project report that
contains many spelling and grammatical errors.

The following techniques can be used to minimise these:

• Use a spell-checker. There is simply no excuse for not passing your project report through a spell-checker. It might not pick up everything, but it will pick up most typos and spelling mistakes. It doesnt take long and it makes a difference. It shows, above all else, that you care about the presentation of your project report.
• Use a grammar-checker. Many word processing tools also have an au- tomated language check facility. It might not always give the best advice, but it can help. If you have access to one then use it.

4.5.3 Use of language

A good project report should be informative and interesting, but written in an accurate and neutral style. You are not writing a textbook or an article for a tabloid newspaper! Here are some tips on writing style:

• Keep it simple: Keep your writing style as simple as possible. Avoid the use of overly flowery language. Readers want to understand the information that you are trying to convey. Information security is gener- ally complex enough without you making it more obscure by your use of language. This advice is particularly important if you are a non-native English speaker. You will not get extra marks for using big words and trying to use clever sentence construction.
• Keep it honest: Everything that you write in your project report should be accountable and accurate. If you make statements then they must be justifiable and linkable to sources. There is a tendency in maga- zine articles and books to use language to present emotive information such as the the web-enabled age of increasing connectivity or the e-commerce revolution, but in fact if you take the time to consider them carefully you should quickly realise that these are in fact meaningless phrases what do they actually mean? If you state more and more people are turn- ing to wireless networking then you have to provide justification is this actually true? In this regard you should also avoid overstatement
  • is it true that all organisations do it, or only that many organisations do it?
• Use the third person:In general it is best to write in the third person. Your project report is essentially a reporting back of some facts that you have accumulated during your project. It is however essential to use the first person when you are expressing your own personal opinion.
• Avoid marketing speak:Be very careful to avoid the use of any mar- keting speak in your project report (there is almost nothing that is likely to annoy an examiner more).You must thus use adjectives sparingly. Your companys Certificate Authority might well be very good in your opinion,

but it is not necessarily a centre of excellence. Your favourite organisa-
tion may be competent in your opinion, but without careful justification
you should not claim that they are second to none in the topic that you
are investigating.

• Using humour:Use humour in your writing sparingly, and wisely. There is nothing wrong with trying to make your writing a bit more interesting, but there is always a danger that inappropriate use of humour could count against you. A similar remark applies to excessive use of silly analogies or cliches. Be sensible.

4.5.4 Expression

The way that you express your writing will influence the impression that a reader has of the quality of your work. There are several issues worth addressing here.

Expressing opinions

You are encouraged to express your own opinions throughout your project report in fact this is one way of demonstrating that you are aware of the relevant issues and have thought carefully about them. However:

• Make sure that you do not misrepresent a personal opinion as a fact (using the first person is one way of ensuring this).
• Justify your opinion by providing suitable evidence, either by means of arguments or references to source materials.

Writing authoritatively

Be very careful with the tone of authoritativeness that you write in. In general your project report should be authoritative you are, after all, expected to be an expert in the subject of your report. However do not attempt to be authoritative when you are writing about subjects that you are not sure about. It is (probably!) better to express degrees of doubt and uncertainty, than to make incorrect statements or claims. Be aware of the difference in meaning and clarification conveyed by conditional language as opposed to unconditional (may as opposed to will, normally as opposed to always). See also remarks in the above section about writing honestly.

Using verbatim text

Only if it is appropriate and contributes to the report, should you reproduce verbatim text (text copied, or superfically modified) from another source directly in your report.

• Do this sparingly, making sure that you clearly indicate which text is verbatim and that you clearly cite the source of the text.
• This applies to any areas of text in your report (in other words it applies as much to introductions and linking text as it does to text representing an idea).
• Unattributed use of verbatim text may be an act of plagiarism.
• Lack of confidence in technical English writing is not an acceptable excuse for using unattributed verbatim text.

4.5.5 Flow of text

The last issue of writing style that we consider is the flow of text throughout your project report. If you can make the writing flow naturally throughout the report then you will improve the experience for any reader of your work.

Linking text. Try to appreciate the need for a reader to be aware of how one part of your report connects to another. Hopefully by structuring your report sensibly you have already helped the reader considerably but be aware that you can further aid the reader by providing good linkage text. For example:

• In your introduction you should provide an overview of all the sections of your report.
• At the start of each section, you might provide a few sentences that explain the breakdown of subsequent subsections.
• Before any list in your report you should provide a sentence introducing it.
• At the end of each section you might consider a short summary of the section, or at least a few words of conclusion.

Paragraphs. Break your writing down into paragraphs. A full page of solid text can be very off-putting to a reader. Paragraphs normally contain more than one sentence, but are rarely more than a few sentences in total length. Let your writing breathe.

Repetition. It is important to re-emphasise important points throughout your project, but you should try to do this without too obviously appearing to be repetitious. Effective use of language allows you to stress significant infor- mation in different ways without appearing to have excessively cut-and-pasted your project together.(Now read this paragraph again carefully!)

