The World's Only Test Security Blog
Pull up a chair among Caveon's experts in psychometrics, psychology, data science, test security, law, education, and oh-so-many other fields and join in the conversation about all things test security.
Posted by Caveon
updated over a week ago
Picture this: You’re a business school candidate. You’re about to take an exam that is built to predict your success in graduate school.
If you do well on the exam, you could get into the “right” school. If you get into the “right” school, you might meet the “right” people. If you know the “right” people, you might get the “right” job and lead the “right” life. If you follow this path to its logical conclusion, you’ll find the stakes to do well on this exam are pretty high.
So you decide that the stakes are indeed high enough that you’d do anything within your power to ensure that you do well. You heard from a friend (who heard from a friend who heard from their cousin) that there’s a website that hosts study materials for the exam. If you pay a small fee, you can even get your eyes on some live exam questions! It’s risky. You know that. But you’ve already considered this from every angle. After all, you weren’t the one who copied exam questions. You're not the one selling them on the internet. And who really gets hurt here, anyway? It’s possible that what you’re doing is a crime, but even then it’s a victimless crime….
So you go to the site.
There, on the home page, you find a message. It appears the owner of the exam found this website before you did—they’ve taken the site down and posted a warning to all who may enter:
By now, you’re probably feeling sheepish. You weren’t trying to cheat! You’re sure of that now. You didn’t realize that viewing stolen intellectual property might put your exam scores at risk. But it’s spelled out for you right on the home page—the people who’d stolen and used this content were punished. They were detected because the testing program conducts monitoring on the web for stolen intellectual property. That could have been you!
What you’ve just witnessed as you tentatively moved forward was an example of deterrence:
Your intentions, which had been to view illicit test content to gain an advantage on a test, have now been thwarted.
Okay, you can assume your own identity again. You may be wondering, what are some ways that I can introduce fraud deterrents into my own program? Chances are, you probably already have everything you need:
Purpose: To remind examinees of the importance of morality
Target Audience: Those who are sensitive to moral judgments
Immune Audience: Those who don’t care about the moral implications of cheating
An example of a straightforward deterrent solution could be a sign at the front of the testing room that says “You know cheating is wrong. Don’t do it.” Simple. It reminds your test takers of the moral implications of cheating, so that should be effective. But is it? What if you’re the person who came to sit this exam with the singular purpose of stealing exam content or fraudulently taking the test for another examinee? Would you be deterred by the moral argument on the poster?
Purpose: To remind examinees what consequences they’ll face if they violate the rules
Target Audience: Opportunistic rule-breakers who fear the promise of punishment
Immune Audience: Rationalization-prone rule-breakers who don’t believe they’ll get caught
For those who might not be deterred by appealing to morality, another method of deterrence would be basic education about your security policies. For example, educate your examinees about the sanctions your program has in place for fraudsters and violators of non-disclosure agreements. You can compound this strategy by requiring examinees to sign security oaths before taking the exam, simultaneously reminding test takers of your commitment to security and the potential consequences of violating that security. This strategy alone might deter a person who is afraid of the consequences of “wrongdoing,” but who defines wrongdoing?
In The Influence of Situational Ethics on Cheating¹, 6,096 former college students reported their past behavior with cheating. More than two-thirds of the participants self-reported to have cheated at least once on a test or major assignment. The study also reinforced previous research from Situational Ethics and College Student Cheating² that illustrates how students rationalize their academic dishonesty in a number of ways, including:
A surprising 14 of the 31 institutions represented in the study had long-standing honor-code traditions. However, the students acted against those codes willingly and even self-reported those events for an academic study later on.
The simple fact is, some fraudsters know that what they’re doing is wrong—they’ve just found a subconscious way to rationalize their dishonesty. How does a program provide deterrents when the brain subconsciously seeks ways around them? Moreover, how does a program convince confident individuals or career rule-breakers that they can even be caught in the first place? Would you fear punishment if you’ve committed the same crime over and over again without being caught? Likely not as much as the opportunistic rule-breaker. Consider security solutions such as data forensics that effectively detect and deter fraud.
