Graham Brown, Brian Sargent - Cambridge International AS Level Information Technology Student's Book-Hodder Education (2024).pdf

Full Transcript

This page intentionally left blank
005603_FM_CAIE_AS_Level_IT_BP_i-viii.indd Page 1 23/11/23 7:02 AM F-0120 /147/HO02989/work/indd

Cambridge
International AS Level

Information
Technology
Second edition

Graham Brown
Brian Sargent

9781036005603_CIE_AS_Level_IT_Title_Page.indd 1 26/10/2023 14:08
005603_FM_CAIE_AS_Level_IT_BP_i-viii.indd Page 2 30/11/23 7:36 PM elhiddnnew /147/HO02989/work/indd

Endorsement indicates that a resource has passed Cambridge International Education’s rigorous quality-assurance process and is suitable to
support the delivery of a Cambridge syllabus. However, endorsed resources are not the only suitable materials available to support teaching and
learning, and are not essential to achieve the qualification. Resource lists found on the Cambridge website will include this resource and other
endorsed resources.
Any example answers to questions taken from past question papers, practice questions, accompanying marks and mark schemes included in this
resource have been written by the authors and are for guidance only. They do not replicate examination papers. In examinations the way marks
are awarded may be different. Any references to assessment and/or assessment preparation are the publisher’s interpretation of the syllabus
requirements. Examiners will not use endorsed resources as a source of material for any assessment set by Cambridge International Education.
While the publishers have made every attempt to ensure that advice on the qualification and its assessment is accurate, the official syllabus,
specimen assessment materials and any associated assessment guidance materials produced by the awarding body are the only authoritative source
of information and should always be referred to for definitive guidance.
Our approach is to provide teachers with access to a wide range of high-quality resources that suit different styles and types of teaching and
learning.
For more information about the endorsement process, please visit www.cambridgeinternational.org/endorsed-resources.
Cambridge International Education copyright material in this publication is reproduced under licence and remains the intellectual property of
Cambridge University Press & Assessment.
Third-party websites and resources referred to in this publication have not been endorsed by Cambridge International Education.

Answers to the practice questions and activities and all source files needed for the Student’s Book can be downloaded from www.
hoddereducation.com/cambridgeextras.
Computer hardware and software brand names mentioned in this book are protected by their respective trademarks and are acknowledged.
Photo credits: p50 [top] © Courtesy of International Business Machines Corporation, © International Business Machines Corporation; p50
[bottom] © Julian Herzog/CC BY (https://creativecommons.org/licenses/by/4.0); p93 [left] © Alvey & Towers Picture Library/Alamy Stock
Photo; p93 [right] © David Jones/PA Images/Alamy Stock Photo; p93 [bottom] © Justin Kase zsixz/Alamy Stock Photo; p267 © MclittleStock/
stock.adobe.com; p269 [left] © imageBROKER.com GmbH & Co. KG/Alamy Stock Photo; p269 [right] © Firas Nashed/stock.adobe.com; p271
© Designua/stock.adobe.com
Text credits: p46 Table 1.14 reproduced by permission of Lloyd’s Register; p151 Figure 6.3 adapted from, ‘Americans with lower incomes
have lower levels of technology adoption’ Pew Research Center, Washington, D.C. (21 June 2021) https://www.pewresearch.org/
short-reads/2021/06/22/digital-divide-persists-even-as-americans-with-lower-incomes-make-gains-in-tech-adoption/ft_2021-06-22_
digitaldivideincome_01/; Microsoft, (Access, Excel, Movie Maker, Photos, Windows and Word) are trademarks of the Microsoft group of
companies; Apple Mac is a trademark of Apple Inc., registered in the U.S. and other countries and regions.
Although every effort has been made to ensure that website addresses are correct at time of going to press, Hodder Education cannot be held
responsible for the content of any website mentioned in this book. It is sometimes possible to find a relocated web page by typing in the address
of the home page for a website in the URL window of your browser.
Hachette UK’s policy is to use papers that are natural, renewable and recyclable products and made from wood grown in well-managed forests
and other controlled sources. The logging and manufacturing processes are expected to conform to the environmental regulations of the
country of origin.
To order, please visit www.hoddereducation.com or contact Customer Service at [email protected]/+44 (0)1235 827827.
ISBN: 978 1 0360 0560 3
© Graham Brown and Brian Sargent 2024
First published in 2021
This edition published in 2024 by
Hodder Education,
An Hachette UK Company
Carmelite House
50 Victoria Embankment
London EC4Y 0DZ
www.hoddereducation.com
Impression number 10 9 8 7 6 5 4 3 2 1
Year 2028 2027 2026 2025 2024
All rights reserved. Apart from any use permitted under UK copyright law, no part of this publication may be reproduced or transmitted in any
form or by any means, electronic or mechanical, including photocopying and recording, or held within any information storage and retrieval
system, without permission in writing from the publisher or under licence from the Copyright Licensing Agency Limited. Further details of such
licences (for reprographic reproduction) may be obtained from the Copyright Licensing Agency Limited, www.cla.co.uk
Cover photo © cookiecutter – stock.adobe.com
Illustrations by Barking Dog Art
Typeset in India by Aptara Inc
Printed in Bosnia and Herzegovina
A catalogue record for this title is available from the British Library.
005603_FM_CAIE_AS_Level_IT_BP_i-viii.indd Page 3 23/11/23 7:02 AM F-0120 /147/HO02989/work/indd

Contents list
Introduction v

1 Data processing and information 1
1.1 Data and information 1
1.2 Quality of information 7
1.3 Encryption 10
1.4 Checking the accuracy of data 18
1.5 Data processing 27

2 Hardware and software 49
2.1 Mainframe computers and supercomputers 49
2.2 System software 59
2.3 Utility software 64
2.4 Custom-written software and off-the-shelf software 70
2.5 User interfaces 72

3 Monitoring and control 76
3.1 Monitoring and measurement technologies 76
3.2 Control technologies 82

4 Algorithms and flowcharts 98
4.1 Algorithms 98
4.2 Flowcharts 114

5 eSecurity 120
5.1 Personal data 120
5.2 Malware 130

6 The digital divide 137
6.1 What is the digital divide? 137
6.2 Causes of the digital divide 138
6.3 The effects of the digital divide 140
6.4 Groups affected by the digital divide 146

7 Expert systems 155
7.1 What is an expert system? 155
7.2 Different scenarios where expert systems are used 157
7.3 Chaining 162

iii
005603_FM_CAIE_AS_Level_IT_BP_i-viii.indd Page 4 04/12/23 8:07 PM f-0113 /147/HO02989/work/indd

