the e-Assessment Association

Top tips for exam security

A blog by Keean Schupke, risr/’s Chief Technology Officer

Testing security has grown significantly stronger over the past decade, with video recording systems, psychometric test analysis, biometrics and more sophisticated cyber security practices all playing a part in tackling exam fraud and bolstering security.

Despite this, it’s important to acknowledge that some parts of the assessment process will always be exposed to some risk. For example, it’s unlikely we’ll ever be able to completely eliminate exam centre cheating. People will always find ways if they’re particularly determined.

But we can make it extremely difficult. The right systems and practices can make exam security as watertight as it’s possible to get, in turn protecting the very principles of assessment: validity, reliability and fairness.

Here are my top five tips on exam security that all assessment providers should consider as part of a best practice approach.

  1. Use an exam management system
    This is probably the single most important piece of advice. To put it simply, if you don’t use an exam management system, you have no control over the data and will never know who has accessed it or what they’ve done to it. Everything is traceable on an exam management system, and some systems can also prevent you from exporting data.
    Using one also means there’s absolutely no exam data on your hard drive, so if your machine is compromised in any way, the data is protected.
  2. Think about who has access to what
    Restrict teams to only the data they really need access to. Question authors, for example, should not have access to exam results. People with access to the question bank shouldn’t necessarily be able to access all parts of the question bank.
    This minimises risk by ensuring that, if someone in a particular team were to fall victim to social engineering, they can only give away information relating to their area.
  3. Aggressively test
    This is especially important if you do not have an exam management system. But even if you do have one, make sure the provider is aggressively testing (like we do!).
    At risr/, for example, we partner with an ethical hacking company called CovertSwarm. Instead of doing an annual penetration test – which many organisations will do as a means of security testing – they give you a certain number of days per month and use that time to continuously attack you, using the same tools as the ‘bad guys’.
    With this type of adversarial testing, you have someone actively trying to break into your system, and if they succeed, it’s via a weak point you didn’t know about.
  4. Run solid psychometrics on your assessments
    Psychometric test analysis is one of your strongest weapons against cheating. If you run good psychometrics, the data will tell you if there’s been a security problem. Start by looking at the basic exam statistics, like average scores.
    It’s essential to keep as tight a control as possible over all other facets of the assessment, because that makes it easier to detect if there’s been a breach. Admittedly, this is easier to manage with certain types of assessment.
    For example, if you re-use 20% of the questions from previous exams to calibrate the assessment score against previous years’ assessments, you can easily see if the average score is higher than you would expect.
  5. Retire questions from question banks
    The inevitability of question leakage is something we have to contend with. It’s impossible to completely stop questions from getting into shadow question banks. After all, for high stakes exams people may get paid to memorise questions and share them post-exam.
    So, it’s important to retire questions after you’ve used them a certain number of times. Ideally about 20% is a good amount to re-use as an anchor to compare against previous data – the remainder should be freshly generated for each assessment.
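The anchor comparison described in tips 4 and 5, sketched as an added example (not code from the original blog or from risr/): it compares the proportion of candidates answering each re-used question correctly across two sittings and flags questions whose score rose sharply. The item ids, counts and the z threshold of 3 are constructed assumptions.

```python
"""Added example: flag anchor questions whose facility jumped between sittings."""
from math import sqrt

# Constructed sample data: item id -> (correct answers, candidates who sat it)
PREVIOUS = {"A1": (310, 500), "A2": (275, 500), "A3": (402, 500), "A4": (198, 500)}
CURRENT = {"A1": (318, 510), "A2": (281, 510), "A3": (409, 510), "A4": (351, 510)}


def z_increase(prev, curr):
    """Two-proportion z statistic; positive when the proportion correct rose."""
    (c0, n0), (c1, n1) = prev, curr
    pooled = (c0 + c1) / (n0 + n1)
    se = sqrt(pooled * (1 - pooled) * (1 / n0 + 1 / n1))
    if se == 0:  # everyone right (or everyone wrong) in both sittings
        return 0.0
    return (c1 / n1 - c0 / n0) / se


def anchor_report(previous, current, z_threshold=3.0):
    """Mean anchor facility per sitting plus the items that rose sharply."""
    shared = sorted(set(previous) & set(current))
    if not shared:
        raise ValueError("no anchor items in common between sittings")
    mean_prev = sum(previous[i][0] / previous[i][1] for i in shared) / len(shared)
    mean_curr = sum(current[i][0] / current[i][1] for i in shared) / len(shared)
    flagged = {}
    for item in shared:
        z = z_increase(previous[item], current[item])
        if z > z_threshold:  # assumed cut-off; tune to your own data
            flagged[item] = round(z, 2)
    return {"mean_previous": mean_prev, "mean_current": mean_curr, "flagged": flagged}


if __name__ == "__main__":
    print(anchor_report(PREVIOUS, CURRENT))
```

A rise across every anchor can also reflect a stronger cohort, so a flag is a prompt to review that question rather than proof of leakage.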

Upholding the value of credentials is absolutely vital, especially in professional exams where there is a need to protect both employers and the public from individuals who are not qualified to work in a particular field. We need exams to be a genuine reflection of competency.

While these five areas should form the backbone of a security strategy when it comes to exam management and delivery, there will of course always be new threats emerging – whether that’s increasingly inventive ways of cheating or more sophisticated online attacks. It’s important to remember that as the technology to compromise exam security evolves, so too do the means of detecting it.
