Security Review: Final Examinations

By petermil at 3:40 pm on March 13, 2009

Final exams are just around the corner (or in some cases may already have been taken if they’re in-class ones)!  I figured I’d write a security review about the system of final exams.

Assets and Goals:

  • Pre-knowledge of questions
  • After the fact, knowledge of other people’s grades
  • During the test, forbidden knowledge
  • During the test, having unauthorized person take test

Adversaries:

  • Students are essentially the only adversaries.  Sabotage by rival professors seems rather unlikely ;).
  • Others may be interested for whatever reason in learning the score of a particular student on an exam.

Weaknesses:

  • Examinations may be handled at multiple locations prior to the test
  • Professors may be lax about security
  • Overly large class sizes may overwhelm proctors, keeping them from preventing cheating
  • Lack of careful ID checking

Potential Defenses:

  • Provide one centralized location for professors to print out / copy their exams in advance, so that they do not run the risk of someone listening to network traffic or grabbing a copy off the copier.
  • Ensure professors are familiar with security procedures to prevent students from sneaking into their offices.
  • Ensure professors are given an adequate number of proctors to prevent cheating (plainclothes proctors, i.e., proctors who pretend they are students also taking the exam, can also be particularly effective as, although they cannot patrol such a large area, other students may be less wary about them noticing cheating)
  • Have proctors check IDs of all students taking exams (I think I’ve had my ID checked a single time in 4 years, and many of those classes have been large lecture classes like Chem 142 where it’s doubtful the instructor recognized me)

Discussion and Conclusion:

There are many different types of cheating which students can do during an exam.  First of all, we need to consider what allowance the exam has for outside notes.

Particularly vulnerable to this is a class which is book only–I think I’ve only ever had one of those, but it’s extremely weak by default, as students can easily write in the margins of specific pages and, as long as they are not stupidly blatant, will not be caught.  Solution: make everyone randomly swap books at the start of class.  Weakness: time-consuming and difficult to ensure everyone gets their book back.  Conclusion: book-only exams are annoying to make work properly; better to allow book + notes or neither.

Book + notes only is much easier to patrol.  Essentially the only sources disallowed are electronic sources or other people.  In this case, a sufficient number of proctors needs to be around in order to ensure that students do not use cellphones (laptops are a little blatant for this).  Solution: proctor numbers.  Conclusion: relatively easy.

Book + notes + internet is quite difficult, as the laptop use must be monitored to prevent people from simply feeding the questions to a friend sitting at a computer at home who has already taken the class.  As security people, of course, we know that you could monitor network traffic, but this is not very easy and requires specialist knowledge that most professors and proctors are going to lack.  Easier is to just patrol the laptops, and require them all to sit in one location, at the front of the room.  A few plainclothes proctors sitting near / behind them can be a great help here, as alt-tabbing when an obvious proctor is coming is quite easy, but they won’t know the person behind them “taking the exam” is watching their screen.  Solution: plainclothes proctors.  Conclusion: riskier, but doable

No books/notes/internet is also pretty easy–visibility is key here.  As long as a proctor can see people without too much effort, large areas can be patrolled, as looking at notes will often cause quite a bit of noise.  Additionally, fellow students can easily identify and report the student who is cheating (emphasize the fact that the test is curved so they have a motive to do so 🙂 )

Overall conclusion: exams are rife with weaknesses.  Some professors post grades online using the last digits of student ID #s as the index.  Although these are not going to be unique, with knowledge of which classes a specific student is taking, accessing just a few of these classes will give an extremely high probability of figuring out which student it is.  People glancing quickly at another student’s paper are another large risk (which can be minimized by ensuring spacious seating/different versions of exams + non-multiple choice).
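To check how much the ID-suffix index described above leaks before a grade sheet is posted, the following added example (not part of the original post) counts, for each student, how many suffixes remain consistent with their full class schedule. The rosters, class names and ID numbers are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample rosters (class -> enrolled student IDs); not real data.
ROSTERS = {
    "CHEM142": ["1048213", "1077213", "1120934", "1093471", "1150088"],
    "CSE484": ["1048213", "1120934", "1166502"],
    "MATH308": ["1048213", "1093471", "1150088"],
}


def posted_index(roster, digits):
    """Suffixes that would appear on one class's public grade sheet."""
    return {sid[-digits:] for sid in roster}


def linkable_suffixes(rosters, classes, digits):
    """Suffixes present on every sheet in `classes`.

    This is the set an observer is left with when they know which
    classes one person takes but not that person's ID number.
    """
    sheets = [posted_index(rosters[c], digits) for c in classes]
    return sorted(set.intersection(*sheets))


def audit(rosters, digits):
    """Map each student ID to the number of suffixes consistent with
    their whole schedule. A value of 1 means the sheets, taken together,
    single out that student's rows."""
    schedule = {}
    for cls, roster in rosters.items():
        for sid in roster:
            schedule.setdefault(sid, []).append(cls)
    return {
        sid: len(linkable_suffixes(rosters, classes, digits))
        for sid, classes in schedule.items()
    }


if __name__ == "__main__":
    for sid, n in sorted(audit(ROSTERS, 3).items(), key=lambda kv: kv[1]):
        flag = "SINGLED OUT" if n == 1 else "ambiguous"
        print(f"{sid}: {n} consistent suffix(es) -> {flag}")
```

Index codes issued independently for each class remove the common key that this intersection relies on.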

The lack of security knowledge of many professors means it would be relatively simple to steal into their office during lunch (for example) and grab the graded finals.  Doing this would obviously cause great chaos if the exams hadn’t been entered into the system yet, but even apart from that it would violate students’ privacy, since they expect not to have their grades plastered all over the internet.

Filed under: Security Reviews