8 Spreadsheets 168
Contents list

8.1 Creating a spreadsheet 169
8.2 Testing a spreadsheet 230
8.3 Using a spreadsheet 234
8.4 Graphs and charts 244

9 Modelling 254
9.1 Modelling 254
9.2 Simulations 268
9.3 Using what-if analysis 272

10 Database and file concepts 276
10.1 Database basics 276
10.2 Normalising data 325
10.3 Creating a data dictionary 330
10.4 File and data management 331

11 Video and audio editing 340
11.1 Video editing 340
11.2 Audio editing 355
Glossary 369
Index 377
Answers can be found at www.hoddereducation.com/CambridgeExtras

iv
005603_FM_CAIE_AS_Level_IT_BP_i-viii.indd Page 5 23/11/23 7:02 AM F-0120 /147/HO02989/work/indd

Introduction

INTRODUCTION
This textbook has been written to provide the knowledge, understanding and
practical skills required by those studying the AS Level content (Topics 1–11)
of the Cambridge International AS & A Level Information Technology syllabus
(9626) for examination from 2025. Students studying the full A Level will also
need to become familiar with the A Level content (Topics 12–21), covered in
Hodder Education’s Cambridge International A Level Information Technology.

How to use this book
This textbook, endorsed by Cambridge International Education, has been
designed to make your study of Information Technology as successful and
rewarding as possible.

Organisation
The book comprises 11 chapters, the titles of which correspond exactly with the
topics in the syllabus. Each chapter is broken down into sections, which largely
reflect the subtopics in the syllabus.

Features
Each chapter contains a number of features designed to help you effectively
navigate the syllabus content.
At the start of each chapter, there is a blue box that provides a summary of the
content to be covered in that topic.

In this chapter you will learn:
★ about the sensors and calibration used in monitoring technologies
★ about the uses of monitoring technologies
★ about the sensors and actuators used in control technologies
★ how to write an algorithm and draw a flowchart.

There is also a box that lists the knowledge you should have before beginning to
study the chapter.

Before starting this chapter you should:
★ be familiar with the terms ‘observation’, ‘interviews’, ‘questionnaires’,
‘central processing unit (CPU)’, ‘chip and PIN’, ‘direct access’,
‘encryption’, ‘file’, ‘key field’, ‘RFID’, ‘sort’, ‘validation’ and
‘verification’.

Chapters that require you to do practical work also feature a list of
source files that you will need to use. These can be found here:
www.hoddereducation.com/cambridgeextras.

For this chapter you will need these source files:
n TuckShop.csv n Widget.csv
v
005603_FM_CAIE_AS_Level_IT_BP_i-viii.indd Page 6 23/11/23 7:02 AM F-0120 /147/HO02989/work/indd

The practical chapters contain Tasks. The text demonstrates the techniques used
INTRODUCTION

to carry out the tasks. It provides easy-to-follow step-by-step instructions, so
that practical skills are developed alongside the knowledge and understanding.
Tasks often include the use of source files that you can download from
www.hoddereducation.com/cambridgeextras.

Task 8e
Open and examine the file Stock.csv. Split this so that both types of stock can be
viewed together. Save the spreadsheet as Task_8e.

Each chapter also includes Activities to allow you to check your understanding
of the concepts covered and practise the skills demonstrated in the Tasks. In the
practical chapters, these often require the use of source files from the website.

Activity 1a
Explain the difference between data and information.

Advice and shortcuts for improving your ICT skills are highlighted in Advice boxes.

Advice
A common error made by people writing algorithms with nested loops is
not matching up the number of WHILE statements with the same number of
ENDWHILEs. The same error can happen with REPEATs and UNTILs. You must
always check this and make sure they are correctly indented.

Finally, each chapter ends with practice questions. These practice questions and
their sample answers, as well as the activities throughout the book have been
written by the authors.
Answers to the practice questions and activities and the source files needed
for the Student’s Book can be downloaded from www.hoddereducation.com/
cambridgeextras.

Practice questions
1 A collection of data could be this: johan, , $, , AND
Explain why they are regarded as just items of data. In your explanation
give a possible context for each item of data and describe how the items
would then become information.
2 A company uses computers to process its payroll, which involves updating
a master file.
a State what processes must happen before the updating can begin.
b Describe how a master file is updated using a transaction file in a
payroll system. You may assume that the only transaction being carried
out is the calculation of the weekly pay before tax and other deductions.
3 a Name and describe three validation checks other than a presence
check.
b Explain why a presence check is not necessary for all fields.
4 A space agency controls rockets to be sent to the moon.
Describe how real-time processing would be used by the agency.
5 Describe three different methods used to carry out verification.

vi
005603_FM_CAIE_AS_Level_IT_BP_i-viii.indd Page 7 30/11/23 7:37 PM elhiddnnew /147/HO02989/work/indd

Text colours

INTRODUCTION
Some words or phrases within the text are printed in red. Definitions of these
terms can be found in the glossary at the back of the book. In the practical
section, words that appear in blue indicate an action or location found within
the software package, for example ‘Select the Home tab.’ In the database
sections of the book, words in orange show fieldnames. Words in green show
the functions or formulas entered into the cell of a spreadsheet, for example a
cell may contain the function =SUM(B2:B12).

Assessment
The information in this section is taken from the Cambridge International
Education syllabus. You should always refer to the appropriate syllabus document
for the year of examination to confirm the details and for more information. The
syllabus document is available on the Cambridge International Education website
at www.cambridgeinternational.org.
If you are following the AS Level part of the course, you will take two
examination papers: Paper 1 Theory (1 hour 45 minutes); Paper 2 Practical
(2 hours 30 minutes).

Command words
The table below, taken from the syllabus, includes command words used in the
assessment for this syllabus. The use of the command word will relate to the
subject context. Make sure you are familiar with these.

Command word What it means
Analyse Examine in detail to show meaning, identify elements and the
relationship between them
Assess Make an informed judgement
Compare Identify/comment on similarities and/or differences
Contrast Identify/comment on differences
Define Give precise meaning
Describe State the points of a topic/give characteristics and main features
Discuss Write about issue(s) or topic(s) in depth in a structured way
Evaluate Judge or calculate the quality, importance, amount or value of something
Explain Set out purposes or reasons/make the relationships between things
clear/say why and/or how and support with relevant evidence
Identify Name/select/recognise
Justify Support a case with evidence/argument
State Express in clear terms
Suggest Apply knowledge and understanding to situations where there are a range
of valid responses in order to make proposals/put forward considerations

vii
005603_FM_CAIE_AS_Level_IT_BP_i-viii.indd Page 8 30/11/23 7:40 PM elhiddnnew /147/HO02989/work/indd

Notes for teachers
INTRODUCTION

Key concepts
These are the essential ideas that help learners to develop a deep understanding
of the subject and to make links between the different topics. Although teachers
are likely to have these in mind at all times when they are teaching the syllabus,
the following icons are included in the textbook at points where the key concepts
relate to the text (note that not all of these key concepts are relevant to the AS Level
course and some will only feature in the A Level book).