Footnotes. Footnotes are normally used in technical writing either for:

• extended parenthetic remarks that would otherwise cause unnecessary or excessive disruption to the flow of the main text
• citing references.

In general we recommend that you try to minimise the use of footnotes (or even avoid them altogether). We certainly recommend that you do not employ them for both of these different purposes. If you wish to use them for paren- thetic remarks then use them sparingly and be as brief as you can with the supplementary text (always consider whether it might be more appropriate to link to a reference, incorporate the footnote into the body text or just omit the footnote altogether). If you wish to use them to cite your references (not our recommended way of doing this, but a tolerable technique) then please use them exclusively for this purpose.

4.6 Content

There is not too much to say about content this is the part of the project report that you have to produce through months of endeavour and intellectual activity! However there are a number of important general remarks about the content that you should include in your project report. It should be:

• relevant. Make sure that the content of your project report is relevant to the intended objectives of your project. Material that is regarded as irrelevant will not only distract (and perhaps irritate) a reader, but may result in your project report containing insufficient relevant material to satisfy the project requirements
• representative. The content of your project report should fairly repre- sent the effort and activities that you conducted as part of your project.

This is particularly true for projects that involve considerable practical
components. If you spent most of your time on a relevant implementation
activity then your project report should be about that implementation
and its related issues (see also Chapter 2)

• fair. Your project report should do what you say that it does, andshow respect for all other work on this topic. For example (with regard to the former), if you say that you are going toanalysesomething in your project then you must do more than justdescribeit. The main way of showing respect for other work on the topic is through your use of referencing
• accountable. It should be clear to a reader of your project what you did, how you did it, and that the resulting efforts were sufficient for an MSc project. Your personal contribution (as opposed o the material taken from other sources) should be clearly identified. On completing the reading of your report a reader should have a fairly good idea how you spent your time conducting the project.

4.7 Referencing

Read the following sentence out loud three times and commit it to memory!

Referencing is a very important part of my project report.

It is almost true to say that you can never have enough referencing. Unfor- tunately, referencing is probably the one aspect of project report writing that causes the most problems, especially to people writing such reports for the first time. There is really no need for this to be the case, and so it is important that you take the time to find out how to use references effectively. This section contains some guidelines, but is not meant to be comprehensive, so if you are using referencing for the first time then we recommend that you consult other guidelines on this issue as well (see Chapter 1).

####### Purposes of referencing

There are two related purposes for referencing:

1. To enable a reader to trace the sources that have influenced your ideas and work.
2. To enable a reader to access your sources for further detail.

Notice that the first reason not only explicitly attributes credit to sources that you have used during your project, but also implicitly separates your personal contribution to the project topic from that of existing sources.

Bad referencing can thus expose you to potential accusations of plagiarism. This is an examination offence under the General Regulations (Section 9) and may have serious consequences.

The second reason implies that your project report is not an isolated document. While its main ideas should stand alone, referencing is the tool that connects your project report with everything else that has been written on your project topic. It helps to place your report, and your sources, within an appropriate context.

Referencing is thus an integral part of your project report.

####### Choosing sources to reference

Every source that you use in your project is a potential reference. Thus refer- ences can be to books, articles, reports, standards, web pages, surveys, promo- tional literature or even conversations.

Many pieces of information can be found in different sources. Please follow the following three general principles when deciding which sources to reference for a piece of information:

1.Earlier sources take precedence over later sources. Thus if you read
the same idea in two different journal articles, one published in 1994 and
the other published in 2003 then you should definitely reference the one
published in 1994. You might also choose to reference the one published
in 2003 if it adds some later perspective or insight that is relevant to your
project. If in doubt, you could choose to reference both.

2. Permanent sources take precedence over ephemeral sources. Since references should be traceable, it is important that you try to find the most permanent source you can for a piece of information. If someone communicates something to you in a conversation then you should try to locate this information from a more general source that someone else could access. In this regard the printed word normally takes precedence over electronic sources. If you find something on the Internet then it is worth trying to establish if this information appears elsewhere in a journal article or book. Note that even on the Web, downloadable white papers take precedence over web pages, as these are more likely to have a longer life and be traceable should the URL change.

3.Refereed sources take precedence over unrefereed sources.
The quality of information is only as good as the quality control exer-
cised on publication of the information. This can be very hard to judge
and to a certain extent you will have to make your own decisions. In
general journal articles are subject to more scrutiny than books (although
a well-read book may have been more scrutinised than a little-read jour-
nal article). Journals and books tend to have been more scrutinised than
articles appearing in newspapers and magazines. Information on the web
site of a large organisation is more likely to have been scrutinised than
information on a private web site, etc.

You should have already been able to work out that these three principles will sometimes be contradictory and that there will be plenty of exceptions to them as well. Use them to help you to make decisions. If in doubt reference all your sources!

####### Format of references

There are two formats that you will need to decide upon when you start to write your project report. One is the format for listing references at the back of your report (we consider this in this section). The other is the format used when citing references (we discuss this in the next section).

