Skip to content

Security, privacy and data integrity

A-Level Computer Science · Topic 6

Train
6.1

Security, privacy and integrity — three different ideas

Syllabus
Candidates should be able to: Notes and guidance
Explain the difference between the terms security, privacy and integrity of data
Show appreciation of the need for both the security of data and the security of the computer system
Describe security measures designed to protect computer systems, ranging from the stand-alone PC to a network of computers Including user accounts, passwords, authentication techniques such as digital signatures and biometrics, firewall, anti-virus software, anti-spyware, encryption
Show understanding of the threats to computer and data security posed by networks and the internet Including malware (virus, spyware), hackers, phishing, pharming
Describe methods that can be used to restrict the risks posed by threats
Describe security methods designed to protect the security of data Including encryption, access rights

Source: Cambridge International syllabus

These sound alike but mean different things:

  • security 安全 — protecting data from unauthorised 未授权 access, change or destruction.
  • privacy 隐私 — an individual's right to control who sees their personal data, with consent and a clear purpose.
  • integrity 完整性 — the data being accurate and complete — not corrupted or accidentally changed.

A file can be secure (only the right people can open it) but lack integrity (a typo corrupted it); or accurate but not private (anyone can read it). All three are needed.

Explore

Risk and responsibility lab

Sort examples by the rule, risk or protection involved.

Vocabulary Train
English Chinese Pinyin
security 安全 ān quán
unauthorised 未授权 wèi shòu quán
privacy 隐私 yǐn sī
integrity 完整性 wán zhěng xìng
6.1

Why security matters

Two things to protect: the data itself (keep it confidential, intact and available) and the computer system (a compromised system can attack others, steal credentials, or be held to ransom).

6.1

Threats from networks and the internet

Threats fall into three groups.

A man-in-the-middle attacker sits between Alice and Bob, reading or altering messages A man-in-the-middle attacker sits between the two parties

1. Malware 恶意软件 (malicious software) — harmful programs:

  • virus 病毒 — self-copying code that attaches to other programs and spreads when they run.
  • worm 蠕虫 — self-copying code that spreads over networks 网络 with no user action.
  • Trojan horse 木马 — looks useful but hides malicious code.
  • spyware 间谍软件 — secretly collects information (keystrokes, passwords).
  • ransomware 勒索软件 — encrypts your files and demands payment.
  • adware 广告软件 — pushes unwanted adverts.

2. Tricking people (social attacks):

  • phishing 网络钓鱼 — fake emails/sites that trick users into giving credentials.
  • pharming 域名欺骗 — redirects a user to a fake site even when they type the correct address.
  • social engineering 社会工程 — tricking people into giving up information.

3. Attacks on the network:

  • hacking 黑客入侵 by hackers 黑客 — unauthorised access, often via weak passwords or software flaws.
  • denial of service 拒绝服务 (DoS/DDoS) — floods a server so real users cannot reach it.
  • eavesdropping 窃听 — capturing data in transit (a risk on open Wi-Fi).
  • man-in-the-middle 中间人攻击 — an attacker secretly relays or alters messages between two parties.

Malware grouped by behaviour: self-spreading types are the virus (attaches to programs) and worm (spreads over networks); hidden or disguised types are the Trojan (looks useful), spyware, ransomware and adware Malware by behaviour: self-spreading (virus, worm) versus hidden/disguised (Trojan, spyware, ransomware, adware)

Vocabulary Train
English Chinese Pinyin
malware 恶意软件 è yì ruǎn jiàn
virus 病毒 bìng dú
worm 蠕虫 rú chóng
networks 网络 wǎng luò
Trojan horse 木马 mù mǎ
spyware 间谍软件 jiàn dié ruǎn jiàn
ransomware 勒索软件 lè suǒ ruǎn jiàn
adware 广告软件 guǎng gào ruǎn jiàn
phishing 网络钓鱼 wǎng luò diào yú
hacking 黑客入侵 hēi kè rù qīn
denial of service 拒绝服务 jù jué fú wù
eavesdropping 窃听 qiè tīng
man-in-the-middle 中间人攻击 zhōng jiān rén gōng jī
social engineering 社会工程 shè huì gōng chéng
pharming 域名欺骗 yù míng qī piàn
hackers 黑客 hēi kè
6.1

Security measures

Measures protect both the security of data (against loss, theft or corruption) and the security of the computer system (its hardware, software and network).