Hardware and software
Hardware and software interact with each other in an IT system. It is important
to understand how these work and how they work together with each other and
with us in our environment.

Networks
Computer systems can be connected together to form networks allowing them
to share data and resources. The central role networks play in the internet,
mobile and wireless applications and cloud computing has rapidly increased the
demand for network capacity and performance.

The internet
The internet is a global communications network. It uses standardised
communications protocols to allow computers worldwide to connect and share
information in many different forms. The impact of the internet on our lives is
profound. While the services the internet supports can provide huge benefits to
society they have also introduced issues, for example security of data.

System life cycle
Information systems are developed within a planned cycle of stages. They cover
the initial development of the system and continue through to its scheduled
updating or redevelopment.

New technologies
As the information industry changes so rapidly, it is important to keep track of
new and emerging technologies and consider how they might affect everyday life.

Additional support
The Cambridge International AS Level Information Technology Skills Workbook
is a write-in resource designed to be used throughout the course. It provides
students with extra opportunities to test their understanding of the knowledge
and skills required by the syllabus.

viii
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 1 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

1 Data processing and
information

1.1 Data and information
In this chapter you will learn:
★ what is meant by the terms ‘data’ and ★ about the methods and uses of validation and
‘information’ and about their use verification
★ what is meant by the terms ‘direct’ and ★ about the methods and uses of different
‘indirect’ data and about their uses and sources methods of processing (batch, online, real-time)
★ what is meant by ‘quality of information’ ★ how to write a simple algorithm.
★ what is meant by ‘encryption’, why it is
needed, and about the methods and uses of
encryption and protocols

Before starting this chapter you should:
★ be familiar with the terms ‘observation’, ‘interviews’, ‘questionnaires’,
‘central processing unit (CPU)’, ‘chip and PIN’, ‘direct access’,
‘encryption’, ‘file’, ‘key field’, ‘RFID’, ‘sort’, ‘validation’ and ‘verification’.

1.1 Data and information
Before we consider data processing, we need to define the term data. To be
completely accurate, the word ‘data’ is the plural of ‘datum’, a single piece of
data. Often, however, we use data in both the singular and the plural senses.
It seems awkward to say ‘the data are incorrect’ so we tend to say ‘the data is
incorrect’. When we use the word ‘data’, it can mean many different things. A lot
of people frequently confuse the terms ‘data’ and ‘information’. For the purposes
of this course we will consider data to be what is usually known as ‘raw’ data.
Data can take several forms; it can be characters, symbols, images, audio clips,
video clips and so on, none of which, on their own, have any meaning.
It is important for you to learn what the term information means when we use
it in information technology. Information is data that has been given meaning,
which often results from the processing of data, sometimes by a computer. The
processed data can then be given a context and have meaning.
The difference between data and information is that data has no meaning,
whereas information is data which has been given meaning.
Here are some examples:
Sets of data:
110053, 641609, 160012, 390072, 382397, 141186
01432 01223 01955 01384 01253 01284 01905 01227 01832 01902 01981
01926 01597
σωρFma
1
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 2 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

These are sets of data which do not have a meaning until they are put into

1
context.
If we are told that 110053, 641609, 160012, 390072, 382397 and 141186 are
all postal codes in India (a context), the first set of data becomes information as
it now has meaning.
Similarly, if you are informed that 01432, 01223, 01955, 01384, 01253,
01284, 01905, 01227, 01832, 01902, 01981, 01926 and 01597 are telephone
area dialling codes in the UK, they can now be read in context and we can
understand them, as they now have a meaning.
1 Data processing and information

The final set of data seems to be letters of the Greek alphabet apart from F, m
and a, which are letters in the Latin alphabet. However, if we are told that the
context is mathematical, scientific or engineering formulas, we can see that they
all represent a different variable: σ represents standard deviation, ω represents
angular velocity, ρ is density, F is force, m is mass and a is acceleration. They
each now have meaning.

1.1.1 Data processing
On a computer, data is stored as a sequence of binary digits (bits) in the form of
ones and zeros. We will discuss bits later in this chapter, when we look at parity
checks. We can store data on a fixed or removeable media such as hard-disk
drive, solid-state drive, DVDs, SD cards, memory sticks or in R AM. Data is
usually processed for a particular purpose, often so that it can be analysed. The
computer processing involved uses different operations to produce new data
from the source data. You will, perhaps, have met this in previous practical work
you have done, where you may have been given source files, including.csv files.
You may have been asked to open these in a spreadsheet and add formulas. This
is the processing of that data so that it then has meaning.
To sum up, data is input, stored, and processed by a computer, for output
as usable information. Later in this chapter we will look at different types of
processing.

Activity 1a
Explain the difference between data and information.

1.1.2 Direct and indirect data
Direct data is data that is collected for a specific purpose or task and is used
for that purpose and that purpose only. It is often referred to as ‘original
source data’. Examples of sources of direct data are questionnaires, interviews,
observation, and data logging.
Indirect data is data that is obtained from a third party and used for a different
purpose to that which it was originally collected for and which is not necessarily
related to the current task. Examples of sources of indirect data are the electoral
register and businesses collecting personal information for use by other
organisations (third parties).

Direct data sources
Direct data sources are sources that provide the data gatherer with original
data. We will consider four such sources.

2
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 3 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

Questionnaires
A questionnaire consists of a set of questions, usually on a specific subject
or issue. The questions are designed to gather data from those people being
questioned. A questionnaire can be a mixture of what are called closed
1
questions (where you have to choose one or more answers from those
provided) and open-ended questions (questions where you can write in your
answers in more detail). Questionnaires are easy to distribute, complete and
collect as most people are familiar with the process. They can be completed on
paper or on computer.

1.1 Data and information
Interviews
An interview is a formal meeting, usually between two people, where one of
them, the interviewer, asks questions, and the other person, the interviewee,
answers those questions. Interviews are used to collect data about a topic
and can be structured or unstructured. Structured interviews are similar to
a questionnaire, whereby the same questions are asked in the same order for
each interviewee and with a choice of answers. Unstructured interviews can be
different for each interviewee, particularly as they give them the opportunity
to expand on their answers. There is usually no pre-set list of answers in an
unstructured interview.