The reference format that you decide to use must guarantee that the information is:

• comprehensive. The description of a reference should contain as much information as is necessary to help a reader to find that same source should they desire to do so. Please keep this in mind when you reference relatively ephemeral sources such as web pages. Some sources (such as personal con- versations) cannot be traced by a reader, but even in this case a reference should contain as much information as is necessary to indicate the context of the source (in this case the name and date would represent a minimum requirement)
• consistent. The format of references should be as consistent as possible. In particular, references to the same type of source (books for example) should rigorously follow a fixed format.

We do not provide a strict format for each type of source as there are different conventions and you may have your own preferred style. The following gives an indication of what type of information you should include, and in each case gives different examples of acceptable formats.

Articles in journals / serial publications / conference proceedings / reports
Author Initials and surnames of all au-
thors. When there are no au-
thors, often the name of the is-
suing e.g a government body or
a company can be given instead.
Title Given in full, normally with
only the initial letter and proper
nouns in capitals.
Name of
journa/proceedings/publication

Preferably in full. (There are in-
ternationally acceptable abbrevi-
ations that can be used  never
make up your own abbrevia-
tions.) In italics. Unpublished
works should have their status
indicated (e.g. Technical Re-
port)
Journal/ publication Details Volume number, (edition num-
ber), (month for serial publica-
tions), year, page range.

Examples:

G. Horn, K.M. Martin and C.J. Mitchell, Authentication protocols for mo- bile network environment value-added services, IEEE Transactions on Vehicular Technology, 51, (2002) 383-392.

Gollman, D.: What do we mean by entity authentication? Proceedings of IEEE Symposium on Security and Privacy, Oakland CA (1996) pp. 214-221.

J. Colombo, Phishing for gamekeepers, Information Security Bulletin, Vol. 9 Issue 1, February 2004, 9-20.

C.A. Mathers, A framework for B2B certification services, Technical Report TR 99-07, Department of Mathematics, Royal Holloway, 1999 (available from author).

Books
Author Initials and surnames of all au-
thors (or editors in the case of
Complilations)
Title Given in full, normally with
only the initial letter and proper
nouns in Capitals (including edi-
tion number if relevant) In ital-
ics.
Publisher The full name (optionally the
place of publication  usually the
city).
Date of publication The year.
Optional detailed location of
source material

Typically section number or page
range. Note that often this infor-
mation is omitted from the ref-
erence and the extra information
provided in the citation call (see
the following section).

4.7.1 Examples:

C.J. Mitchell (Ed.), Security for mobility, IEEE Press, 2004.

T. A. Powell, HTML: The complete reference (2nd Edition), Osborne-McGraw Hill, Berkley, 1999.

Electronic sources
The key to referencing an electronic source is to provide as much
information as you can in order to assist someone who later tries to trace
(the source under the assumption that the URL may change in
the future). Not all of the following fields may be relevant for a
given source, but attempts should be made to complete as many as possible.
Author Initials and surnames of all au-
thors. When there are no au-
thors, often the name of the is-
suing department (e.g. a govern-
ment body) or a company can be
given instead.
Title Given in full, normally with
only the initial letter and proper
nouns in capitals.
Date of publication The date given on the source
page(s). If there is no date asso-
ciated with the source then pro-
vide the last date that you ac-
cessed the source.
URL The full URL.

4.7.2 Examples:

Internet Engineering Task Force RFC 2409 (1998): IKE:Internet Key Exchange, http://www.ietf.org

S. Fluhrer, I. Mantin and A. Shamir, Weaknesses in the key scheduling algo- rithm of RC4, August 2001, http://www.cs.umd.edu/ waa/class-pubs/rc4_ksap roc.ps

Other references By following the general ideas of the reference formats already covered, you should be able to apply common sense to decide how to reference any unusual sources that you use that do not fall into the previous categories. For example:

H. Ganley, Informal advice given to new MSc students, Personal communica- tion, 7thSeptember 2003.

International Organisation for Standardization, ISO 7498-2: Information pro- cessing Systems Open systems interconnection Basic reference model Part 2, 1stEdition 1989.

####### Citing references

Having a long list of references is one thing, but it is only when you cite references that you demonstrate that you have read them and understand how they relate to your project.

Citinga reference involves placing a coded link to your reference list within your main text (normally within square brackets). In this section we briefly indicate when this is appropriate and discuss suitable formats for citations. Again, this section is not meant to be comprehensive and you should seek further information (or look at examples of best practice) if you are unsure how to most effectively do this.

