Security and Online Screening: What You Need to Know

Over the past few years we have dedicated a lot of time to understanding some of the major issues that are presenting obstacles to the adoption of online screening and assessment tools. Unfortunately for those of us who believe strongly in the value of these tools, there seem to be a heck of a lot of potential obstacles out there. Our continued belief that the benefits of online screening and assessment far outweigh the potential consequences has led us to address these obstacles head on by helping to promote an understanding of the reality behind them. So, in keeping with our mission of continuing education, this article provides an overview on the topic of security, which we feel represents one of the major areas of concern around the use of online screening and assessment. While security issues surrounding the use of online assessment tools are not usually in the top two or three reasons why organizations don’t use them, they do represent a real and legitimate concern. There are several types of security concerns that you need to be aware of. Although each concern is related, we feel they break down into four major areas:

1. Security of assessment content. This includes ensuring that the contents of the test themselves are secure and that test items are not available to people who will be taking the assessment. Addressing these types of concern require several different types of security measures, including the use of technology to secure test content and the use of advance test development techniques to ensure that each person taking the test sees a different set of test questions. Any breech of this type of security can be a major problem, because it will severely limit the predictive value of assessment results.
2. Security of assessment results. This type of security involves ensuring that only authorized individuals are able to gain access to the results of the assessment process. Test results are highly sensitive information and access to them must be controlled. Another issue with this type of security is security that ensures that unauthorized individuals cannot gain access to the test system in order to make changes to the test scores stored within.
3. Misrepresentation of candidate identity. Most of the concerns we usually hear about are related to this type of security. Remote access to assessments has created very real concerns about the ability to ensure that the test taker is who they say they are. At the present time there is no way to offer full remote access to assessments while also providing absolute verification of test-taker identity. This can create real problems for organizations that make important staffing decisions based even partially on test results.
4. Security against candidate faking. This is another type of concern that we hear about rather often. It applies mostly to assessments such as personality tests or work values tests that do not contain objective questions with a clear right or wrong answer. Another facet of this dimension is embellishment (or outright lying) on resumes or other material designed to provide organizations with general background information about a candidate’s qualifications for a specific job. Each of these security problems are a legitimate concern for organizations that plan to use some form of web-based screening or assessment tool. Each can have a major impact on the ability of the assessment to do its job by systematically identifying individuals who have what it takes to succeed at the job they are applying for. Unfortunately, the ramifications of this on the organization using assessments can be disastrous in many ways.

Major outcomes associated with breeches of security can include:

• Mistakes (false positives or false negatives). This means failing to hire an applicant that is actually a good match or hiring one that is actually a bad match. Compromises to security can mean that your organization makes hiring decisions based on inaccurate test results. This situation can be a problem because, as we are all painfully aware, hiring people without the ability required to perform a job can cause problems that extend beyond that individual to others who rely on his or her work in order to do their own jobs.
• Attenuation of assessment ROI. Inaccurate test results can have a major confounding influence on the ability for organizations to measure the outcomes of their hiring processes. Test results that are not truly representative of an applicant’s ability can obscure the real value of an assessment, making it harder for those who believe in the value of assessment to build a business case for its use.
• Inaccurate aggregate data. Any data related to the efficiency or effectiveness of the hiring process can be compromised by security issues. This makes it very difficult for organizations to make effective decisions needed to manage their staffing process on a daily basis.
• Erosion of employment brand. Although we have not seen any examples of this yet, a major testing security breech would be very bad press for an organization. Such a situation could severely disrupt the organization’s ability to attract applicants.
• Potential legal issues. Although there have been no legal issues related to web-based assessment thus far, it is possible that problems with security could lead to any number of legal problems, including lawsuits related to discrimination or applicant privacy, and problems related to the actions of catastrophic hires who should have been weeded out during the hiring process.