Observation
Observation is a method of data collection in which the data collectors
watch what happens in a given situation. The observer collects data by seeing
for themselves what happens, rather than depending on the answers from
interviewees or the accuracy of completed questionnaires. The collected data is
then recorded and analysed. An activity could be for students to decide whether
traffic lights are needed at a road junction to allow the smooth flow of traffic.
Observation could consist of watching and counting the number of cars passing
through the junction. It might also involve watching the traffic at the junction
and timing how long it takes for a certain number of vehicles to pass.

Data logging
Data logging means using a computer and sensors to collect data. The
data is then analysed, saved and the results are output, often in the form of
graphs and charts. Data logging systems can gather and display data as an
event happens. The data is usually collected over a period of time, either
continuously or at regular intervals, in order to observe particular trends. It
involves recording data from one or more sensors and the analysis usually
requires special software. Data logging is commonly used in scientific
experiments, in monitoring systems where there is the need to collect
information faster than a human possibly could, in hazardous circumstances
such as volcanoes and nuclear reactors, and in cases where accuracy is
essential. Examples of the types of information a data logging system can
collect include temperatures, sound frequencies, light intensities, electrical
currents, and pressure.

Uses of direct data
An example of a use of direct data could be planning the alteration of a bus
route. A committee of residents on a new housing development, just outside
a local village, wants a bus company to re-route the bus service from the local
village to the town centre so that residents on the new development are able
to get to the town centre more easily. It will, however, involve the bus route
3
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 4 23/11/23 12:25 PM f-0117 /147/HO02989/work/indd

running through open countryside near the village. In order to persuade the

1
bus company to change the bus route, the committee will need to collect some
original data to present to them.
This data will include:
» How long it takes to walk from the new development to the existing bus
routes.
» The number of passengers who use the existing route.
» The number of passengers who would use the new route.
» The effect the villagers think the changed route would have on their daily
1 Data processing and information

lives.

Here are some examples of how data could be collected.
» How long it takes to walk from the new development to the existing bus
routes.
Original data could be collected by actually walking from various points in
the new development and timing how long it would take. This might not be
practical if several points on the new development have to be considered, given
the time it would take to measure all the possible walking times. This could be
considered to be a form of observation.

» The number of passengers who use the existing route.
The suggested method to be used is a data-logger. Sensors fitted around the
door of each bus could be used to count the numbers of passengers boarding
and getting off at each stop. From these it can be calculated how many
passengers are on the bus at any point along its route. The data would be fed
back to a data-logger or a tablet computer.

» The number of passengers who would use the new route.
In order to save time, questionnaires could be used. People living on the new
development would be asked to complete the questionnaires. The completed
questionnaires could then be transferred to a computer. Provided that the
questionnaires were completed honestly, an accurate assessment of how many
passengers would use the new route could be obtained.

» The effect the villagers think the changed route would have on their daily
lives.
In order to ensure completely honest responses, face-to-face interviews would be
best. The disadvantages of interviews are the length of time the process would
take and the potential difficulties of transferring the responses into a format that
a computer could deal with. However, because the interviewer can add follow-
up questions, the answers would be more accurate.

Indirect data sources
Indirect data sources are third-party sources that the data gatherer can obtain
data from. We will consider five such sources.

Weather data
In Chapter 2, we will see how supercomputers are used to help with forecasting
the weather. In the UK, the meteorological office (Met Office) has many weather
stations around the country. Many different weather variables are recorded using
computerised weather stations. This data is collected by the Met Office for use
4
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 5 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

in weather forecasting. Because these weather stations belong to the Met Office

1
and the data is collected solely for the purpose of weather forecasting, it can be
considered to be direct data. If, however, a construction company purchases the
data, it becomes indirect data. This is because designing the construction of a
building is not the purpose the original weather data was collected for.

Electoral register
The electoral register, also referred to as the electoral roll, is an example of
an indirect data source. It is a list of adults who are entitled to vote in an

1.1 Data and information
election. Some countries have an ‘open’ version of the register which can be
purchased and used for any purpose. Electoral registers are used in countries
such as the USA, the UK, Australia, New Zealand, and many others. They
contain information such as name, address, age and other personal details,
although individuals are often allowed to remove some details from the open
version. In many countries, the full register can only be used for limited
purposes specified by the law in that country. The personal data in the
register must always be processed in a way that complies with the country’s
data protection laws.

Businesses collecting data from third parties
Businesses collect a great deal of personal information from third parties,
such as their customers, when they sell them a product. Whenever they buy
something online, customers have to enter personal information or they have
already done this on a previous visit to that business’s website. It is often the
case that they agree to the business sharing this with other organisations.
Another development, in this regard, has been the emergence of data brokers.
These are companies that collect and analyse some of an individual’s most
sensitive personal information and sell it to each other and to advertisers and
other organisations without the individual’s knowledge. They usually gather it
by following people’s internet, social media, and mobile phone activity.

Research from textbooks, journals and websites
Indirect sources also include research from textbooks, journals and websites.
These are the main sources that students tend to use when they are researching
information on a particular subject. The students have not collected the
information themselves but are relying on information others have collected and
analysed. Because they did not collect the information directly from the authors’
sources, these are regarded as indirect sources.

Census
We will learn more about censuses in Chapter 2. A population census is usually
carried out by a government to determine the number of people in a country
and information is collected about them. Everybody has to provide data to the
government, usually in the form of a questionnaire. When the government
uses the data to plan and run public services, it could be considered to be a
direct source. However, the main uses of census data are for others who did
not collect the information directly, such as businesses, voluntary organisations
and academics. The census also provides a lot of information for genealogists,
historians and family tree enthusiasts. Without the census, the lives and lifestyles
of our ancestors would remain undocumented, making historical research
much more difficult. When used by organisations and people other than the
government, a census is considered to be an indirect source.

