Protection: The Primary Purpose of Security
Written by Dr. David Foster, CEO
I’ve been involved in the field of testing since 1982. I started my career as a testing program manager and psychometrician, where I experienced first-hand the use of test security procedures.
Eventually (after several unexpected twists and turns) I started Caveon Test Security, the first company of its kind in this industry. I have now spent nearly 15 years working in the exciting (to me and other converts) and often-overlooked world of exam security.
Even though I have been promoting the value of test security for nearly two decades, it wasn’t until just a few years ago that I truly began to understand the meaning of the term “security” and why our industry needs to care about it. Oddly enough, my new understanding began by looking at how security is approached in areas other than testing. My quest took me through a wide variety of industries including military base security, home security, casino security, financial security and an area that currently dominates news headlines, the security of information systems that protect our personal information stored on computers and the cloud.
In learning about how these other industries approach security, I soon came to realize that even though these security efforts are vastly different in many ways, they all have core principles in common. In fact, the basic principle of security for each is the concept of protection — they have something valuable, an asset of some sort, that needs to be protected from those who would try and undermine it. I learned that this concept is the starting point of all effective security, whether in the field of testing or elsewhere. Shame on me for taking so long to figure it out.
Protection is a goal, not a method or tool. All industries that have valuable assets—and we can include our own industry on that list—should have the the same goal of protecting them. If those of us who work in the field of testing accept that we offer something valuable to this world, something that needs to be protected from people who want to tarnish it, it should become our #1 priority to protect it. To do so, we must ask ourselves a few central questions:
What are we protecting?What are we protecting it from?And what are the best ways to protect it?
If we can answer these questions, well, the battle is pretty much won.
You might ask, “Dave, isn’t protecting our exams what we are doing today, and what we have been doing for the last century?” I have asked myself that question many times, and it is after many hours of consideration that I have come up with an answer. Here it is: “Not really.” What we do today is simply accept security practices that have been in place for decades, even centuries, without considering if those practices still work, still protect our exams. In all honesty, the persistently large (and even growing) number of security incidents seem to suggest that perhaps the security measures we have relied on up until now don’t really work anymore.
Maybe my instinct is wrong and our current security measures are the best we can do, but we need to look closely at them to find out! We in the testing industry work hard to create exams that produce valid test scores, and we need to at least consider that we are putting our own tests at risk by not upgrading our security policies and procedures. We work too hard to just throw it all out the window on the assumption that we are doing everything in our power to keep our exams safe. The first step is to answer the three questions listed above, for as the various security industries listed above know, the continual evaluation of security practices is the first and most fundamental step towards protection.
Let’s get to it.
What are we protecting?
What are we protecting against?
With our focus now directed at protecting useful test scores, we need to look at the second question: what are we protecting test scores against… (continue reading).