Test security

Suzana Lopes, EMEA VP Sales and Marketing at Pearson VUE, explains the need for rigorous exam security, and looks at how it is done todayMore and more emphasis is being placed worldwide upon certification. Increasing numbers of companies and organisations insist on their staff holding the correct, up-to-date, industry recognised qualifications for many reasons.
    
Candidates who are certified to a higher level have proven that they have the competencies and skills to deliver higher-value services for their company. A better, higher qualified workforce gives a company a competitive advantage: training and certification add value to companies and give reward and motivation to employees.
    
The IT sector is a perfect example of this, and it has been leading the way in terms of training and testing of skills. Because of the rapid pace at which technology is evolving, it is vital that people’s knowledge and skills are current.
    
Often, whole careers hinge upon the passing or failing of a high stakes test. If a test or exam is to be truly meaningful, it is of course imperative that the most rigorous security is applied at every stage, to ensure that candidates are who they say they are and thus limit the possibility of cheating by impersonation. The number one threat to test security is test content theft, whereby the test taker memorises as much of the test content as they can and then makes it available, for example by publishing it on the Internet, frequently for commercial gain.
    
This is an important matter for training providers too. If the certification standard is compromised then so too is the value in training for that certification. If it were possible to pass a test via some illicit short cut, then fewer people would pay for training.
    
Thankfully, much technology exists to ensure security for the whole life cycle of a test. From the creation of the items (questions or tasks) and their use in exams, through the delivery at the test centre, to forensic analysis of exam results, there are proven procedures to make sure content does not fall into the wrong hands or risk being misused.

Secure test development
Owing to the complexity of the modern test, many people are involved in creating it. It is not simply a case of one chief examiner deciding what the questions should be: the creation process involves input from many people – from psychometricians, who analyse the reliability and validity of the items and exams, to subject matter experts, who keep a check on the accuracy of content. In addition, the test also needs to be created in such a way that it is suitable for its target audience; i.e. has adequate geographic reach, is culturally appropriate, measures the skills for a particular role or doesn’t hinder the test candidate in language or tone. Many tests also involve the co-operation of employers and organisations to ensure that certifications are aligned with the job roles they are testing for.
    
Once the appropriate panel of experts has been formed, the creation of the items can begin and each stage of the authoring process can be securely controlled by limiting access to each item. This security procedure can be implemented in a number of ways, for example by using a particular test authoring program.
    
Another important factor to consider is the security of the delivery of your exam, be that on paper or computer. It’s crucial that checks are in place to ensure that only authorised personnel handle the test, in whatever format it is to be delivered in, and that the process of delivery for each location is the same. Streamlining your delivery process is critical to smooth and secure test delivery.

Global identity management
Frequently, as organisations become more global, their employees often need to take exams on a regular basis throughout their careers. This is particularly prevalent in the IT sector, where IT personnel need to keep their skills current and take regular assessments.         

To help facilitate this, certain biometric data can be stored and accessed by the test administration system to allow straightforward candidate ID verification. Once the candidate produces their sanctioned ID, a process of matching stored information to the ID can take place and a record of the candidate’s test history and results can be updated.

Palm vein recognition
For the highest of high-stakes exams, such as those related to a top-level certification, some organisations are choosing to test in centres which feature state-of-the-art test centre technology for candidate identification, one of which is palm vein recognition. With fewer negative cultural connotations than fingerprinting, and greater accuracy, palm vein recognition involves an infrared scanner that examines the unique patterns in the veins of the palm of a candidate’s hand.
    
This streamlines the check-in process and gives each candidate a single record that is virtually impossible to forge or tamper with, thereby eliminating the possibility that multiple people could test under a single identity.
    
How does it work? The palm is scanned, and the information about the individual’s unique vein patterns is stored as an encrypted digital template. After the test is complete, this template is sent along with the test taker’s results via encrypted transmission to the testing company. Because of its accuracy, ease-of-use and built-in privacy controls, palm vein technology is increasingly becoming recognised as a valid method of verifying candidate identity in high-stakes testing environments.

Item banking
Having verified that each test-taker is the genuine candidate, there is then the consideration of making sure that test content cannot be taken from the test room and passed on to future candidates for cheating purposes, or posted on an online “brain dump” site. This is where the Computer-Based Testing (CBT) concept of item banking comes into its own. A paper-based test form can only be delivered once before the content is considered public knowledge – cheating in subsequent sittings would be easy if that paper were to be re-used. With CBT item banking, however, the testing body can select items from a suitably sized computerised item bank and create a new test form each time. Firstly, this means that a number of different tests can be compiled from the same item bank, and that each item can be used more often because the software controls how much exposure each item gets. As long as items do not become stale or over-exposed then candidates will not become able to pass them too easily.
    
Secondly, it means that on any given day, every candidate could be sitting a different test, containing a unique mix of items that add up to a test of the same difficulty level as the one being sat by the next candidate. With this model, the test could be available for candidates to sit at their convenience on any day of the year, without every test requiring all-new items to be created, and because every test is different, no candidate can take the shortcut of completing a test from memory of a “past paper”. On top of this, any unscrupulous individual would not stand to gain anything from leaking or selling exam content after their test, as it is highly unlikely that the same content will occur in the same combination in other people’s sittings of the same test.
    
Even with security measures such as the above in place, testing providers must always still monitor all tests to look for any aberrant trends or to detect if the test has been compromised in any way. There are many tools that can do this, both while the test is live and also after the fact. For example, forensic analysis software can detect any unusual patterns in scores, pass rates or other aspects of the test (such as how fast the candidate answers different types of questions, or how well they perform on easy questions compared to difficult ones). This analysis can be performed immediately following each test so that aberrant trends can be quickly identified and action taken to minimise further risk while further investigation or other action takes place.
    
It is thanks to security like this that modern Computer-Based Testing can be trusted as a reliable proof of an individual’s skills and competencies, and those individuals can be confident that their qualifications gained in this way really are valid and meaningful.

Article appears by kind permission of BCS, the Chartered Institute for IT.About the author
Suzana Lopes is the commercial director at Pearson VUE (www.pearsonvue.co.uk), a global leader in computer-based testing for information technology, academic, government and professional testing programmes around the world. Pearson VUE provides a full suite of services from test development to data management, and delivers exams through the world’s most comprehensive and secure network of test centres in 165 countries. Pearson VUE is a business of Pearson (NYSE: PSO; LSE: PSON), the international media company, whose businesses include the Financial Times Group, Pearson Education and the Penguin Group.For more information
Contact pvemeamarketing@pearson.com