5
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 6 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

Uses of indirect data

1 A construction company can use weather data to design buildings capable of
withstanding climate change. It is vital that buildings can withstand the effect
of high winds and temperatures. Apart from elections and other government
purposes, the electoral register can only be used to select individuals for jury
service or by credit reference agencies. These agencies are allowed to buy the
full register to help them check the names and addresses of people applying for
credit. They are also allowed to use the register to carry out identity checks in
an attempt to deal with money laundering. It is a criminal offence for anyone to
1 Data processing and information

supply or use the register for anything else. The open register, however, can have
various uses; businesses can use it to perform identity checks on their customers,
charities often use it for fundraising purposes, debt-collection agencies use it to
track down people who owe money. Whenever the address of an individual is
required, a business could use the open register to check it.
Businesses which collect personal information often use it to create mailing lists
that they then sell to other organisations, which are then able to send emails or
even brochures through the post.
Apart from the uses of census data to create family trees, there are many
other uses of such data. Police forces can use census statistics to know where
to concentrate their crime prevention efforts. For example, they can see the
areas where there are lots of people over 65 years old. Older residents often
experience a high number of burglars tricking homeowners into letting
them in by claiming they are from utility companies. Police officers giving
crime prevention advice can concentrate their efforts in these areas. Census
statistics are also essential to local voluntary organisations to understand the
local communities they are working in. They provide data such as age, race,
gender, ethnicity, languages spoken and household structures.
These examples are not the only type of indirect data source. Any
organisation that provides data or information to the general public for
use by them can be said to be an indirect source. In the bus route example
described above, an indirect source could be used to provide some of the
required information. For instance, the timetable of the current bus service
could be used by the committee to work out the number of passengers using
the route by seeing how many times the bus runs during the day. However,
this would not be very accurate, as the buses may not carry a full load of
passengers each time and this is clearly not the purpose for which the data
was intended.
Another scenario could be studying pollution in rivers. Direct data sources
could be used, of course; questionnaires could be handed out to local
landowners and residents in houses near to the river, asking about the effects
on them of the pollution, and they could also be interviewed. Computers
with sensors could be used to collect data from the river. However, indirect
data sources could also be used; documents may have been published by
government departments showing pollution data for the area and there may be
environmental campaigners who have also published data related to pollution
in the area.

6
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 7 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

1.1.3 Advantages and disadvantages of direct
and indirect data
Here is a table showing the advantages and disadvantages of direct data when
1
compared to indirect data. Notice how each paragraph contains comparisons:
▼ Table 1.1 Advantages and disadvantages of direct and indirect data

Advantages of direct data Disadvantages of direct data
We know how reliable direct data is since Because of time and cash restraints, the sample or group size may be small

1.2 Quality of information
we know where it originated. Where data whereas indirect data sources tend to provide larger sets of data that would
is required from a whole group of people, use up less time and money than using direct data collection with a larger
we can ensure that a representative sample size.
cross-section of that group is sampled. The person collecting the data may not be able to gain physical access to
With indirect data sources we may not particular groups of people (perhaps for geographical reasons), whereas the use
know where the data originated and it of indirect data sources allows data from such groups to be gathered.
could be that the source is only a small
In addition, using a direct data source could be problematic if the people
section of that group, rather than a
being interviewed are not available, thus reducing sample size, whereas using
cross-section of the whole group. This is
indirect data sources allows the sample size to be greater, resulting in increased
often referred to as sampling bias.
confidence in the results produced.
The person collecting the data can use It may not be possible to gather original data due to the time of year;
methods to gather specific data even if for example summer rainfall data may be needed but at the time of the
the required data is obscure, whereas with data-gathering, it is winter. With indirect data, historical weather data is
indirect data sources this type of data available irrespective of the time of year.
may never have been collected before.
The data collector or gatherer only needs To gather data from a specific sample would take a lot longer than it would
to collect as much or as little data as with indirect data. In addition, by the time all the required data has been
necessary compared to indirect data collected it may possibly be out of date so an indirect data source could
sources, where the original purpose for have been used.
which data was collected may be quite Indirect data may be of a higher quality as it might have already been
different to the purpose for which it is collated and grouped into meaningful categories whereas with direct data
needed now. Irrelevant data may need to sources, questionnaire answers can sometimes be difficult to read and
be removed. the transcripts of interviews take time to read in order to create the data
source.
Once the data has been collected it Compared to indirect data sources, the collection of data may be more
may be useful to other organisations expensive than using an indirect data source as people may have to be
and there may be opportunities to sell paid to collect it. Extra cost may be incurred as special equipment has to
the data to them, reducing the expense be bought, such as data-loggers and computers with sensors, or purchasing
of collection. With indirect data this the paper for questionnaires, whereas this would not be needed using an
opportunity will probably not arise as indirect source. There are, however, still costs involved when using indirect
organisations can go direct to the source data sources, such as the travelling expenses and time taken to go to the
themselves. source, which can be fairly expensive but not as expensive as using direct
data sources.

Activity 1b
1 Explain why observation is considered to be a direct data source.
2 Give two differences between indirect data and direct data.

1.2 Quality of information
Measuring the quality of information is sometimes based on the value which
the user places on the information collected. As such it could be argued that
the judgement regarding the quality of information is fairly subjective, that is,
7
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 8 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

it depends on the user and such judgements can vary between users. However,

1
many experts do suggest that these judgements can be objective if based on
factors which are believed to affect the quality of information.
Poor quality data can lead to serious consequences. Poor data may give a
distorted view of business dealings, which can then lead to a business making
poor decisions. Customers can be put off dealing with businesses that give poor
service due to inaccurate data, causing the business to get a poor reputation.
With poor quality data it can be difficult for companies to have accurate
knowledge of their current performance and sales trends, which makes it hard
1 Data processing and information

for them to identify worthwhile future opportunities.
One example can be seen in the data provided by a hospital in the UK, which
resulted in it being temporarily closed down, until it was realised that the death
rate data provided had been incorrect and it was actually significantly lower.
Meanwhile, in the USA, incorrectly addressed mail costs the postal service a
substantial amount of money and time to process correctly.
Some of the factors that affect the quality of information are described here.

1.2.1 Factors that affect the quality of information
Accuracy
As far as possible, information should be free from errors and mistakes. The
accuracy of information often depends on the accuracy of the collected
data before it is processed. If the original data is inaccurate then the resulting
information will also be inaccurate. In order to make sure the information is
accurate, a lot of time needs to be given to the collection and checking of the
data. Mistakes can easily occur. Consider a simple stock check. If it is carried
out manually, a quantity of 62 could easily be copied down as 26 if the digits
were accidentally transposed. This information is now inaccurate. More careful
checking of the data might have prevented this.
We will look at methods of checking the accuracy of data, such as verification and
validation, later in this chapter. It is easy to see how errors might occur during the
data collection process. When using a direct data source, if we have not made the
questions clear then the people answering the questionnaires or being interviewed
may not understand them. We need to make sure that questions are clearly phrased
and are unambiguous, otherwise they might lead interviewees into providing the
answers that they think the interviewer is expecting. This can lead to the same
response being given by everyone, even though the question is open-ended. If
the questions are too open-ended, it could be difficult to quantify the responses.
It is often a good idea to include multiple-choice questions where the respondent
chooses an answer from those provided. These can be quantified quite easily. It is
important, however, to include a sufficient number of alternative answers.
Other reasons why the information derived from a study might be inaccurate
are that the sample chosen is not representative of the whole group or that the
data collector makes some errors when collecting or when entering the data into
a computer. If sensors are being used, these must be calibrated before use and
must be properly connected to the computer. In addition, the computer system
needs to be set up correctly so that the readings are interpreted correctly.

