Workplace Exams 101: How to Prevent Cheating

John Kleeman

Posted by John Kleeman

A hot topic in the assessment world today is cheating and what to do to prevent it. Many organizations test their employees, contractors and other personnel to check their competence and skills. These include compliance tests, on-boarding tests, internal certification tests, end-of-course tests and product knowledge quizzes.

There are two reasons why cheating matters in workplace exams:

Issue #1: Validity

Firstly, the validity of the test or exam is compromised; any decision made as a result of the test is invalid. For example, you may use a test to check whether someone is safe to sell your products, but if cheating happens, then he/she is not. Or you may be checking if someone is safe to do a task, and if cheating happens, safety is compromised. Tests and exams are used to make important decisions about people with business, financial and regulatory consequences. If someone cheats at a test or exam, you are making the decision based on bad data.

Issue #2: Integrity

Secondly, people who cheat at tests or exams have demonstrated a lack of integrity. If they will cheat on a test or exam, what else might they lie, cheat or defraud your organization about? Will falsifying a record or report be next? Regulators often have rules requiring integrity and have sanctions if someone demonstrates a lack of it.

For example, in the financial sector, FINRA’s Rule 2010 requires individuals to “observe high standards of commercial honor” and is used to ban people found cheating at exams or continuing education tests. In the accountancy sector, both AICPA and CIMA require accountants to have integrity and those found cheating at tests have been banned or otherwise sanctioned. And in the medical and pharmaceutical field, regulators have codes of conduct which include honesty. For example, the UK General Medical Council requires doctors to “always be honest about your experience, qualifications and current role” and interprets cheating at exams as a violation of this.

The well-respected International Test Commission Guidelines on the Security of Tests, Exams and Other Assessments suggests six categories of cheating threats shown below, alongside examples from me of how they can take place in the work environment.


ITC categoriesTypical examples in the workplace
Using test content pre-knowledge– An employee takes the test and passes questions to a colleague still to take it
– Someone authoring questions leaks them to test-takers
– A security vulnerability allows questions to be seen in advance
Receiving expert help while taking the test– One employee sits and coaches another during the test
– IM or phone help while taking a test
– A manager or proctor supervising the test helps a struggling employee
Using unauthorized test aids– Access to the Internet allows googling the answers
– Unauthorized study guides brought to the test
Using a proxy test taker– A manager sends an assistant or secretary to take the test in place of him/her
– Other situations where a colleague stands in for another
Tampering with answer sheets or stored test results– Technically minded employees subvert communication with the LMS or other corporate systems and change their results
Copying answers from another user– Two people sitting near each other share or copy answers
– Organized answer sharing within a cohort or group of trainees


If you are interested in learning more about any of the threats above, I’ve shared approaches to mitigate them in the workplace in our webinar, Workplace Exams 101: How to Prevent Cheating. You can download the webinar recording slides HERE.

What is the Single Best Way to Improve Assessment Security?

John KleemanPosted by John Kleeman

Three intersecting circles, one showing Confidentiality, one showing Availability and one showing IntegrityAssessment results matter. Society relies on certifications and qualifications granted to those who pass exams. Organizations take important decisions about people based on test scores. And individuals work hard to learn skills and knowledge they can demonstrate in tests and exams. But in order to be able to trust assessment results, the assessment process needs to be secure.

Security is usefully broken down into three aspects: confidentiality, integrity and availability.

  • Confidentiality for assessments includes that questions are kept secure and that results are available only to those who should see them.
  • Integrity for assessments includes that that the process is fair and robust, that identify of the test-taker is confirmed and that cheating does not take place.
  • Availability includes that assessments can be taken when needed and that results are stored safely for the long term.

A failure of security, particularly one of confidentiality or integrity reduces the usefulness and trustworthiness of test results. A confidentiality failure might mean that results are meaningless as some test-takers knew questions in advance. An integrity failure means that some results might not be genuine.

So how do you approach making an assessment program secure? The best way to think about this is in terms of risk. Risk assessment is at the heart of all successful security systems and central to the widely respected ISO 27001 and NIST 800-53 security standards. In order to focus resources to make an assessment program secure and to reduce cheating, you need to enumerate and quantify the risks and identify probability (how likely they are to happen) and impact (how serious it is if they do). You then allocate mitigation effort at the ones with higher probability and impact. This is shown illustratively in the diagram – the most important risks to deal with are those that have high probability and high impact.

Four quadrants showing high probability, high impact in red and Low probability, low impact in green. With yellow squares for high probability, low impact and low probability, high impact

One reason why risk assessment is sensible is that it focuses effort on issues that matter. For example, the respected Verizon data breach investigations report for 2017 reported that 81% of hacking-related breaches involved weak or stolen passwords. For most assessment programs, it will make sense to put in place measures like strong passwords and training on good password practice for assessment administrators and authors to help mitigate this risk.