Style format for citations We do not specify a style format for citations. There are several popular styles and we recommend that you adopt one of them. The most popular are:

• [Letters Year]This consists of two-three letters followed by two num- bers representing year of publication. Multiple publications by the same authors in the same year are distinguished by subsequent lower case let- ters. Thus if David Brownrigg has one reference in 2003 then use [DB03], but if he has two then use [DB03a] and [DB03b]. This system is most appropriate if you are manually inserting citations into your text as the citation code is independent of the order in which your references are listed in your bibliography. (Hence this is a highly suitable format for use with Microsoft Word.)
• [Numerical]Citations are simply numbered in bibliographic order and cited by number, for example [17]. This is the cleanest citation style, but is best used only if you have a word processor that supports automated citing of references (such as LaTex). This is not a recommended method if you are manually inserting citations into your text.
• (Author, Year)Citations are called using author name and year, such as (Brownrigg, 2003). This has the advantage of forcing you to name the author of each citation, but can look rather clumsy if your report uses many citations (which it should do). This method seems to be largely preferred by humanities subjects.
• FootnotesSome people use footnote indicators as citation codes, and provide the full reference in the footnote.We do not recommend this techniquebecause it looks ugly and requires you to repeat references at the bottom of a page each time that they are used.

For the rest of this section, we will illustrate the use of citations only using the first of the listed styles.

When to use citations A very simple rule that is often quoted is any time you state a fact, provide a citation. This is not a bad way of thinking about when to use a citation, although there are in fact more occasions than the simple stating of a fact that require a citation. Here are examples of some situations where a citation is appropriate.

Crediting a source with an idea According to [DB03], postgradu-
ate project work provides valu-
able training that is directly ap-
plicable in the workplace
Attributing a direct quote to a
source

According to [DB03], The MSc
project is designed to deliver
quality training in directly appli-
cable skills of the type demanded
by the security industry.
Providing a link to a source for
further information

Some of the benefits of conduct-
ing an MSc project are outlined
in [DB03].
Providing evidence to support a
claim or fact

Many people believe that con-
ducting an MSc project provides
students with directly applicable
work skills [DB03].
Specifying a source A recent report [DB03] indicated
that project work provided mar-
ketable work skills.

Note that in the last two cases, while the sentences still make sense if the cita- tion is omitted, an examiner reading these sentences will certainly notice that a citation is missing!

Having stressed the importance of including citations wherever appropriate, it is also worth observing that citations used inappropriately (in particular, not relating explicitly to anything in the text) serve no purpose at all.

Multiple citations If you wish to cite several citations at once then you can use either of the following:

• Many surveys have been conducted on the relevance of MSc projects [DB03, KM00, MR99].
• Many surveys have been conducted on the relevance of MSc projects [DB03], [KM00], [MR99].

Providing information with a citation Details such as chapter numbers of books can be placed within a citation (this allows you to have one reference to the book in your bibliography):

• According to [DB03, Ch. 4], The MSc project provides useful skills. Depending on your citation format style, you may choose to additionally state the authors alongside your citation. Hence the following is also acceptable:
• According to Brownrigg [DB03, Ch.4], The MSc project provides useful skills.

Positioning a citation within a sentence A citation is best placed imme- diately following the relevant text at a position within the sentence that makes grammatical sense. This is best seen by means of examples.

The following are acceptable:

• Many people believe that conducting an MSc project provides students with directly applicable work skills [DB03].
• There is evidence [DB03] that conducting an MSc project provides stu- dents with directly applicable work skills.

But the following are not:

• Many people believe that conducting an MSc project [DB03] provides stu- dents with directly applicable work skills.The citation is not next to the relevant text it appears to cite a reference on MSc projects rather than citing a reference on the issue of their applicability.
• Many people believe that conducting an MSc project pr ovides students with [DB03] directly applicable work skills. This is not at a sensible position grammatically because it breaks the sentence up try reading the sentence aloud if you are not convinced!
• [DB03] claims that conducting an MSc project provides students with directly applicable work skills. It is best not to start a sentence directly with a citation in this case a better choice would be: The author of [DB03] claims that …

Writing with citations Many people ask when they should insert citations into their text. We strongly recommend that you insert citations as you write. It is very difficult to go back through a document and insert all the relevant citations once you have forgotten what motivated your writing. It is almost inevitable that you will miss some important ones out.

Of course, it is not always convenient to recall the details of all your sources while you are writing. Thus we recommend that if you do not know the exact source at the time of writing then you insert a placemark citation (e.g. [REF?])

into the text, so that when you return to the document you will remember that you need a citation at this point in the text.

Do not write your project report and then go back and do the refer- ences. This will result in sloppy referencing and is likely to be fairly obvious to an examiner of your project report.

####### Bibliographies

All the sources that you have used for your project should be listed at the back of your project report.

The majority of the sources that you have consulted should be cited somewhere in your project report. However, it is possible that there are some sources that have influenced your thinking but that you have not cited directly in your writing. Thus we suggest that you make the following separation at the back of your project report:

References This is the list of allreferences that are citedin the text of your project report. These should be listed in alphabetic order with the relevant citation code immediately to the left of the full reference, such as:

[DG96] Gollman, D.: What do we mean by entity authentication?, Proceedings of IEEE Symposium on Security and Privacy, Oakland CA (1996) pp. 214

This should be the most comprehensive of the bibliographies included in your project report. Every item on this list should be cited somewhere in your body text.