Relevance
When judging the quality of information, we need to consider the data that is
being collected. Relevance is an important factor because there has to be a good
reason why that particular set of data is being collected. Data captured should be
8
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 9 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

relevant to the purposes for which it is to be used. It must meet the requirements

1
of the user. The question needs to be asked is the data really needed or is it
being collected just for the sake of it. The relevance of data matters because the
collection of irrelevant data will entail a waste of time as well as money.
There are a number of ways in which the data may or may not be relevant to the
user’s needs. It could be too detailed or concentrate too much on one aspect.
On the other hand, it might be too general, covering more aspects of the task
than is necessary. It may relate to geographical areas that are not really part of
the study. Where the study is meant to be about pollution in a local area, for

1.2 Quality of information
example, data from other parts of the country would not be relevant. When
looking for relevant information, it is important to be clear about what the
information needs are for each specific search.
It is also necessary to be clear about the search strategy: what the user wants
and does not want to find and therefore what the user needs to look for. In
an academic study, it is important to select academic sources. Business sources
or sources which appear to have a vested interest should be ignored. Having
selected the sources, it is important to select the relevant information within
them. Consider a school situation. You need to study a tremendous amount of
information to prepare for your exams. How would you feel if your teachers
chose to spend several lessons talking about aspects of the subject that they
found really interesting? You may find that it was very interesting, but it
probably would not be very relevant to what you need to pass your course.

Age
How old information is can affect its quality. As well as being accurate and
relevant, information needs to be up-to-date. Most information tends to change
over time and inaccurate results can arise from information which has not been
updated regularly. This could apply, for example, to personal information in a
database being left unchanged. Someone could get married and have a baby.
If the original information was used, which had the person as single with no
dependants, this would produce inaccurate results if the person was applying for
a loan. This is because people who are married with children tend to be viewed
as being more responsible and more likely to keep up with repayments. This
inaccurate information would also affect a retailer’s targeted advertising if it
wanted to sell baby products to such customers, as the person would not appear
on its list of targets. The age of information is important, because information
that is not up-to-date can lead to people making the wrong decisions. In turn,
that costs organisations time, money, and therefore, profits.

Level of detail
For information to be useful, it needs to have the right amount of detail.
Sometimes, it is possible for the information to have too much detail, making it
difficult to extract the information you really want. Information should be in a
form that is short enough to allow for its examination and use. There should be
no extraneous information. For example, it is usual to summarise statistical data
and produce this information either in the form of a table or using a chart. Most
people would consider a chart to be more concise than data in tables, as there is
little or no unnecessary information in a chart. A balance has to be struck between
the level of detail and conciseness. Suppose a car company director wants to see a
summary of the sales figures of all car models for the last year. The information
with the correct level of detail would be a graph showing the overall figures for
each month. If the director was given figures showing the sales of each model
every day of the previous 12 months in the form of a large report, this would be
9
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 10 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

seen as the wrong level of detail because it is not a summary. It is important to

1
understand what the user needs when they ask you for specific information.
On the other hand, the information might not have enough detail, meaning
that you do not get an overall view of the problem. This links closely to the
issue of the completeness of the information, which we will look at next.

Completeness of the information
In order for information to be of high quality it needs to be complete. To be
complete, information must deal with all the relevant parts of a problem. If it is
1 Data processing and information

incomplete, there will be gaps in the information and it will be very difficult to
use to solve a particular problem or choose a certain course of action. Discovering
and collecting the extra information in order to remove these gaps may result in
improving the quality of the information, but can prove to be time-consuming.
Therefore, if the information is not complete, a decision has to be made: either
that it is complete enough to make a decision about a problem or that additional
data needs to be collected to complete the information. Consider the car company
director mentioned above who wants to see a summary of the sales figures for
the last year. If the director was given figures showing the sales for the first six
months, this would be incomplete. If the director was shown the figures for only
the best-selling models, this would be incomplete. It is important to understand
what the user needs when they ask you for specific information. To sum up,
completeness is as necessary as accuracy when inputting data into a database.

Activity 1c
1 List two factors that affect the quality of information.
2 Briefly describe what is meant by the quality of information.

1.3 Encryption
1.3.1 The need for encryption
Whenever you send personal information across the internet, whether it is credit
card information or personal details, there is a risk that it can be intercepted.
Once it is intercepted the information can be changed or used for purposes such
as identity theft, cyber-fraud, or ransomed off. If it is information regarding a
company’s secrets, it could be sold by hackers to rival companies. If, however,
the information is intercepted but it is unreadable or cannot be understood, it
becomes useless to the hacker or interceptor. Too many companies or individuals
become victims of hackers taking advantage of readily available usernames
and passwords. No matter how vigilant we are regarding the security of our
computer systems, hackers will always find a way of getting into them, but if
they cannot decipher the information, it will mean the act of hacking is not
worthwhile. This is where encryption comes in. Encryption keeps much of our
personal data private and secure, often without us realising it. It prevents hackers
from reading and understanding our personal communications and protects
us when we bank and shop. Data is scrambled or jumbled up so that it is
completely unreadable. This prevents hackers understanding the data, as all they
see is a random selection of letters, numbers and symbols.
Encryption is a way of scrambling data so that only authorised people can
understand the information. It is the process of converting information into a

10
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 11 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

code which is impossible to understand. This process is used whether the data is

1
being transmitted across the internet or is just being stored. It does not prevent
cyber criminals intercepting sensitive information, but it does prevent them
from understanding it. Technically, it is the process of converting plaintext to
ciphertext.
It is not just personal computers that are affected; businesses and commercial
organisations are also liable to be affected by hacking activities. Employing data
encryption is a safe way for companies to protect their confidential information
and their reputation with their clients, since the benefits of encryption do not

1.3 Encryption
just apply to the use of the internet.
Information should also be encrypted on computers, hard-disk drives, pen
drives and portable devices, whether they be laptops, tablets, or smartphones.
The misuse of the data on these devices will be prevented, should the device be
hacked, lost, or stolen.