Perhaps the most compelling way to deter potential wrongdoers is the solution we’ve all been wary to accept; we need to publicize our security measures. We worry, of course, that by sharing any morsel of information about our security practices we’d actually be giving potential fraudsters the tools they need to find holes in our armor. If we share what we do, wouldn’t it be easier to find ways around it? The short answer is: Not if you craft your messages with precision, being careful with detail and spotlighting the effectiveness of your program’s security features to illustrate a larger point.
Consider our previous example: You knew from reading the messages displayed on the formerly-fraudulent website that searching for live exam questions on this website was wrong (a moral appeal) and that you’d be punished and have your scores canceled if you broke the rules (an education-about-consequences deterrent). But didn’t you already know those risks going in? Or did you simply not believe that you’d be affected by them.
What likely shook you to your rational core was the knowledge that the owner of this exam actively patrols the web for people just like you who may be attempting to do exactly what you were going to do. You see now that you wouldn’t be able to get away with using exam-prep sources like this one. Even if you found a different source to buy your illicit test questions from, who’s to say that website wouldn’t be the next one on the security radar?
The “wrong” we can rationalize away. But the relative risk of getting caught or of not being successful is something all wrong-doers calculate. From the little white lie to the grandest conspiracy, we all want to avoid detection. Therefore, deter potential test fraudsters from stealing your intellectual property by publicly:
NOTE: There is an important distinction to be made here between security measures that deter fraud, as discussed in this article, and those that prevent or detect it (learn more about how to protect your exams here). In summary, prevention techniques play an important role in keeping fraud from happening by making it less possible. Detection techniques play an important role in pinpointing fraud after it’s occurred to eradicate its negative effects. But, when using the spotlight method, these prevention and detection techniques can act a whole lot like deterrents. Prevent fraud. Detect fraud. Then spread the word to deter it in the first place.
Leverage your existing prevention and detection methods and transform them into fraud deterrents, simply by making them known to your stakeholders.
By publicizing your current test security efforts, you double their effectiveness. Not only can you employ security strategies that are specifically designed to deter test fraud (such as examinee agreements or anti-cheating signs) but you’ll also get more bang for your buck when you leverage your prevent-and-detect security measures to your advantage, too.
Explore how you’ll utilize your existing security methods as deterrence measures. What mediums will you use to communicate your test current security measures? Where can your messaging reach those who need to hear it? Try using language that summarizes your test security measures in a way that illustrates their effectiveness without revealing too much of the inner machinations of your program’s security. You can certainly appeal to your test-takers’ morality. You can also explain what consequences lie ahead for those who break the rules. But the best way to maximize the security measures you already have is to make them known.
Whether you practice patrolling the web for intellectual property, data forensics analysis on your scores, strict identification procedures, or video monitoring, the best thing you can do to deter potential fraudsters is to tell them so. If candidates don’t believe they’d have a shot at cheating successfully, they may not try at all.
Don’t be shy about the fact that you’ve implemented security features into your exams. Publicizing your security features carries no implied wrongdoing or evidence of prior security concerns. It simply means that you’re taking steps to make your intellectual property as secure as possible.
Consider how you’ll send these messages to your test takers. Appeal to moral integrity and educate about the consequences. Try using language that summarizes your test security measures in a way that illustrates their effectiveness, without revealing too much of the inner machinations of your program’s security. Clearly send the message to all who need to hear it: “We’re actively protecting our intellectual property. Move along.”
For more than 18 years, Caveon Test Security has driven the discussion and practice of exam security in the testing industry. Today, as the recognized leader in the field, we have expanded our offerings to encompass innovative solutions and technologies that provide comprehensive protection: Solutions designed to detect, deter, and even prevent test fraud.