To better manage security, it is vital to understand the security vulnerabilities, threats, and risks of your testing program, and to know what mitigation options are possible.
Those key terms, however—vulnerabilities, threats, and risks—are often misunderstood and used incorrectly, sometimes even interchangeably (learn more about that in this white paper). This short article is intended to define them and briefly show how they fit together.
What Is a Test Security Threat?
A security threat is the source of a potential attack on your testing program. Cheating and piracy are the two broad categories of exam fraud threats, and each can be broken down into more specific varieties (as described in this white paper). New cheating and piracy threats arise continuously as new ways to cheat or to steal test content are devised. A breach occurs when a threat, left unimpeded, escalates into actual cheating or theft that causes damage to a program. About the only positive outcome of a breach is that it usually exposes previously unknown program vulnerabilities.
What Is an Exam Security Vulnerability?
A vulnerability is, simply put, a weakness in the security defenses of a testing program. Deciding not to proctor or monitor a high-stakes test administration event is an example of a policy vulnerability. Not proctoring that event well is an example of an operational vulnerability. Every program has security vulnerabilities—some minor, some major. It is much better to learn of these vulnerabilities through a test security audit or internal program review than from an unexpected breach.
What Is a Test Security Risk?
Risk refers to the amount of potential damage that a threat can cause to your program. Risk has two elements that must be addressed:
How much damage can a specific threat cause?
What is the likelihood of that threat happening, given current security strengths and vulnerabilities?
Risk ranges from low to high. Knowing the risk helps a program manage its security better. The risk is low if the potential damage from the threat is small or if the likelihood of a breach is small. The risk is high if the potential damage is high and a breach is possible, or even likely. Estimating the risk helps a program plan its security efforts. You can learn how to determine your program's specific risks in this article.
When the risk is low, very little (if any) additional security effort needs to take place. If the risk is high, either because of new, effective threats or because of serious vulnerabilities (as is the case for many high-stakes programs today), then new security measures should be added or existing ones enhanced.
Vulnerabilities need to be eliminated. New threats need to be neutralized. Appropriate security defenses will allow you to mitigate, or eliminate entirely, the risks facing your program, and that should be one of the primary goals of every testing program. You can learn more about assessment vulnerabilities, threats, and risks in this white paper.