1.3.2 Methods of encryption
Encryption is the name given to converting data into a code by scrambling it,
with the resulting symbols appearing to be all jumbled up. The algorithms (we
will be looking at the topic of algorithms in much more detail in Chapter 4)
which are used to convert the data are so complex that even the most dedicated
hacker with plenty of time to spare and hacking software to help them would be
extremely unlikely to discover the meaning of the data. Encrypted data is often
called ciphertext, whereas data before it is encrypted is called plaintext.
The way that encryption works is that the computer sending the message
uses an encryption key to encode the data. The receiving computer has a
corresponding decryption key that can translate it back again. The process of
decryption here is basically reversing the encryption. A key is just a collection of
bits, often randomly generated by a computer. The greater the length of the key,
the more effective the encryption. Many systems use 128-bit keys which gives
2128 different combinations. It has been estimated that it would take a really
powerful computer 1018 (1 000 000 000 000 000 000 [one quintillion]) years
to go through all the different combinations. Modern encryption uses 256-
bit keys which would take very much longer to crack. As you can imagine, this
makes this form of encryption virtually impossible to crack. The key is used in
conjunction with an algorithm to create the ciphertext.
Plaintext Ciphertext Plaintext

Encryption Fhk*$r Decryption
This is a test algorithm tldbh6 algorithm This is a test
message 0)qARt message
which is to
be encrypted.
+ B!&Dl
Ntf8aL
+ which is to
be encrypted.
Kwas7
Encryption key Decryption key

▲ Figure 1.1 Encryption

There are two main types of encryption. One is called symmetric encryption
and the other is asymmetric encryption, which is also referred to as public-key
encryption.

Symmetric encryption
Symmetric encryption, often referred to as ‘secret key encryption’, involves the
sending computer, or user, and the receiving computer, or user, having the same
11
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 12 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

key to encrypt and decrypt a message. Although symmetric encryption is a much

1
faster process than asymmetric encryption, there is the problem of the originator
of the message making sure the person receiving the message has the same private
key. The originator has to send the encryption key to the recipient before they
can decrypt the message. This, however, leads to security problems, since this key
could be intercepted by anybody and used to decrypt the message. Many companies
overcome this problem by using asymmetric encryption to send the secret key but
use symmetric encryption to encrypt data. So, with symmetric encryption both
sender and recipient have the same secret, private, encryption key which scrambles
1 Data processing and information

the original data and unscrambles it back to an understandable format.

Asymmetric encryption
Asymmetric encryption, sometimes referred to as ‘public-key encryption’, uses
two different keys, one public and one private. A public key, which is distributed
among many users or computers, is used to encrypt the data. Essentially, this public
key is published for anyone to use to encrypt messages. A private key, which is only
available to the computers, or users, receiving the message, is used to decrypt the
data. When a message is encrypted using the public key, it can be sent across a public
channel such as the internet. This is not a problem as the public key cannot be used
to decrypt a message that it was used to encrypt. It is incredibly complicated, if not
impossible, to guess the private key using the public key and the encrypted message.
Basically, any user who needs to send sensitive data over the internet securely, can do
so by using the public key to encrypt the data, but the data can only be decrypted
by the receiving computer if it has its own private key. Asymmetric encryption is
often used to send emails and to digitally sign documents.

1.3.3 Encryption protocols
An encryption protocol is the set of rules setting out how the algorithms should be
used to secure information. There are several encryption protocols. IPsec (internet
protocol security) is one such protocol suite which allows the authentication of
computers and encryption of packets of data in order to provide secure encrypted
communication between two computers over an internet protocol (IP) network.
It is often used in VPNs (virtual private networks). SSH (secure shell) is another
encryption protocol used to enable remote logging on to a computer network,
securely. SSH is often used to login and perform operations on remote computers,
but it can also be used for transferring data from one computer to another. The
most popular protocol used when accessing web pages securely is transport layer
security (TLS). TLS is an improved version of the secure socket layer (SSL)
protocol and has now, more or less, taken over from it, although the term SSL/TLS
is still sometimes used to bracket the two protocols together.

The purpose of secure sockets layer (SSL)/transport layer security (TLS)
Because TLS is a development of SSL, the terms TLS and SSL are sometimes
used interchangeably. We will use the term SSL/TLS in this book. The three
main purposes of SSL/TLS are to:
» enable encryption in order to protect data
» make sure that the people/companies exchanging data are who they say they
are (authentication)
» ensure the integrity of the data to make sure it has not been corrupted or altered.
Two other purposes are to:
» ensure that a website meets the Payment Card Industry Data Security
Standard (PCI DSS) rules. The PCI DSS was set up so that company
12
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 13 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

websites could process bank card payments securely and to help reduce card

1
fraud. This is achieved by setting standards for the storage, transmission and
processing of bank card data that businesses deal with. Later versions of TLS
are required to meet new standards which have been imposed
» improve customer trust. If customers know that a company is using the SSL/
TLS protocol to protect its website, they are more inclined to do business
with that company.
Many websites use SSL/TLS when encrypting data while it is being sent to
and from them. This keeps attackers from accessing that data while it is being

1.3 Encryption
transferred. SSL/TLS should be used when storing or sending sensitive data
over the internet, such as when completing tax returns, buying goods online,
or renewing house and car insurance. Only going to websites which use SSL/
TLS is good practice. The SSL/TLS protocol enables the creation of a secure
connection between a web server and a browser. Data that is being transferred
to the web server is protected from eavesdroppers (the name given to people
who try to intercept internet communications).
The SSL/TLS protocol verifies the identity of the server. Any website with an
HTTPS address uses SSL/TLS. In order to verify the identity of the server, the
protocol makes use of digital certificates, which contain such information as the
domain name that the certificate is issued for, which organisation, individual or
device it was issued to, the certificate authority (CA) that issued it, the CA’s digital
signature, and the public key, as well as other items. Although SSL was replaced by
TSL many years ago, these certificates are still referred to as SSL certificates today.
As well as keeping the user’s data secure, a website needs a digital certificate in order
to verify ownership of the website and also to prevent fraudsters creating a fake
version of the website. Valid SSL certificates can only be obtained from a CA. CAs
can be private companies or even governments. Before allowing someone to have
an SSL certificate, the CA will carry out a number of checks on an applicant and
following that, it is the responsibility of the CA to make sure that the company or
individual receives a unique certificate. Unfortunately, if hackers are able to break
through a CA’s security, they can start issuing bogus certificates to users and will
then be in a strong position to crack the user’s encryption.