A standalone PC

  • a strong password; antivirus kept up to date; prompt software updates; backup 备份 to separate media; full-disk encryption 加密; a locked screen.

A networked PC

All the above, plus a firewall 防火墙, per-user permissions (admin rights only for admins), central management of user accounts 用户账户, and audit logs 审计日志 (who logged in, what they touched).

A box diagram with the user's computer on the trusted side, then the firewall, then the internet on the untrusted side, connected by double-headed arrows A firewall sits between the user's computer and the internet

Across the internet

  • VPN 虚拟专用网 — encrypts traffic between the user and the corporate gateway.
  • HTTPS / TLS — encrypt web traffic.
  • digital signatures 数字签名 — prove who sent a message and that it was not altered in transit.
  • intrusion detection — watches traffic for known attack patterns.
Explore

Encrypt with a Caesar cipher

Change the shift — that is the key. Each letter slides that many places along the alphabet to make the ciphertext, and the same key slides it back. That shared key is symmetric encryption in miniature.

Vocabulary Train
English Chinese Pinyin
encryption 加密 jiā mì
backup 备份 bèi fèn
firewall 防火墙 fáng huǒ qiáng
audit logs 审计日志 shěn jì rì zhì
VPN 虚拟专用网 xū nǐ zhuān yòng wǎng
user accounts 用户账户 yòng hù zhàng hù
digital signatures 数字签名 shù zì qiān míng
6.1

Matching measures to threats

  • interception in transitencrypt the data (HTTPS, VPN). Intercepted ciphertext is useless without the key.
  • unauthorised access → strong authentication 身份验证 (long passwords; two-factor authentication 双因素认证 with a phone code or key); user authorisation 授权; lock-out after failed logins.
  • malwareanti-virus software and anti-spyware 反间谍软件 with real-time scanning; patching; avoid untrusted downloads.
  • phishing → user training; email filtering; check the URL before entering credentials.
  • internal threats → the least-privilege 最小权限 principle (give each user only what they need); auditing.
  • DDoS → rate limiting and traffic filtering.
Vocabulary Train
English Chinese Pinyin
authentication 身份验证 shēn fèn yàn zhèng
two-factor authentication 双因素认证 shuāng yīn sù rèn zhèng
authorisation 授权 shòu quán
least-privilege 最小权限 zuì xiǎo quán xiàn
anti-spyware 反间谍软件 fǎn jiàn dié ruǎn jiàn
6.1

Protecting the data itself

  • encryption — turn plaintext 明文 into ciphertext 密文 with a key. Symmetric encryption 对称加密 (AES) uses one shared key; asymmetric encryption 非对称加密 (RSA) uses a public key 公钥 and a private key 私钥. Protects data at rest and in transit.
  • access control 访问控制 — file permissions (read/write/execute) and access rights 访问权限, enforced by the OS.
  • authenticationauthentication techniques verify the user: something you know (password), have (token, phone), or are (biometrics 生物识别 — fingerprint, face, iris); strongest combined.
  • backups — keep copies (some off-site) so loss or corruption is recoverable.
  • physical security — locked server rooms, cable locks.

Symmetric encryption uses one shared key to both encrypt and decrypt the message; asymmetric encryption encrypts with the receiver's public key and decrypts with their private key Symmetric uses one shared key; asymmetric uses a public key to encrypt and a private key to decrypt

A grey RSA SecurID key-fob security token with an LCD screen showing a six-digit code A security token shows a changing code for two-factor authentication ("something you have")

A small USB fingerprint reader with an optical sensor pad A fingerprint reader checks "something you are" — a feature of the person, not a password

Vocabulary Train
English Chinese Pinyin
plaintext 明文 míng wén
ciphertext 密文 mì wén
symmetric encryption 对称加密 duì chèn jiā mì
asymmetric encryption 非对称加密 fēi duì chèn jiā mì
public key 公钥 gōng yào
private key 私钥 sī yào
access control 访问控制 fǎng wèn kòng zhì
access rights 访问权限 fǎng wèn quán xiàn
biometrics 生物识别 shēng wù shí bié
6.2