The severity of the above outcomes should make it clear that security is an important issue that must be addressed whenever web-based screening and assessment tools are to be used. Still, it is important that one does read too much doom and gloom into our mention of these potential problems. The good news is that there are very solid defense measures available for each of the major types of security problems we have been discussing. In fact, with a little bit of effort, most organizations should be able to create a very effective security plan that ensures the integrity of their online testing and assessment efforts. Some such strategies include:

• Security of assessment content. There are a variety of ways in which test content can be secured against attempts to steal or share questions or answers. Most of the strategies in this area involve mixing up test content so that no two test takers ever get the same exact test. This makes it very hard for those who are using stolen test questions to have an advantage on the test. One way to ensure the rotation of test content is through advanced test construction techniques based on a science called Item Response Theory (or IRT). IRT can be an important part of the creation of tests that use the benefits of technology to adjust the level of difficulty of items to the ability level of the test taker. This means that no two test takers are likely to get the same questions. Although not as complex as computer adaptive testing, the simple randomization of test items also represents an effective way to help secure test content.
• Security of test results. The strategies in this category all deal with technology-based security measures designed to ensure that access to secure information is limited. The same types of tools designed to help provide security for sensitive financial information is available to those wishing to secure the contents of assessment-related databases. These include things such as firewalls, data encryption, and server security. Another good security measure involves the ongoing monitoring of those accessing sensitive databases.
• Misrepresentation of identity. As we noted earlier, this is the security breach that is most commonly associated with online testing. The most common way to guard against this problem involves the administration of assessments in a proctored environment where identity can be verified by a third party. While not foolproof, proctoring is a very good way to ensure that the person taking an assessment is who they say they are. The downside of proctoring is that it does not allow for the full benefits of remote testing. In many online screening and assessment models, organizations wish to collect data remotely before deciding to expend more resources on evaluating a candidate. Organizations wishing to take full advantage of the ability of remote assessment to screen out unqualified individuals do have some options. The most common of these is to build redundancy into their selection process such that the results of initial screening efforts can be verified during later, more intensive testing. This model has been shown to work quite well. Still, organizations wishing to ensure security should consider proctoring. Proctoring is a very effective strategy and research has even shown that it can make a positive difference in how candidates perceive an organization’s hiring process. The logistics of proctoring have been made even easier in the past few years by the willingness of third party organizations, such as Kinko’s or Kaplan Testing Centers, to provide identity verification and proctoring for vendors of online assessments.
• Candidate faking. While it may never be possible to completely eliminate this security problem, there are many things organizations can do to eliminate problems in this area. First of all, the way in which the organization presents the assessment process to the candidate can have a big difference in this area. Organizations should take the time to explain to candidates the value of the assessment for both parties involved and that faking could result in a mismatch that may make an unqualified applicant unhappy when they find they are not able to do their job or that they don’t fit into their work environment. A second type of defense against faking is the use of so called “lie” scales that are built into some assessments. These scales are most commonly included in subjective tests that have no right or wrong answer. They work by presenting questions that are able to detect if a candidate is trying to make themselves look favorable and provide a red flag for hiring personnel.

In our opinion, the best plan for managing security issues is to deploy a layered approach that involves using different security measures that have been designed to address different threats. Because the threats you may face will differ based on the type of assessment you are using and where this assessment fits into your overall hiring process it is important to make sure that your process and the security measures you use to protect it are in sync. Much of the burden for supplying security and security related advice falls on the vendor who is supplying the assessment content. A good vendor should have plans in place to address each of the concerns mentioned in this article and should be able to clearly address each type of concern. In order to help provide a better understanding of how to approach the issue of test security and web based testing, we offer the following tips:

• Identify your security concerns and use them to create a set of security requirements before you begin searching for vendors. It is important to have a good baseline understanding of what security means to your organization and what constraints or requirements your specific environment will place on the use of web based testing. This should not be an afterthought but rather a central part of the development of your hiring process.
• Use security as a part of the vendor selection process. It is important to investigate vendors’ ability to provide you with the security you feel you need. If a vendor is not able to give you peace of mind about the security of their product, move on.
• Ensure security measures are being used appropriately and in sync with your hiring process. For instance, many companies use unproctored testing for more subjective tests (i.e., personality tests) that do not have clear right or wrong answers, and then use proctoring to administer cognitive or knowledge based tests.
• Ensure ongoing monitoring of security. In the age of the Internet, security is an ongoing battle. You can’t rest on your laurels once you have put a system in place. It is critical to provide ongoing monitoring of your security measures to ensure they are up to date and functioning effectively.
• Conduct research help understand how well your investment in security is working. Why not gather some data about how applicants or internal hiring personnel are reacting to your security measures> This type of information may be quite valuable for future security efforts.

While security is a concern, it is not a reason to avoid using online assessments. Rather, a full understanding of security issues that is carefully used to build a layered approach to providing security over both test data and test content is the best approach. Security is also something any good vendor should be able to assist you with. It would be wise to think twice about using any vendor that cannot provide the level of security you feel is required for the piece of mind you need to feel comfortable with web-based testing.