The purpose of Internet Protocol Security (IPsec)
IPsec (Internet Protocol Security) is a suite of protocols used to secure data
transmitted over a public network. It was added as an extension to the IP
layer (explained in more detail in the A Level book). The IPsec protocols were
developed in the mid-1990s to provide this security. Devices are authenticated
to each other, thereby ensuring data integrity. IP network packets are encrypted
so that the data remains confidential. In short, IPsec provides authentication,
integrity and confidentiality of data.
IPsec commonly includes three protocols. These are the Authentication Header
(AH) protocol, the Encapsulating Security Payload (ESP) protocol and the
Internet Key Exchange (IKE) protocol. The AH protocol is used to authenticate
data packets whereas the ESP protocol both authenticates and encrypts the data
packets. The IKE generates security associations (SA) used to negotiate the
encryption keys and algorithms which will be used in a session. The purpose
of IPsec is to protect confidential data and to provide secure transfer of this
data across a public network such as the internet. It is aimed at preventing
interception of data by hackers as well as protecting the data being transmitted
from being understood.

13
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 14 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

The use of SSL/TLS in client–server communication

1 Transport layer security (TLS) is used for applications that require data to
be securely exchanged over a client–server network, such as web browsing
sessions and file transfers. Just like IPsec it can enable VPN connections and
Voice over IP (VoIP).
In order to open an SSL/TLS connection, a client needs to obtain the public
key. For our purposes, we can consider the client to be a web user or a web
browser and the server to be the website. The public key is found in the server’s
digital certificate. From this we can see that the SSL/TLS certificate proves that
1 Data processing and information

a client is communicating with the actual server that owns the domain, thereby
proving the authenticity of the server.
When a browser (client) wants to access a website (server) that is secured by
SSL/TLS, the client and the server must carry out an SSL/TLS handshake. A
handshake, in IT terms, happens when two devices want to start communicating.
One device sends a message to the other device telling it that it wants to set up
a communications channel. The two devices then send several messages to each
other so they can agree on the rules for communicating (a communications
protocol). Handshaking occurs before the transfer of data can take place.
With an SSL/TLS handshake, the client sends a message to the server telling it
what version of SSL/TLS it uses together with a list of the different ciphersuites
(types of encryption) that the client can use. The list of ciphersuites has the client’s
preferred type at the top and its least favourite at the bottom. The server responds
with a message which contains the ciphersuite it has chosen from the client’s list.
The server also shows the client its SSL certificate. The client then carries out a
number of checks to make sure that the certificate was issued by a trusted CA and
that it is in date and that the server is the legitimate owner of the public and private
keys. The client now sends a random string of bits that is used by both the client
and the server to calculate the private key. The string itself is encrypted using the
server’s public key. Authentication of the client is optional in the process. The client
sends the server another message, encrypted using the secret key, telling the server
that the client part of the handshake is complete. We will see in more detail in the
section on HTTPS how any further transmitted data is encrypted.

The use of IPsec in client–server communication
IPsec is used for protecting confidential data transmitted across a network, for
example, financial transactions, medical records and communications between,
and within, businesses. The main use of IPsec, however, is in virtual private
networks (VPNs). A VPN creates a secure connection between two computers
over the public internet. It is almost as secure as a private internal network
such as a LAN. It is used so that employees working from home on a client
computer can access confidential files securely from the company’s server as
though they were working in the company’s offices.

1.3.4 Uses of encryption
Data protection
There are many reasons to encrypt data. Companies often store confidential
data about their employees, which could include medical records, payroll data,
as well as personal data. These need to be encrypted to prevent them becoming
public knowledge. An employee in a shared office may not want others to
have access to their work which may be stored on a hard disk, so it needs to be
encrypted. A company’s head office may wish to share sensitive business plans

14
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 15 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

with other offices using the internet. If the data is encrypted, they do not have

1
to worry about what would happen if it were intercepted. Company employees
and individuals may need to take their laptops or other portable devices with
them when they travel for work or pleasure. If the device contains sensitive
information which is not encrypted, it is possible that the information could be
retrieved by a third party if the device is left unattended.
As recently as 2018, it was reported that over the previous four years, staff
in five UK government departments had lost more than 600 laptops, mobile
phones and memory sticks. Fortunately, the data had been encrypted and was

1.3 Encryption
therefore protected from prying eyes. Unfortunately, there have been occasions
where laptops have been left on trains and the data was unencrypted, causing
great embarrassment to the government when this was discovered.
There are other situations where encryption should be used. One example is
when individuals are emailing each other with information they would want
to remain confidential. They need to prevent anybody else from reading and
understanding their mail. People use websites for online shopping and online
banking. When doing so, the debit/credit card and other bank account details
should be encrypted to prevent fraudulent activity taking place.
Let us now consider some specific uses of encryption.

Systems encryption
Systems encryption can be considered to be encryption of the device being
used or the file system being used. Device encryption is when the whole device
is encrypted such as a laptop. If a laptop is stolen after it has been encrypted
the data on it will still be secure. The files can only be accessed if the device
is turned on and the owner has logged in to it. Otherwise the encrypted
data cannot be understood by anyone without the password or recovery key.
Filesystem-level encryption or file-based encryption (FBE), is when individual
files or directories are encrypted by the file system itself. This is different to
full disk encryption which involves encrypting the whole disk. A description
of which follows below. FBE can allow different files to be encrypted using
different keys, thereby making it even more difficult for hackers to unencrypt
all the data in a system. It does not encrypt metadata such as the time the file
was modified or its size.

Hard-disk encryption
The principle of hard-disk encryption is fairly straightforward. When a file is
written to the disk, it is automatically encrypted by specialised software. When a
file is read from the disk, the software automatically decrypts it while leaving all
other data on the disk encrypted. The encryption and decryption processes are
understood by the most frequently used application software such as spreadsheets,
databases and word processors. The whole disk is encrypted, including data files,
the OS and any other software on the disk. Full (or whole) disk encryption is your
protection should the disk be stolen, or just left unattended. So, even if the disk is
still in the original computer, or removed and put into another computer, the disk
remains encrypted and only the keyholder can make use of its contents.
Another benefit of full disk encryption is that it automatically encrypts the data
as soon as it is saved to the hard disk. You do not have to do anything, unlike
the encryption of files and folders, where you have to individually encrypt them
as you go.
There are, however, drawbacks to encrypting the whole disk. If an encrypted disk
crashes or the OS becomes corrupted, you can lose all your data permanently or,
15
005603_01_CAIE_AS_Level_IT_BP_001-048.indd Page 16 23/11/23 7:11 AM F-0120 /147/HO02989/work/indd

at the very least, disk data recovery becomes problematic. It is also important to

1
store encryption keys in a safe place, because as soon as a disk is fully encrypted,
no one can make use of any of the data or software without the key. Another
drawback can be that booting up the computer can be a slower process.
Email encryption
When sending emails, it is good practice to encrypt messages so that their
content cannot be read by anyone other than the person they are being se