2026 CASE STUDY | AN ETHICAL APPROACH TO HACKING

ABOUT THE 2026 CASE STUDY
DESIGNED FOR IB EXAMINATIONS
About the 2026 Case Study – An Ethical Approach to Hacking
This year’s IB Computer Science case study focuses on “An Ethical Approach to Hacking,” implemented by CyberHealth Security, a cybersecurity company tasked with assessing the digital safety of MedTechPro Hospital (MTPH).
This case study is a crucial component of your IB Computer Science course and forms the basis of your Higher Level Paper 3 examination.

What Is the 2026 Case Study?
The 2026 case study explores how CyberHealth Security conducts a penetration test on MedTechPro Hospital, a healthcare institution that relies on advanced digital systems, such as:
  • Electronic Health Records (EHRs)
  • Internal communication networks
  • Internet of Things (IoT) medical devices

The testing follows the Penetration Testing Execution Standard (PTES), a structured seven-phase process designed to identify and analyze cybersecurity vulnerabilities while maintaining ethical and professional standards.

Your role is to understand how ethical hacking is performed, how vulnerabilities are discovered, and how security recommendations are reported, all within the context of patient safety and data protection.

Key Areas of Focus


You will explore six key areas central to this year’s case study:
  • The PTES Framework | Understanding the seven phases: from pre-engagement and intelligence gathering to post-exploitation and reporting.
  • Cybersecurity in Healthcare | Examining why hospitals are prime targets and how they manage sensitive data.
  • Penetration Testing Techniques | Learning about OSINT, network scanning, vulnerability analysis, and exploitation tools.
  • Ethical and Professional Conduct | Balancing testing with confidentiality, authorization, and non-disruption of services.
  • Post-Exploitation and Reporting | Evaluating how findings are documented, analyzed, and communicated responsibly.
  • Challenges and Risk Management | Addressing technical, ethical, and operational obstacles in a real-world healthcare setting.

Importance of the Case Study
This case study allows you to apply your understanding of network security, data protection, system analysis, and ethical computing to a realistic, high-stakes scenario.
You will gain insights into:
  • How cybersecurity professionals identify and mitigate vulnerabilities.
  • The importance of protecting critical infrastructure such as hospitals.
  • The ethical decision-making required in professional computing roles.
  • The balance between system testing and maintaining operational continuity.

By engaging with this material, you will develop both technical expertise and ethical awareness, essential qualities in modern computer science.

How You Will Be Assessed
Your assessment for the case study will take place in the Higher Level Paper 3 exam, where you will be required to:
  • Analyze the problems presented in the case study scenario.
  • Apply technical and ethical principles to propose realistic solutions.
  • Demonstrate understanding of cybersecurity frameworks and terminology.
  • Evaluate the consequences of different penetration testing approaches.
  • Present evidence-based reasoning and clear, structured answers.

Your responses should reflect strong analytical thinking, technical accuracy, and ethical consideration.

Preparing for the Case Study
To excel in this year’s case study, you should:
  • Carefully read and understand the case study booklet.
  • Review each of the seven PTES phases in detail.
  • Research cybersecurity tools, testing methods, and ethical practices.
  • Engage with the learning pages, flip cards, and practice questions on this website.
  • Discuss ethical dilemmas and technical challenges in study groups or class discussions.
  • Review sample exam papers and marking schemes to understand assessment expectations.

Conclusion
The 2026 IB Computer Science case study, “An Ethical Approach to Hacking”, provides a unique opportunity to explore the intersection of technology, security, and ethics.

By mastering this material, you will strengthen your understanding of cybersecurity principles, professional responsibility, and the real-world implications of computing in critical industries such as healthcare. Use this webpage to support and strengthen your learning from other resources and study materials.
DOWNLOAD THIS CASE STUDY MATERIAL AS A PDF WORKBOOK (PDF, 230 kb)

Overview
Paper 3 of the IB Computer Science course is based on an annual case study provided by the IB. For 2026, the case study focuses on Cybersecurity in Healthcare. You will have a copy of the case study about 1 year before the examination and another copy will be provided in the examination with your exam paper. Here are the key details and criteria you need to know to excel in this paper. 

Key Details
  • Duration: 1 hour
  • Maximum Mark: 30
  • Weighting: 20% of the total course grade
  • Format: Four structured questions related to the case study and additional stimulus material.

Objectives Assessed
Paper 3 assesses your ability to demonstrate the following objectives:

Assessment Objective 1: Know and Understand
Demonstrate knowledge and understanding of the core concepts and principles of computer science.

Assessment Objective 2: Apply and Use
Apply your knowledge to solve problems and use techniques relevant to the case study scenario.

Assessment Objective 3: Construct, Analyse, Evaluate, and Formulate
Construct and analyse solutions, evaluate outcomes, and formulate arguments based on the case study.

Structure of the Paper
Questions 1, 2, and 3: These questions are structured and may be subdivided. They cover the entire syllabus in an integrated manner and are directly related to the case study scenario. These questions are normally 2, 4 and 6 mark questions.

Question 4: This question requires a synthesis of information from various sources, including independent research and investigations beyond the case study. It will ask you to develop an extended response to a specified issue, demonstrating your ability to integrate and apply knowledge comprehensively. Question 4 is normally a 12 mark question.

Importance of Structured Answers
When preparing your responses for Paper 3, it's crucial to structure your answers effectively and use appropriate terminology. The IB grading system for Paper 3 emphasises the depth of your understanding, the use of terminology, and the clarity of your analysis. Here’s why structuring your answers and using correct terminology is essential:
  • No Marks (0 marks): Answers in this category show no understanding or knowledge of the relevant issues and concepts. They lack appropriate terminology and fail to address the case study or include any independent research.
  • Basic Level (1–3 marks): At this level, responses demonstrate minimal knowledge and understanding of the relevant issues or concepts. The use of terminology is minimal, and the answers may be more of a list rather than a structured response. There's no reference to the case study or any independent research, highlighting the importance of integrating these elements to avoid falling into this category.
  • Adequate Level (4–6 marks): Responses are descriptive with limited knowledge and understanding. The use of appropriate terminology is limited, and there is little evidence of analysis or research. This level underscores the necessity of going beyond mere descriptions and integrating more detailed understanding and terminology.
  • Competent Level (7–9 marks): These responses show a good level of knowledge and understanding of the relevant issues and concepts. Terminology is used appropriately in places, and there is some evidence of analysis and research. To achieve this level, ensure your answers are well-organized and terminology is used correctly.
  • Proficient Level (10–12 marks): At the highest level, responses demonstrate detailed knowledge and clear understanding of the issues and concepts. Terminology is used correctly throughout, and the analysis is competent and balanced. Conclusions are clearly linked to the analysis, showing extensive research. Strive for this level by thoroughly understanding the case study, conducting independent research, and clearly articulating your insights with appropriate terminology.

By structuring your answers effectively, using precise terminology, and integrating analysis and research, you can maximize your marks. Aim to move beyond basic descriptions to detailed, well-reasoned responses that show a clear understanding of the case study and relevant concepts. This structured approach will help you demonstrate your competence and proficiency, ensuring you achieve the best possible results in your IB Computer Science exam.
Guidance for Answering 12 Mark Questions
Read Carefully - Begin by carefully reading the question to understand what it is asking. Identify the key concepts, terms, and the context of the question related to the case study.

Structuring Your Answer into 3 Sections: Introduction, Body and Conclusion
Introduction
  • Briefly introduce the main idea or argument you will be discussing.
  • Mention the aspects or components you will be evaluating or analyzing.

Body
  • Divide your answer into clear, logical sections, each focusing on a different aspect of the question.
  • For each aspect or component:
  1. Define and Explain: Start by defining any technical terms or concepts. Briefly explain their relevance to the question.
  2. Analysis: Provide in-depth analysis of the issue or concept. Discuss how it applies to the scenario in the question, including potential advantages, disadvantages, and implications.
  3. Examples and Research: Include examples or findings from your research that support your analysis. Relate these back to the case study or theoretical concepts where appropriate.
  4. Evaluation: Critically evaluate the significance of each aspect in the context of the overall question. Discuss any trade-offs, limitations, or contrasting viewpoints.

Conclusion
  • Summarize your main points and analyses.
  • Provide a balanced conclusion that draws together your arguments and reflects on the overall question. Make any recommendations if the question calls for it.

Answering the Question
  • Use Appropriate Terminology: Throughout your answer, use computer science terms and concepts appropriately. This demonstrates your knowledge and understanding.
  • Mark Allocation Awareness: Be conscious of the marks allocated to each part of the question. Spend more time and detail on sections that are worth more marks.
  • Research and Examples: Show evidence of research beyond the case study. Incorporate this into your answer to support your points.
  • Analysis and Evaluation: Go beyond mere description. Analyze the information, evaluate different perspectives, and make judgments based on evidence.
  • Clarity and Precision: Write clearly and concisely. Avoid unnecessary repetition or overly complex sentences that could confuse the reader.

Final Checks
  • Review Your Work: Re-read your answer to check for any mistakes or omitted points. Ensure that your argument flows logically and that you've addressed all parts of the question.
  • Adherence to Markschemes: Familiarize yourself with markscheme descriptors for high-level responses. Aim to meet the criteria for the "Proficient" level by demonstrating detailed knowledge, clear understanding, competent analysis, and extensive research.
For members of Computer Science Cafe click the link below to view 5 sample papers for the 2025 Case Study
2025 - PAPER 3 SAMPLE PAPERS

IB CS HL – Paper 3 (2026) • Case Study: An Ethical Approach to Hacking

Answer all questions. Time: 1 hour • Max mark: 30

Questions

  • 1(a) Identify two reasons why MedTechPro Hospital is a high-value target for cyberattacks. [2]
  • 1(b) Define the term penetration testing in the context of cybersecurity. [2]
  • 2(a) Explain how open-source intelligence (OSINT) can assist during the intelligence gathering phase of PTES. [4]
  • 2(b) Explain how ethical and operational constraints must be considered when performing penetration tests in a hospital. [4]
  • 3 Describe the key steps in vulnerability analysis and exploitation (automated tools + manual techniques). [6]
  • 4 Discuss why maintaining ethical & professional standards is critical at MedTechPro Hospital (privacy, non-disruption, reporting, consequences). [12]

Sample Answers (Indicative Content)

Use concise, technical phrasing. Award marks for any valid, equivalent points.


1(a) [2] Any two valid reasons, e.g.:

  • High-value data: EHRs contain rich PII/medical/insurance info that can be monetized (identity/insurance fraud).
  • Low tolerance for downtime: 24/7 clinical operations → strong ransomware leverage.
  • Large, interconnected attack surface: many systems (EHR, IoT devices, comms, third-party links).
  • Reputation/regulatory risk: breaches carry heavy reputational and compliance impact.

1(b) [2] Penetration testing: an authorized, planned simulation of attacks against systems/networks to identify exploitable vulnerabilities and assess risk, following a defined methodology (e.g., PTES), with results reported to the client.


2(a) [4] OSINT support in intelligence gathering (any four clear points/examples):

  • External footprinting: domains, subdomains, exposed portals, staff directories, public policies.
  • Search engine dorking: discover misconfigured assets, leaked docs, login pages.
  • Tech stack inference: versions, vendors, cloud services → map potential CVEs.
  • Social profiling: roles and habits for spear-phishing/pretexting (e.g., IT/admin staff targets).
  • Prior incidents: news/breach disclosures informing likely weaknesses.

2(b) [4] Ethical & operational constraints in hospitals (four well-explained points):

  • Authorization & scope control: formal approval; rules of engagement to protect patient care systems.
  • Non-disruption: avoid tests that risk availability of clinical services/medical devices; safe timing & throttling.
  • Data protection: least-privilege access, handle/minimize PHI; encryption & secure storage of evidence.
  • Safety & rollback: test plans with containment/rollback; notify stakeholders; on-call support.


3 [6] Vulnerability analysis → exploitation (indicative flow; credit comparable sequences):

  1. Enumerate assets & services: from recon, confirm IPs, ports, OS, versions, dependencies.
  2. Automated scans: run authenticated/unauthenticated scanners to identify known CVEs/misconfigs.
  3. Manual validation & triage: verify findings, reduce false positives, assess impact/likelihood, prioritize.
  4. Attack path analysis: chain weaknesses (e.g., weak creds + exposed admin portal + flat network).
  5. Exploitation: safely attempt attacks (e.g., SQLi, XSS, password attacks, deserialization, misconfig abuse); develop PoC with minimal data access; observe effects.
  6. Evidence & containment: capture proof (screens, hashes, logs) without exfiltrating PHI; stop if risk to services.
Award for mention of tooling (scanners, proxies, fuzzers), safeguards, and linking to PTES phases.
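To show what steps 3 and 4 above look like in practice, together with the scope and non-disruption constraints from 2(b), here is an added example written for this page (it is not code from the case study or from CyberHealth Security). The rules of engagement, asset classes and scanner findings are constructed values; it deduplicates findings, refuses to act on out-of-scope hosts, marks patient-care asset classes as validate-only, and ranks the rest by CVSS weighted by confidence in the evidence.

```python
import ipaddress
import json

# Constructed rules of engagement for the MTPH engagement (hypothetical values).
# Asset classes under "no_active_testing" may only be validated passively, never
# exploited, to honour the non-disruption constraint on patient-care systems.
RULES_OF_ENGAGEMENT = {
    "in_scope": ["10.20.0.0/16"],
    "no_active_testing": ["iot-medical", "ehr-production"],
}

# Constructed scanner findings (not the output of any real scanner).
SCANNER_FINDINGS = json.loads("""[
 {"id": "F1", "host": "10.20.5.10", "asset_class": "web-portal",
  "title": "Outdated web framework", "cvss": 7.5, "evidence": "banner"},
 {"id": "F2", "host": "10.20.9.22", "asset_class": "iot-medical",
  "title": "Default credentials", "cvss": 9.8, "evidence": "authenticated"},
 {"id": "F3", "host": "10.20.5.10", "asset_class": "web-portal",
  "title": "Outdated web framework", "cvss": 7.5, "evidence": "banner"},
 {"id": "F4", "host": "192.0.2.44", "asset_class": "web-portal",
  "title": "Directory listing", "cvss": 5.3, "evidence": "authenticated"},
 {"id": "F5", "host": "10.20.7.3", "asset_class": "workstation",
  "title": "SMB signing disabled", "cvss": 5.9, "evidence": "authenticated"}
]""")

def in_scope(host, roe):
    """True if the host falls inside a CIDR range authorised in the rules of engagement."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(cidr) for cidr in roe["in_scope"])

def likelihood(finding):
    """Banner-only matches are common false positives: halve their weight until confirmed."""
    return 0.5 if finding["evidence"] == "banner" else 1.0

def triage(findings, roe):
    """Deduplicate, enforce scope, assign a next action and rank by risk = CVSS x likelihood."""
    seen, rows = set(), []
    for f in findings:
        key = (f["host"], f["title"])
        if key in seen:          # same issue reported twice by the scanner
            continue
        seen.add(key)
        if not in_scope(f["host"], roe):
            action = "out-of-scope: do not test, report host to client"
        elif f["asset_class"] in roe["no_active_testing"]:
            action = "validate-only: no exploitation, confirm with system owner"
        elif f["evidence"] == "banner":
            action = "manual-validation: confirm before any exploitation"
        else:
            action = "exploitation-permitted: minimal PoC, no PHI access"
        rows.append({"id": f["id"], "host": f["host"], "title": f["title"],
                     "risk": f["cvss"] * likelihood(f), "action": action})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)
```

Calling `triage(SCANNER_FINDINGS, RULES_OF_ENGAGEMENT)` returns four rows: the medical device finding ranks highest but is validate-only, the duplicate F3 is dropped, and the 192.0.2.44 host is flagged as out of scope rather than tested.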


4 [12] Discuss ethics/professionalism at MTPH (balanced argument; structure matters). Indicative coverage:

  • Confidentiality: protect PHI; data minimization; secure handling; audit trails; NDA adherence.
  • Integrity & availability: avoid corrupting records or interrupting clinical workflows; sandboxing; change control.
  • Proportionality: choose least-intrusive tests that still meet objectives; justify any higher-risk actions.
  • Transparency & reporting: accurate, evidence-based findings; clear risk ratings; actionable remediation; no tool dumping.
  • Professional conduct: follow scope; responsible disclosure; cease on unsafe impact; coordinate with incident teams.
  • Consequences of failure: patient harm, legal/regulatory exposure, reputational loss, mistrust of security programs.
  • Reasoned stance: defense-in-depth + incident response; training; segmentation; monitoring; patch governance; IoT controls.
Top-band answers justify trade-offs (security vs. care speed), reference PTES phases, and prioritize mitigations with rationale.

2025 CASE STUDY CONTENT
➩ PART 1 | INTRODUCTION TO THE CASE STUDY | YOU ARE HERE
☐ PART 2 | CYBERSECURITY IN HEALTHCARE
☐ PART 3 | PENETRATION TESTING EXECUTION STANDARD (PTES) OVERVIEW
☐ PART 4 | PHASE 1: PRE-ENGAGEMENT INTERACTIONS
☐ PART 5 | PHASE 2: INTELLIGENCE GATHERING
☐ PART 6 | PHASE 3: THREAT MODELLING
☐ PART 7 | PHASE 4 & 5: VULNERABILITY ANALYSIS AND EXPLOITATION
☐ PART 8 | PHASE 6: POST-EXPLOITATION
☐ PART 9 | PHASE 7: REPORTING & RESPONSE PLANS
☐ PART 10 | ETHICS, CHALLENGES, AND EXAM PREPARATION
☐ SUMMARY AND REVISION CHECKLIST