There is no “one size fits all approach”. Some risks will differ between assessment programs. To give a simple example, some organizations are concerned  about people having reference materials or “cheat sheets” to look up answers in and this can be an important risk to mitigate against; whereas in other programs, exams are open book and this is not a concern. In some programs, identity fraud (where someone pretends to be someone else to take the exam for them) is a big concern; in others the nature of the proctoring or the community makes this much less likely.

If you’re interested in learning more about the risk approach to assessment security, I’m presenting a webinar “9 Risks to Test Security (and what to do about them)” on 28th November which:

  • Explains the risk approach to assessment security.
  • Details nine key risks to assessment security from authoring through delivery and into reporting.
  • Gives some real examples of the threats for each risk.
  • Suggests some mitigations and measures to consider to improve security.

You can see more details on the webinar and register here.

Assessment security matters because it impacts the quality and trustworthiness of assessment results. If you are not already doing it, starting a risk-based approach to analyzing risks to your security is the single best way to improve assessment security.

Exams and social media: is it really spying?

Steve Lay HeadshotPosted by Steve Lay

While I was traveling back from our US Users Conference several weeks ago, a debate was raging on social media following news that a testing company had been monitoring Twitter to detect evidence of leaked content. The Guardian newspaper, for example, reported that a New Jersey superintendent had found this ‘disturbing’.

In case you haven’t read about this case, here are the basics: after school, a student tweeted information about a test administered earlier that day. An automated Web monitoring system discovered the tweet, and the school was notified. The student later deleted the offending tweet.

According to the test provider, administrators are supposed to tell participants that sharing any test question online is prohibited. It isn’t clear from the press reports whether this warning was issued prior to the test or whether the student would have considered the tweet prohibited or not. Whatever the case may be, enough information was shared to trigger the automated warning.

Perhaps more interesting than the story itself is the reaction to it. Strong words have been used, but should monitoring social media really be regarded as spying?

The monitoring of online forums to check for exam leaks is not new. It goes back to the very earliest days of the Internet. When I first read about this case my first reaction was that this type of thing is happening all the time. Indeed, brand owners are constantly monitoring social media to help them understand the public’s reaction to their products and services and to help them target their advertising more effectively. Copyright owners also monitor the web to check for infringement. Trademark owners must pro-actively monitor for misuse to prevent their trademarks from becoming unenforceable. So if an organization has such rights, wouldn’t monitoring the web–including social media–to enforce them surely be expected?

This assumption is probably naive. Many people are not aware that this information is available in a form that can be subscribed to. They do not understand the subtle difference between a comment being made in a ‘public place’ like twitter and it being instantly discoverable. In our everyday experience, a conversation that happens in a public place like a café or store is not recorded, transcribed and then made instantly available to business partners of the venue. In this case, the student, the student’s parents and even the superintendent were surprised and shocked by the level of surveillance. They reacted as if a private conversation had been overheard.

It is interesting to contrast this recent case with one reported by Techcrunch in 2009, when information from Facebook was used to hold students to account for cheating. But in the Facebook case, the information was discovered by other students and brought to the attention of the test authorities. Why would the students do that? Likely because test takers are key stakeholders too! If cheating becomes commonplace, then the test will become worthless. So both the test publisher and the test taker have an interest in ensuring fair practice.

Coming back to the rogue tweet, what’s frustrating here is that there is no suggestion that the test taker was trying to cheat or to help someone else cheat. I haven’t seen the 140 characters in question, but it seems likely that the tweet was just a trivial extension of the type of verbal conversation that people frequently have after taking tests.

The mismatch in privacy expectations and the feeling that the student was being accused of malpractice were a toxic mix. Both of these can be avoided.

When monitoring people using CCTV or similar technologies, it is good practice to inform people that they are being monitored, and for what purpose. In many jurisdictions this may also be a legal requirement. Likewise, why not inform test takers of the type of monitoring that is taking place and why? This may have the added advantage of helping to inform them about the risks to their own privacy that over-sharing on social media can pose.

Also, when issues are flagged by monitoring services, test publishers should think carefully about any follow-up actions. Are these actions consistent with the stated purpose of the monitoring? Are they proportionate? Remember, the test taker and the test publisher should be on the same side!

What is the best way to reduce cheating?

John Kleeman HeadshotPosted by John Kleeman

There is a famous saying: “If you want to build a ship, don’t drum up the people to gather wood, divide the work, and give orders. Instead, teach them to yearn for the vast and endless sea.” This has a useful analogy in preventing cheating.