Additional sources This is the list of all sources that influenced your project but did not feature in the final report. Whereas references should all be listed together in one alphabetically ordered list, if you have a substantial number of additional sources you might choose to group these by type (books, electronic sources, etc.). You might even like to indicate next to each of these sources what influence it had on the project (e.g. useful background on web security issues).

Please note the following:

• References are compulsory, whereas Additional sources are optional.
• A long list of integrated (and cited) references shows the depth of your understanding of your project topic. A long list of uncited references and additional resources shows very little.

####### Cross-references

Cross-references are the internal equivalent of references within your project re- port. They act as signposts that direct readers to other related parts of your project report and therefore provide it with further structure. Cross-references are typically to section numbers within your report (another reason for num- bering all sections, subsections, etc.) or appendices. We recommend that you use cross-references throughout your project report to:

• direct the reader to further detail contained elsewhere in your project report
• link related parts of your project report
• avoid repetition of material already given elsewhere in your project report.

4.8 A note on the use of cut and paste

It is worth ending this section with an important note.

Given the availability of electronic sources and scanners it has become increas- ingly easy to produce a project report that consists of large sections of text cut and pasted from source documents. Doing this is likely to land youin serious trouble:

• If you fail to cite and reference the original sources then you have con- ducted an act of plagiarism.

This is an examination offence under the Regulations Governing Exam-
ination and Assessment Offences (see Section 1) and may have serious
consequences.

• Even if you cite and reference the original sources, it is possible that your examiners will decide that your project report does not contain enough original content and that you have not demonstrated a full understanding of your chosen subject area. Thus if you choose to cut and paste any material into your project report then you must:
• clearly cite the source every time
• provide supplementary text that indicates your understanding of the used material
• use this technique as sparingly as possible. See the section on using verbatim texton page 30 for more information.

Chapter 5

Your project supervisor

In this chapter we briefly explain the role of your project supervisor and suggest how you can make the most of their assistance during your project.

5.1 Main pitfalls

• Lack of communication with supervisor
• Failure to agree project plan with supervisor
• Failure to approve report structure with supervisor
• Failure to show draft report to supervisor

5.2 Role of the project supervisor

Your project supervisor is your first point of contact on all issues concerning the MSc project.

While it is useful to have a project supervisor who is knowledgeable in the subject area of your choice, the role of the project supervisor does not require them to be a subject expert. If necessary your project supervisor can help you to locate subject specific information, but their main activities will be to support you throughout the course of the project.

The two areas where your supervisor will be of most help are likely to be:

1. Helping you to select a project topic and developing your project plan.
2. Approving the structure of your project report when you begin to write.

Other areas where a supervisor can be of great help include:

• Advice on completing your project description form.
• Advice on sources.
• Advice on your progress during the project process.
• Advice on activities that you undertake during your project.
• Advice on dealing with contacts and external organisations.
• Advice on concerns you have that arise during your project.
• Critical reading of draft reports.

You must be very clear, however, that it is not the role of the su- pervisor to do any of the work for you or to write any part of your project report.

5.3 Selection of your supervisor

At the start of the academic year you will be allocated an MSc advisor. Your MSc advisor is the person to whom you can hold your first discussions about possible project topics. You should endeavour to make contact with them as soon as you can.

During the first semester you should establish whether your MSc advisor would make (and is willing to be) a suitable project supervisor. If not, then they will be able to direct you to other more compatible supervisors.

Look out for announcements during the first semester concerning the process to follow in order to choose a supervisor. If you do not choose a supervisor yourself then one will be assigned to you. Note that there are limits on the number of students that any one member of staff may supervise, so your choice is not guaranteed. It may be possible to change your supervisor at a later date, but only with the agreement of all parties concerned.

5.4 Working with your supervisor

Regardless of your own previous experience (and that of other people who help you on your project) you should be aware of the fact that your project supervisor will have a very good idea about what makes a good MSc Information Security project report. It is thus strongly recommended that you involve your project supervisor throughout the project process.

While your project supervisor is there to help you, it is not their job to chase you. Only you are responsible for the successful completion of your project.It is thus your responsibility to consult your project supervisor as you require, not the other way round.

The most effective way to work with your project supervisor is something that you need to establish with them, as this will differ depending on your needs and their preferred support mechanisms. The following general suggestions should help to make this relationship effective:

• Establish contact with your project supervisor early during the project process.
• Agree a preferred method of communication with your project supervisor.
• Establish deadlines for deliverables during the project process (and meet them).
• Keep your supervisor regularly informed of progress.
• Contact your supervisor as soon as any problems arise.
• Follow advice that your supervisor gives you and justify any reasons that you have for deviating from it.
• Be reasonable in any demands of your supervisor.

