Securing BYOD exams with Inspera SEB

Hans Fredrik Unelsrød
March 5, 2019

Online assessment has brought us a myriad of benefits. E-assessment solutions allow users to better manage their exam processes, support new question types, better safeguard consistency in grading, and benefit from high-quality learning analytics. However, e-assessment also brings some additional challenges. In the days of old, the security of exams basically consisted of having a set of stern-looking invigilators patrolling the exam hall, keeping a watchful eye on a battery of students scribbling frantically away at their papers. Yet as time moves forward and the nature of assessment becomes more digitised, so too must the means by which we ensure its integrity. In this article, we discuss the technology behind Inspera SEB and how it helps secure exams, specifically Bring-Your-Own-Device (BYOD) exams.

Trust in the exam environment

Although it may differ in appearance, the computer lab is in fact no unfamiliar setting for the seasoned invigilator: just as with the traditional pen-and-paper exam, the conditions of the exam can be tightly controlled. The institution owns and configures the hardware, software and physical layout of the environment in which the tests are taken.

In security, the components of a system are often thought of in terms of trust. The same thinking applies to the situations described above. Because they control them, institutions instinctively and implicitly trust the environment, the means and the content of an exam. The only untrusted element in the system is the student.

Still, there are many aspects that have to be considered when locking down a computer lab for high-stakes testing. A wide range of operating system features need to be disabled, and keyboard commands that would otherwise serve as shortcuts to features like Apple’s voice assistant Siri need to be blocked.

A BYOD setting is even more challenging: lost is the home field advantage of having tight control (and thus implicit trust) of the means of exam delivery. In other words: the exam is being taken in (potential) enemy territory. Given this loss of control, the prospect of running BYOD exams has been daunting for some institutions, who feel that the benefits of BYOD are outweighed by the risk to the integrity of their examinations.

Enhanced security with Inspera SEB

Although it might now seem to the reader that BYOD is entirely impractical, there is (as with most technical problems) a technical solution. Enter Inspera SEB. Tailored to BYOD and hardened against attack, we are proud to have developed a solution that, through a combination of an open source core and proprietary anti-cheat measures, hands back control to the institution.

To understand how our approach works, it is important to understand the implications of the inability to fully trust the environment your code executes in. Because any program (open source or otherwise) is potentially subject to modification, any technical protection measures based on restricting user activity can, with enough effort, be bypassed.

History has shown that focusing purely on hardening and obfuscating how an application works results in an “arms race” between the application developer and attackers trying to crack the application open [Schrittwieser, Sebastian, et al. “Protecting software through obfuscation: Can it keep pace with progress in code analysis?” ACM Computing Surveys (CSUR) 49.1 (2016): 4]. Although this doesn’t mean we are entirely abandoning such functionality, we saw the need to explore another approach towards exam security.


A data-driven approach

If we are to accept that manipulating the program will always be possible, we must instead focus our efforts on detecting when this occurs. We collect a wide range of metrics during the course of the exam, including:

  • Data on other programs running
  • Information about the hardware the application is running on
  • The integrity of the application

This data is not just utilised during the exam itself, but is retained in the long term and analysed after the fact. This approach has a double purpose: to allow us to build a large data set to better detect outliers, and to detect cheating long after the exam has ended. The effect of this is to sow seeds of doubt amongst those who seek to gain an unfair advantage - while their attempts may have initially appeared to succeed, our tooling can ingest the information required to indicate foul play.
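One way to run this kind of after-the-fact review over retained session records, as an added example that is not Inspera's code: the record fields, process names, hash placeholders and the rarity threshold are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data: one retained record per exam session (all values invented).
KNOWN_GOOD_HASHES = {"hash-of-release-build"}  # placeholder, not a real digest
COMMON = {"lockdown-browser", "explorer", "svchost"}
GOOD = "hash-of-release-build"
SESSIONS = [
    {"id": "s1", "app_hash": GOOD, "vm": False, "processes": COMMON},
    {"id": "s2", "app_hash": GOOD, "vm": False, "processes": COMMON},
    {"id": "s3", "app_hash": GOOD, "vm": False, "processes": COMMON},
    {"id": "s4", "app_hash": GOOD, "vm": False,
     "processes": COMMON | {"unknown-helper"}},
    {"id": "s5", "app_hash": "hash-of-modified-build", "vm": False,
     "processes": COMMON},
    {"id": "s6", "app_hash": GOOD, "vm": True, "processes": COMMON},
]


def review_sessions(sessions, known_good_hashes, rare_fraction=0.2):
    """Return {session_id: [reasons]} for sessions that deserve manual review."""
    # In how many sessions of the cohort was each process name observed?
    seen = Counter(p for s in sessions for p in s["processes"])
    threshold = rare_fraction * len(sessions)
    findings = {}
    for s in sessions:
        reasons = []
        # Integrity of the application: binary digest must match a released build.
        if s["app_hash"] not in known_good_hashes:
            reasons.append("integrity: unknown application hash")
        # Hardware information: here a hypothetical "running in a VM" flag.
        if s["vm"]:
            reasons.append("hardware: virtual machine reported")
        # Other programs running: anything seen in very few sessions is an outlier.
        rare = sorted(p for p in s["processes"] if seen[p] <= threshold)
        if rare:
            reasons.append("processes: rare in cohort: " + ", ".join(rare))
        if reasons:
            findings[s["id"]] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in review_sessions(SESSIONS, KNOWN_GOOD_HASHES).items():
        print(sid, reasons)
```

Because the records are retained, the same function can be re-run later over a larger cohort or with an updated set of known-good hashes, which is what makes detection possible after the exam has ended.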

Additional Verification

For customers that want even further security, Inspera has developed software that can be run from a USB thumb-drive and that provides additional validation of the software running on the computers of test takers. By not distributing this software directly to test takers, but rather running it from a USB thumb-drive, ahead-of-time access to the validation software is prevented. This prevents test takers from knowing how validation is done, and it prevents tampering with both the lockdown browser and the validation software.

However, security is not solved with a silver bullet. Rather, it’s a continuous process of iterating and making improvements. We will continue to dedicate ourselves to providing a solution that gives exam administrators peace of mind, for both computer lab and BYOD settings.

Learn more?

Do you want to learn more about how BYOD is secured by Inspera Assessment? Read about the concept of Bring Your Own Device (BYOD) and the principal benefits and drawbacks of this exam delivery strategy in our blog post on BYOD.