There are many useful technical and procedural ways of preventing cheating in tests and exams, and these are important to follow, but an additional, cost-effective way of reducing cheating is to encourage participants to choose not to cheat. If you can make your participants want to take the test fairly and honestly — by reducing their rationalization to cheat — this will reduce cheating.

Fraud triangle - Motivation, Opportunity and RationalizationAs shared by my colleague Eric Shepherd  in his excellent blog article Assessment Security and How To Reduce Fraud, cheating at a test is a variant of fraud.  Donald Cressey, a famed criminologist came up with the fraud triangle shown in the diagram to the right to explain why people commit fraud.

In order for someone to commit fraud (e.g. cheat at a test), he or she must have Motivation, Opportunity and Rationalization.  Motivation comes from the stakes of the test; for an important test, this is difficult to reduce. Opportunity arises out of technical and procedural weaknesses in the test-taking process, and you can obviously strengthen processes to reduce opportunity in many ways.

Rationalization is when someone reconciles their bad deeds as acceptable behavior. We all have values and like to think that what we are doing is right. When someone conducts fraud, they typically rationalize to themselves that what they are doing is right or at least acceptable. For example, they convince themselves that the organization they are robbing deserves it or can afford the loss. When cheating at a test, they say to themselves that the test is not fair or that they are just copying everyone else or they find some other excuse to rationalize and feel good about the cheating.

Here are some ways to make it less likely that people will rationalize about cheating on your test:

1. Formalize a code of conduct (e.g. honesty code) which sets out what you expect from test takers. Communicate this effectively well in advance and get people to sign up to it right before taking the test. For example, you can put it on the first screen after they log in. This will reduce rationalization from people who might claim to themselves they didn’t know it was wrong to cheat or that everyone cheats.

2. Provide fair and accessible learning environments where people can learn to pass the assessment honestly, and provide practice exams so people can check their learning. Rationalization is increased if people think there is no other way to pass the test than cheating.

3. Make sure that the test is trustable (reliable and valid) and fair. If the test is not seen as fair,  people will be less like to rationalize that it’s permissible to cheat.

3. Communicate details of why the tests are there, how the questions are constructed and what measures you take to make the Cheat sheet in a juice box test fair, valid and reliable. Again, if people know the test is there for good reason and fair, they will be less motivated to cheat.

4. Maintain a positive public image. This will reduce rationalization by people claiming that  the assessment provider is incompetent or has other faults.

5. Communicate your security measures and how people who cheat are caught.  This makes people less likely to think they will be able to get away with it.

For many organizations — in addition to other anti-cheating measures — it can be very productive to spend time reducing participants’ rationalization to cheat, thereby helping them choose to be honest. The picture on the right shows a “cheat sheet” or “crib sheet” hidden in a juice carton. Think of ways you can encourage participants to use their inventiveness to learn to pass the exam, not to believe it’s okay to defraud you and the testing system.

I hope you find this good practice tip helpful. I’ll be presenting at the Questionmark Users Conference March 10 – 13 on Twenty Testing Tips: Good practice in using assessments. Taking measures to reduce rationalization for cheating will be one of my tips. Register for the conference if you’re interested in hearing more.

9 Tips to Prevent Cheating and Ensure Test Security

Chloe MendoncaPosted by Chloe Mendonca

The security of test results is crucial to the validity of test scores. Check out 9 tips to prevent cheating and ensure test security in the  infographic below.

If you’d like more details about these and other tips on ensuring the security and defensibility of your assessments you can download our white paper: Delivering Assessments Safely and Securely. [Free after registration]

Prevent Cheating and Ensure Test Security from Questionmark‘s Slideshare page

Secure Testing in Remote Environments: A SlideShare Presentation

Headshot JuliePosted by Julie Delazyn

How can you be sure that someone taking an online exam away from a testing center or classroom is adhering to the guidelines put in place by your instructional staff?

This SlideShare presentation will demonstrate how instructors can prevent or catch cheating and ensure a secure environment for employees or students taking tests in their homes, offices and other locations.

The slides are from a Best Practices sessions at the 2013 Questionmark Users Conference: Don Kassner of ProctorU discussed strategies for reducing incidents of dishonesty online, and Maureen Woodruff of Thomas Edison State College explained how online proctoring enables the college to administer tests securely to thousands of online learners.

This presentation offers a glimpse into the kind of discussions and sessions you can find at our Users Conferences. Registration is already open for the 2014 Users Conference March 4 – 7 at the Grand Hyatt on the beautiful Riverwalk in San Antonio, Texas. Discounts are available for groups and early registrants. Sign up soon and plan to be there!