5.5 Project drafts and your supervisor

One area where project supervisors can greatly assist you is when it comes to writing your report. Supervisors have experience of many project reports and also know what examiners will be looking for. You would be very foolish not to take advantage of the opportunity for your supervisor to cast a critical eye over a draft of your project report. On the other hand, supervisors are unlikely to be happy to approve every single draft of everything that you write. They will quickly get just as tired as you of your project report! Here are some tips regarding your supervisor and project drafts:

• Establish in advance the extent to which your supervisor is happy to review project drafts.
• Show your intended report structure to your supervisor before you embark on writing extended portions of the report.
• Show an early draft of one section to your supervisor for comment. Many early mistakes can be stamped out at this stage. In particular, make sure that you include references in this early section, as this is something you will probably want some feedback on.

• Implement any reasonable changes that your supervisor recommends, un- less you have good reason not to (in which case, explain to them why).
• Pay attention to the general comments that your supervisor makes on any early drafts and keep them in mind when writing later sections of your report.
• Avoid showing your supervisor too many drafts of the same section.
• Indicate to your supervisor in advance when any draft material will come through, giving them the chance to reserve time to review it for you.
• Do not expect your supervisor to correct your spelling and grammar, but be prepared to listen to advice that they give on its standard.
• Make sure that any final draft that you submit for checking is presented to your supervisor within a timeframe that they have already agreed. In general it would be unreasonable to ask a supervisor to review a final draft less than two weeks before the project deadline.

Chapter 6

Assessment of your project

In this chapter we explain how your project will be assessed.

6.1 Main pitfall

• Failure to appreciate assessment criteria

6.2 The assessment process

All of the project mark is based on an assessment of your project report. Your report will be assessed using the following procedure.

1. Each project report shall be read independently by two examiners, nor- mally one of whom shall be the candidates supervisor.
2. They will each write a brief assessment of the project and assign a mark. The mark shall be an integer in the interval [0,100], where 50 is the pass borderline and 70 is the distinction borderline.
3. The two examiners will consult to compare their assessments and, if pos- sible, they will recommend a mark jointly.
4. In the event that the two markers cannot come to an agreement then a third examiner will be consulted to moderate and return a recommended mark.
5. The recommended marks are presented to external examiners who have the right to suggest refinement of the recommended mark.

6. Final marks are approved by the MSc Examination Board.

Examiners should satisfy themselves that the report is the work of the candidate and should take into account the readability and coherence of the report as a whole, the completeness of the discussion, as well as the difficulty and scope of the project, its relation to an industrial placement, if any, and the extent to which the objectives of the project are met.

To justify a pass there shall be evidence of at least one of the following points:

• The candidate appreciates the relations of the topics discussed to one another and to the rest of the subject area concerned.
• The candidate has extended the source material by expressing reasoned opinion or by way of a practical implementation.
• The candidate has elaborated the treatment as found in the sources by clarifying the issues or filling in gaps.

A distinction should only be awarded when these factors are present to a marked extent or where research is involved which demonstrates the discovery of new facts or the exercise of independent critical power, or provides material that merits publication.

6.3 Assessment criteria

Project markers assess project reports across a broad range of criteria, includ- ing issues relating to content, presentation and appreciation of material. The criteria used in the assessment of projects by project examiners can be found at

https://www.royalholloway.ac.uk/isg/informationfornewreturningstudents/ mscproject/formsandtemplates.aspx

Chapter 7

The project process

In this chapter we summarise the project process, indicating the timing and any administrative issues that you need to address along the way.

7.1 Main pitfalls

• Failure to pay attention to deadlines
• Failure to understand the project process

7.2 Phases of the project process

For more information about the MSc project process, tasks and deadlines please visit the The MSc Project Process Information (Summary) for Students link from the Forms and Templates section of the MSc project web site:https:// http://www.royalholloway.ac.uk/isg/informationfornewreturningstudents/mscproject/ formsandtemplates.aspx

7.3 Submitting your project report

All students are entirely responsible for submitting their report to Royal Hol- loway before the project deadline.

Meeting the deadline is part of the project process. It is the responsibility of the student to ensure that paper copies submitted by post, or any means other than by handing in to the Departmental Office, reach the Departmental Office

in good time. It is acceptable to ask a friend to print, bind and hand in your project on your behalf.

Submission of your project report consists of the following two steps, both of which must be completed by the deadline:

1. Two paper copies, bound using any reliable process,such as plastic spiral binding, and sent to the address indicated below. Please note that there are 3 binding machines on Level 2 of the Bedford Library and you should be able to buy plastic binding spines from the college shop.
2. One electronic copy (look out for announcements providing details of the electronic submission process).

Please make sure that your Title Page conforms to the required format and that you have signed the declaration on the Title Page on both paper copies of your project report (see Chapter 4 and Appendix C).

