Security: Risk Management—Protecting Our Tests
Risk management is a key component of doing business in any industry. Were a business manager to neglect risk management when running an amusement park, the results could be catastrophic. Similarly, financial managers must be keenly aware of the risks to financial assets and must take steps to minimize “the downside.” But what about testing/credentialing program managers? What risks are associated with creating and deploying tests, and how can they be minimized?
Make no mistake, high-stakes tests (i.e., relied upon for making important decisions) provide incentives for a few unscrupulous individuals to steal and distribute the test content and for others to acquire and use that content. In other words, the mere act of using a “test as a test” introduces the concomitant risk that certain examinees will resort to deception to “beat the test.”
What’s at risk? First and foremost, the reputation of your organization and its credentials. “Qualification of the unqualified,” as witnessed in several recent examples, is a prescription for cynicism about a program’s goals and, eventually, its irrelevance. Beyond that, intellectual property is at risk—the contents of the tests themselves. Unanticipated cost, of course, is the most familiar way to summarize what is jeopardized by a failure to anticipate and manage risk. For testing programs, therefore, the costs associated with test theft and various forms of cheating can be roughly summarized as follows:
- Public relations and marketing costs (loss of program reputation/credibility).
- Economic costs (i.e., loss of testing revenue and other related revenue streams resulting from the loss of program reputation/credibility).
- Measurement costs (loss of test measurement reliability and test utility).
- Opportunity costs (dealing with emergencies at the expense of other activities).
- Replacement costs (based only on the time and expense involved in creating such tests; for many testing programs, such as Wechsler, the SAT and others, the value of test content can equal thousands or millions of dollars as well as six to 24 months of lost opportunity).
Just as a systems engineer must be vigilant in identifying and minimizing possible points of failure, in the testing industry, program managers need to manage risks of test disclosure and cheating. While the following list of activities is not comprehensive, it provides a general idea of where risk management principles (aka, test security) can be applied to testing programs:
- Item Development: During this phase of test development up through beta testing, there are many people involved with the creation of test content—contract item writers, subject-matter experts, translators, beta-test participants. Appropriate security measures should be applied to prevent loss or questions regarding ownership of the developed content.
- Test Delivery: Test delivery involves two types of risk: the first at the point of test disclosure to examinees, and the second when the examinee formulates and provides a response. Appropriate security measures should be applied to ensure that both the exposure and response are trustworthy.
- Data Management: Even after the test items are safely locked away, the credential can still be compromised by data mismanagement. Routine backups and reconciliations should be performed to ensure that test response data is not corrupted.
Each of these topics, as well as methods for calculating your return on test security investments and case studies of best and worst test security practices, will be discussed in future issues of this periodical. It’s my hope that this column will become a valuable reference for testing program managers. Address any test security questions or recommendations to me via e-mail.
Cyndy Fitzgerald, Ph.D., is co-founder and senior security director at Caveon Test Security (www.caveon.com) and is a member of the Association of Test Publishers. She can be reached at firstname.lastname@example.org.