DATA SECURITY AND PRIVACY

Degree course: 
Corso di Second cycle degree in COMPUTER SCIENCE
Academic year when starting the degree: 
2025/2026
Year: 
1
Academic year in which the course will be held: 
2025/2026
Course type: 
Compulsory subjects, characteristic of the class
Language: 
English
Credits: 
9
Period: 
Second semester
Standard lectures hours: 
80
Detail of lecture’s hours: 
Lesson (56 hours), Exercise (24 hours)
Requirements: 

Good knowledge of English. It is also recommended to have taken a basic security course.

Final Examination: 
Orale

Student learning is assessed through a written exam and a project. The written exam lasts approximately 1 hour and 45 minutes. Students are not allowed to consult textbooks or any other learning materials during the exam nor to use a laptop. The written exam is divided into two parts. The first part consists of five open-ended questions assessing the conceptual aspects of the course. The second part consists of three to four exercises designed to evaluate the student's ability to specify access control and privacy policies using the models, languages, and tools covered in the course. Each part is graded on a scale of thirty (thirtieths). The final grade for the written exam is calculated as follows: one-third from the first part and two-thirds from the second part. To pass the written exam, students must achieve a minimum grade of 18/30 in each part. The project is intended to assess the knowledge and skills acquired during the practical sessions. It is also graded on a scale of thirty and is considered passed if the student obtains a grade of at least 18/30. The final course grade is calculated as one-third of the project grade and two-thirds of the written exam grade. To pass the course, students must earn at least 18/30 in both the written exam and the project.

Assessment: 
Voto Finale

The main goal of the course is to introduce the models, languages, and tools used for managing access control and privacy policies within data management systems. Part of the course will also address access control and privacy challenges in emerging contexts, such as the Internet of Things (IoT) and Big Data. More specifically, the main objectives of the course are to: 1. Understand the basic concepts and terminology related to cybersecurity and privacy. 2. Learn the main access control models and how to adapt them to the needs of specific application domains. 3. Understand and use the support provided by SQL for implementing access control. 4. Explore in depth the access control services offered by the Oracle DBMS. 5. Become familiar with the main laws and regulations related to data privacy. 6. Understand the differences between online and offline privacy and learn the main techniques used to achieve both. 7. Gain awareness of current research trends and open challenges in the fields of cybersecurity and privacy. In addition, students are expected to develop the ability to independently translate specific access control or privacy requirements into appropriate implementations using the languages and mechanisms studied in the course. They should also be able to evaluate and choose the most suitable solution for a given domain when multiple options are available. The knowledge acquired in the course will support further independent learning and skill development. For example, a student who successfully completes the course should be able to independently understand the principles behind a new access control mechanism or a novel privacy protection technique. This is further supported by the course’s focus on current research trends in the field.

Lessons will cover the following topics:
Privacy and security: basic concepts (6h, objective 1)
Access control within DBMSs (18 h, objective 2)
- basic concepts
- traditional access control models (DAC, MAC, RBAC)
- innovative access control models (e.g., ABAC, content-based, time-based, location-based)
Access control support in SQL (4h, objective 3)
Advanced access control services in Oracle (8 h, objective 4)
- VPD
- OLS
- Vault
Data privacy (16 h, objectives 5/6)
- basic concepts
- GDPR
- off-line vs on-line privacy
- Hippocratic DBs
- purpose-based access control
- data anonymization (k-anonimity, l-diversity, m-invariance, differential privacy)
Data privacy and security: research trends (4 h, objective 7)

Exercises will cover the following topic
(24h, objectives 2,3,4):
- Specifying and implementing access control constraints in the Oracle DBMS: hands-on

See the Course content section.

Convenzionale

The course consists of lectures (56 hours) and practical sessions (24 hours). The lectures cover the fundamental concepts of cybersecurity and privacy, and present the main existing access control models for both traditional and emerging contexts, with a particular focus on commercial data management systems. Part of the course is dedicated to data privacy and privacy-preserving data management techniques designed to comply with current legislation. The practical sessions provide hands-on experience with Oracle access control features. Through critical thinking exercises, students learn how to configure and manage access control policies using Oracle VPD and OLS.

During the course period, students can meet the instructor at the end of lessons on class days. Outside of this period, students should contact the instructor by email to arrange an appointment: name.surname@uninsubria.it. Please note that the instructor will only respond to emails sent from addresses within the studenti.uninsubria.it domain.