Please note the following:

• Royal Holloway will not return any copies of your report to you. Please make sure that you keep at least one copy of your project report in the event that your submission gets lost in the post.
• Please deliver your reports to McCrea 247 in person or pack your report securely and send it by the most reliable means available (e.g. courier, special delivery mail, or registered post). No refund of costs can be made by Royal Holloway. You are advised to send your report by a method for which you can obtain not only proof of posting but also proof of receipt at Royal Holloway, to be used in the event of packages going astray. – ONLY IF you decide to post your project then please email the ISG MSc Projects Director (martin.albrecht@royalholloway.ac.uk) and the ISG Course Director (z.ciechanowicz@rhul.ac.uk) a scanned copy of the postage receipt, along with your full name, student number and project title.
• Packages should be marked clearly: MSc Information Security Project Report, and should be addressed to: Information Security Group Attention: Michelle Gates (ISG MSc Project) Information Security Group (McCrea 247) Royal Holloway, University of London Egham, Surrey TW20 0EX United Kingdom Tel: +44(0) 01784 443085 Fax: +44(0) 01784 430766

7.4 Policy on late submission

The College policy on late submission of work is as follows:

• For work submitted up to 24 hours late, the mark will be reduced by ten percentage marks, subject to a maximum mark of a pass.
• For work submitted more than 24 hours late, the maximum mark will be zero.

Students attention is drawn to paragraphs 47b) and 49 of the Postgraduate Regulations which imply that the failure to submit the project dissertation within the deadline means that an outcome of INCOMPLETE will be recorded. Students attention is also drawn to paragraph 33 of the regulations and the fact that REPEATING a course may have fees implications (different to those of RESITTING an assessment).

A student who is having difficulties meeting the deadline for project submission may have recourse one or more of the following: Deferral; Illness and Other Extenuating Circumstances; and Interruption of Studies. Such students should notify the Chair of the Sub-board of Examiners (Dr Allan Tomlinson), the ISG Administrator (Emma Mosley), and the MSc Director (Chez Ciechanowicz) at the earliest opportunity.

For further information see the Postgraduate Regulations, available at:

http://www.rhul.ac.uk/Registry/academic_regulations

and sections 5, 6, and 7 of the Instructions to Candidates, available at:

http://www.rhul.ac.uk/registry/Examinations/Essential-info.html

7.5 How to get help

In the event that you have any difficulties with any aspect of the project process then you should use the following help mechanisms.

• Your project supervisor should be your first port of call on any aspects of the project process.
• The ISG web site contains information about, and downloadable forms for, the project (seehttp://www.isg.rhul.ac.uk/msc/modules/IY5500)
• The MSc Projects Director (Dr Konstantinos Markantonakis) can help with any further queries, particularly if you are having problems with supervision or administrative issues relating to the project.

7.6 Warning and wishes

By means of a last word on the project process as a whole we issue a warning and some wishes.

7.6.1 Warning

• Do not underestimate the task in hand. Take the project seriously remember always that it is worth one quarter of your final mark.
• The work you submit must be your own. Acknowledge any quotations you use from published or unpublished sources. Unacknowledged quoting or copying (plagiarism) may constitute an examination offence and may be treated as cheating.
• Deliberate damage to computer systems or the work of others, or any misuse of computer systems or acts in contravention of normal legal and ethical requirements may lead to outright failure.

7.6.2 Wishes

Your MSc project should be fun and challenging to conduct. Use your time and sources wisely, ask for help when you need it, and the very best of luck.

Appendix A: Examples of MSc project titles

The following list contains titles of MSc projects that have been done in the past (sometimes amended to provide clarity). These are included for your information only (you should not feel obliged to choose a title similar to one on this list and neither should you feel obliged to avoid choosing a project topic just because it is too similar to one on this list).

Note that a good title usually incorporates not just the general topic, but also establishes the
contribution of the work done.

1. Information security policy implementation: creating a security policy for a UK-based SME.
2. Risk assessment for CCR PLC: a security investigation and threat analysis for a global IT consultancy company.
3. Corporate identity management: integration of a Certificate Authority and utilisation of certificates in a corporate environment.
4. Security issues in the health sector: identifying the security requirements for an NHS Trust Single Assessment Process.
5. Network management security: comparing the effectiveness of SNMP and CMIP with regard to the security aspects of network management.
6. P3P: an investigation into whether the Platform for Privacy Preferences is a viable and effective technology for enhancing Internet privacy.
7. Managed security services revolutionised: an investigation into current MSS technologies and the development of a proposal for new ideal MSS technology.
8. Security awareness: a strategy for promoting and raising awareness of The Use of Information and Information Systems Policy at the Royal Mail Group.
9. Electronic purses: an analysis of electronic purse technology, focusing on the security requirements of the Common Electronic Purse Specification.
10. How good is Firewall-1?: an evaluation of the effectiveness of the security features present in Checkpoint FW-1 Release 54.
11. ID-based cryptography: an overview of identifier-based cryptography and related applications.
12. M-PKI: security challenges and solutions for using public key cryptography to support security services for mobile commerce.
13. Online certificate revocation: an analysis of issues and solutions for supporting online revocation in PKI software.
14. Secure Internet access: the provision of secure access to the Internet for consumers and small organisations using ADSL.
15. Information governance: proposal of a new framework for accountability and control.
16. Internet voting technology: a critical review of the current state-of-the-art electronic voting technologies.
17. Java Card micropayments: testing the suitability of Java Card technology for Internet micropayment applications.
18. Providing secure e-government services: an analysis of the provision of secure e-government services in Malaysias Multimedia Corridor.
19. Designing a secure automobile: investigating the role of cryptography in the design of future automobile security systems.
20. SecureBuild: a review of a secure Unix platform for Internet-facing applications.
21. Data protection in the U.K.: an analysis of the effectiveness of the U.K. Data Protection Act in addressing privacy concerns.

