
Defining Security Challenges: Risks, Threats & Vulnerabilities

Posted by David Foster, Ph.D.


To better manage security, it is vital to understand the security vulnerabilities, threats, and risks of your testing program, and to know what mitigation options are possible.
Those key terms, however—vulnerabilities, threats, and risks—are often misunderstood and used incorrectly, sometimes even interchangeably (learn more about that in this white paper). This short article is intended to define them and briefly show how they fit together. 

What Is a Test Security Threat?

A security threat is the source of a potential attack on your testing program. Cheating and piracy are the two broad categories of exam fraud threats, and each can be broken down into more specific varieties (as seen in this white paper). New cheating and piracy threats arise continuously as new ways to cheat or to steal test content are discovered. A breach occurs when a threat, unimpeded, escalates into actual cheating or theft that causes damage to a program. About the only positive outcome of a breach is that it usually exposes previously unknown program vulnerabilities.

What Is an Exam Security Vulnerability?

A vulnerability is, simply put, a weakness in the security defenses of a testing program. Deciding not to proctor or monitor a high-stakes test administration event is an example of a policy vulnerability. Not proctoring that event well is an example of an operational vulnerability. Every program has security vulnerabilities—some minor, some major. It is much better to learn of these vulnerabilities through a test security audit or internal program review than from an unexpected breach.

What Is a Test Security Risk? 

Risk refers to the amount of potential damage that a threat can cause to your program. Risk has two elements that must be addressed:
  1. How much damage can a specific threat cause?

  2. What is the likelihood of that threat happening, given current security strengths and vulnerabilities?

Risk ranges from low to high. Knowing the risk helps a program manage its security better. The risk is low if the amount of potential damage from the threat is small or if the likelihood of a breach is small. The risk is high if the potential damage is high and a breach is possible, or even likely. Estimating the risk helps a program plan its security efforts. You can learn how to determine your program's specific risks in this article.

When the risk is low, very little (if any) additional security effort needs to take place. If the risk is high, either because of new, effective threats or because of serious vulnerabilities (as is the case for many high-stakes programs today), then new security measures should be added or existing ones enhanced.
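The two-element risk model above can be written down as a small rating routine. The following Python is an added illustration, not code from the article or from Caveon: it assumes a three-step scale (LOW, MEDIUM, HIGH) for damage and likelihood, treats "a breach is possible" as MEDIUM likelihood and "likely" as HIGH, adds a MEDIUM risk band the article does not name, and uses a constructed sample threat register. It rates each threat, ranks the register so the highest risks surface first, and shows how closing a policy vulnerability (proctoring a previously unproctored event) lowers the likelihood and therefore the risk of the same threat.

```python
"""Worked risk-rating example: rank exam fraud threats by damage and likelihood."""
from dataclasses import dataclass, replace
from enum import IntEnum


class Level(IntEnum):
    """Ordinal rating used for damage, likelihood and the resulting risk."""
    LOW = 1
    MEDIUM = 2   # assumed middle band; the article only names the low-to-high range
    HIGH = 3


@dataclass(frozen=True)
class Threat:
    name: str
    damage: Level       # element 1: how much damage the threat can cause
    likelihood: Level   # element 2: chance it happens, given current strengths and vulnerabilities


def risk_level(damage: Level, likelihood: Level) -> Level:
    """Combine the two elements into a single risk rating.

    Rules follow the article: risk is LOW when either the potential damage or the
    likelihood of a breach is small; risk is HIGH when damage is high and a breach
    is possible (MEDIUM) or likely (HIGH). Everything else is MEDIUM (an assumption).
    """
    if damage == Level.LOW or likelihood == Level.LOW:
        return Level.LOW
    if damage == Level.HIGH:
        return Level.HIGH
    return Level.MEDIUM


def assess(threats: list[Threat]) -> list[tuple[Threat, Level]]:
    """Rate every threat and order the list so the highest risks come first."""
    rated = [(t, risk_level(t.damage, t.likelihood)) for t in threats]
    rated.sort(key=lambda pair: (pair[1], pair[0].damage, pair[0].likelihood), reverse=True)
    return rated


def mitigate(threat: Threat, new_likelihood: Level) -> Threat:
    """Model a security measure that closes a vulnerability and lowers the likelihood."""
    return replace(threat, likelihood=new_likelihood)


def needs_action(threats: list[Threat]) -> list[str]:
    """Names of threats rated above LOW, i.e. where additional security effort belongs."""
    return [t.name for t, risk in assess(threats) if risk > Level.LOW]


# Constructed sample register (hypothetical threats and ratings, not from the article).
SAMPLE_THREATS = [
    Threat("Proxy test-taking at an unproctored administration", Level.HIGH, Level.HIGH),
    Threat("Item harvesting by memorization", Level.HIGH, Level.MEDIUM),
    Threat("Unauthorized notes in the testing room", Level.MEDIUM, Level.MEDIUM),
    Threat("Reuse of a retired practice form", Level.LOW, Level.HIGH),
]


if __name__ == "__main__":
    for threat, risk in assess(SAMPLE_THREATS):
        print(f"{risk.name:6} {threat.name} "
              f"(damage={threat.damage.name}, likelihood={threat.likelihood.name})")
    # Proctoring the unproctored event closes the policy vulnerability: the damage a
    # proxy could do is unchanged, but the likelihood drops and the risk rates LOW.
    proctored = mitigate(SAMPLE_THREATS[0], Level.LOW)
    print("after proctoring:", risk_level(proctored.damage, proctored.likelihood).name)
```

The ranking deliberately orders by risk first and damage second, so two threats rated HIGH are separated by how much harm they can do; that is the order in which a program would spend its limited security budget. Note that mitigation here only changes likelihood: the potential damage of a threat is a property of the threat, while the likelihood is what a program's defenses (or vulnerabilities) actually move.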

Vulnerabilities need to be eliminated. New threats need to be neutralized. Appropriate security defenses will allow you to reduce, or even eliminate, the risks facing your program, and that should be one of the primary goals of every testing program. You can learn more about assessment vulnerabilities, threats, and risks in this white paper.

David Foster, Ph.D.

A psychologist and psychometrician, David has spent 37 years in the measurement industry. During the past decade, amid rising concerns about fairness in testing, David has focused on changing the design of items and tests to eliminate the debilitating consequences of cheating and testwiseness. He graduated from Brigham Young University in 1977 with a Ph.D. in Experimental Psychology, and completed a Biopsychology post-doctoral fellowship at Florida State University. In 2003, David co-founded the industry’s first test security company, Caveon. Under David’s guidance, Caveon has created new security tools, analyses, and services to protect its clients’ exams. He has served on numerous boards and committees, including ATP, ANSI, and ITC. David also founded the Performance Testing Council in order to raise awareness of the principles required for quality skill measurement. He has authored numerous articles for industry publications and journals, and has presented extensively at industry conferences.