Data integrity

Syllabus
Candidates should be able to: Notes and guidance
Describe how data validation and data verification help protect the integrity of data
Describe and use methods of data validation Including range check, format check, length check, presence check, existence check, limit check, check digit
Describe and use methods of data verification during data entry and data transfer During data entry including visual check, double entry During data transfer including parity check (byte and block), checksum

Source: Cambridge International syllabus

Data has integrity when it is accurate and complete. Two techniques: data validation (catch bad data before storing) and data verification (confirm data was entered or transferred correctly).

Validation — does the data make sense?

Validation 验证 checks data against sensible rules, automatically:

  • range check — within limits (a month is 1–12).
  • limit check — on the correct side of a single limit (e.g. age ≥ 18).
  • existence check — the referenced item exists (e.g. a product code is in the table).
  • length check — the right number of characters.
  • type / character check — the right kind of data (a phone field allows only digits).
  • format check — matches a pattern (an email must contain @).
  • presence check — required fields are not empty.
  • check digit 校验位 — an extra digit computed from the others (ISBN, card numbers) that spots transcription errors.
  • lookup check and consistency check (e.g. delivery date ≥ order date).

Validation catches data that is wrongly formatted, but not data that is the right format yet factually wrong ("Bob" for "Bib").

Verification — was the data entered or transferred correctly?

Verification 核对 checks the data was not changed in moving from one place to another.

During entry: double entry (type it twice and compare, as for a new password) or visual check.

During transfer (bits can flip):

  • parity check 奇偶校验 — an extra bit makes the number of 1s even (even parity) or odd. The receiver re-counts. Catches single-bit errors.
  • checksum 校验和 — the sender sends a summary value of the data; the receiver recomputes it and compares.
  • cyclic redundancy check 循环冗余校验 (CRC) — a stronger checksum using polynomial division, catching many more error types.

The same seven data bits shown twice: a 0 parity bit gives four 1s for even parity, a 1 parity bit gives five 1s for odd parity The parity bit is set to make the number of 1s even or odd

The sender computes a checksum and sends it with the data block; the receiver recomputes the checksum and compares, plus a worked example of the byte-sum-mod-256 calculation Working out a checksum for a block of data

Verification only proves what arrived matches what was sent — not that the data is correct, and not against deliberate tampering. Validation asks "is this sensible?"; verification asks "was this copied correctly?" — use both.

Side by side: validation asks "is this data sensible?" and checks rules like range, type and format before storing (catching nonsense data); verification asks "was it copied correctly?" and uses double entry, parity and checksums (catching copying errors) Validation checks the data makes sense; verification checks it was copied without change

Worked example. A user types their date of birth as 31/02/2009, and types their email address twice. Which check catches which error, and what is the difference? Validation asks "is this data sensible?" - the computer tests it against a rule, and a format or range check rejects 31/02/2009 because February never has 31 days. Verification asks "was this data entered correctly?" - typing the email twice is double entry, and comparing the two copies catches a typing slip. The limit is what makes this a favourite question: validation can never tell you the data is right, only that it is possible - 01/02/2009 passes every validation rule even if the user was actually born on a different day. Say what each check can and cannot catch.

Explore

Computing concept lab

Classify concrete examples by the computing idea they demonstrate.

Vocabulary Train
English Chinese Pinyin
validation 验证 yàn zhèng
check digit 校验位 jiào yàn wèi
verification 核对 hé duì
parity check 奇偶校验 jī ǒu jiào yàn
checksum 校验和 jiào yàn hé
cyclic redundancy check 循环冗余校验 xún huán rǒng yú jiào yàn
6.2

Exam tips

  • Keep the three ideas separate: security (keeping data safe), privacy (who may see it), integrity (keeping it correct).
  • Match each threat (malware, hacking, phishing, interception) to a measure (firewall, encryption, authentication, access rights).
  • Encryption protects confidentiality, not integrity — use a checksum, parity or check digit for integrity.
  • Distinguish a virus, worm and Trojan and how each spreads.

Log in or create account

IGCSE & A-Level