22. Computer-related crime: a comparison of the approaches taken by the U.K. and the U.S.A. in developing legislation to counter computer-related crime.
23. Minix security: a review and design of security services for the Minix operating system.
24. Software security paradox: an overview of issues and techniques for developing secure software on insecure systems.
25. Password search revisited: analysis and design improvements for a commercial password search machine.
26. Web services security standards: a review of requirements for web service security and an analysis of the likely effectiveness of emerging standards.
27. Address spoofing on the Internet: an investigation into current tools, techniques and controls.
28. Implementing a secure wireless LAN: the design and implementation of a secure wireless LAN for a small commercial organisation.
29. The price of information security: an investigation into how large organisations assess and cost information security services.
30. Mobile Malware and Smartphone Security

Appendix B: The Project Description Form (PDF)

Please refer to http://www.rhul.ac.uk/isg/informationforcurrentstudents/mscproject/formsandtemplates.aspx

or see the Project Description Form below.

Project Description Form (PDF): MSc Information Security

How to complete this form This form should be completed during the second term. Every student must meet their supervisor at regular intervals during the term to discuss the scope of the project and the initial literature review. Drafts of the form

and the literature review should be submitted to the project supervisor for review during the term, as plans for the project evolve. Apart from completing this front page, text should be provided under each of the four headings given after the declaration section below.

An initial project literature review should be prepared, again in consultation with your supervisor. This form should use the standard project front page. If at any stage the project deviates significantly from the description given, then the student must discuss this with their project supervisor and, if necessary, complete a revised form.

Royal Holloway encourages research of highest quality by ensuring that research ethics and good practices are followed. If the proposed work raises any ethical issues, ethical approval must be sought in advance.

Student checklist

• Two copies of this form must be completed, signed and submitted to your project supervisor for signature by DEADLINE TO BE CONFIRMED.
• A copy of the project literature review should be attached to both copies of this form.

Student and project details

Name^

Student number^

MSc track (if applicable)^

Email address

Supervisor name^

Provisional project title^

Ethics (to be completed jointly by the student and the supervisor)

Question Delete/tick as appropriate

1. Will the study be covert in any way? Yes^ No^

2. Will resulting data be used for purposes outside this study? (^) Yes No

3. Are you working with a vulnerable population? (^) Yes No

4. Is it possible that your study will cause distress or harm to participants?

Yes No

If the answer to any of the above questions is YES, the supervisor should contact the MSc Project

Director and arrange for Departmental/College ethical approval.

Declarations and signatures

Student declaration : I declare that I have read and understood the MSc Project Handbook, in particular the

sections on referencing and plagiarism. I declare that the contents of this Project Description Form are all my own work, and that I have acknowledged all quotations from published or unpublished work of other people. I also declare that the proposed work will not raise any ethical issues.

Signature : Date :

Supervisor declaration : I approve the attached project plan and literature review. I agree that the proposed project topic meets the requirements of the MSc track (if specified). I also agree that the project does not raise any ethical issues.

Signature :

Date :

Appendix C: Sample Title Page and structure

for Preliminary Literature Review and Project

Please refer to http://www.rhul.ac.uk/isg/informationforcurrentstudents/mscproject/formsandtemplates.aspx or see the sample title page below.

Student Number: 100123456

First (given) name, Last (family) name

Note that while the title page of your project report need not conform to the precise format of this sample, it must contain ALL the information in this example. It is particularly important to ensure that your student number and name (font size 16pt) appear at the VERY TOP of the COVER page of your project.

Title: Sample Title Page.

Supervisor: First name and Family name of your Supervisor

Submitted as part of the requirements for the award of the
MSc in Information Security
at Royal Holloway, University of London.

I declare that this assignment is all my own work and that I have acknowledged all quotations from published or unpublished work of other people. I also declare that I have read the statements on plagiarism in Section 1 of the Regulations Governing Examination and Assessment Offences, and in accordance with these regulations I submit this project report as my own work.

Signature:

Date:

While we do not mandate a particular structure for your project report, we do recommend the following section headings. Please refer to chapter 4 of the MSc in Information Security Project Handbook for further information on the contents of these sections.

(Acknowledgements)

Table of Contents

(List of figures & tables)

(List of abbreviations & acronyms)

Executive Summary

Introduction

Main Content

[This should consist of a set of sections, with headings appropriate to the content.]

Please note that the preliminary literature review may be used in the Main Content section of your project in order to demonstrate the current state of research, findings and other relevant work related to the topic of your MSc project. Therefore, it makes sense for the PLR to be as extensive and complete as possible.

Conclusion

Bibliography

Appendices