Severitas: Secure and Verifiable Test and Assessment Systems

Only a few years ago, testing and assessment systems were exclusively executed in pencil-and-paper and graded by hand; the grades were also notified or published in written reports. Today, due to the embracement of Information and Communication Technologies (ICT), the situation is changing considerably.  

Electronic testing and assessment systems (e-T&AS) are general protocols and digital tools originally proposed in educational testing to assess the skills, knowledge and performance of single individuals or organizations. Well-known examples are the TOEFL, TOEIC and GRE tests, administered by the Educational Testing Service (ETS), which had a revenue of more that 1,2 billion dollars in 2014. 

Under the term e-T&AS (electronic exams, digital assessment, online-assessment, or computer-based assessment systems) we find a plethora of applications and platforms: computer-assisted, partially using technology and partially pencil-and-paper; computer-based, fully relying of different digital instruments but executed by humans in human-controlled environments like university classes and offices; or fully automatized, operated remotely and offered as on-line services.  

This project intends to establish an information security foundation for e-T&AS, thereby enabling the development of secure and private by-design and by-default applications in the domain of computer-based assessment that in addition could comply with the principles of the GDPR.  In the long run this project seeks to actively contribute to have fairer and more equal assessments, which are among the most fundamental properties that assessments and exams are supposed to safeguard.

Goals:  

• Define threat models and security properties for e-T&AS, characterizing for instance the security requirements in terms of privacy, verifiability, auditability, accountability, and usability 
• Extend existing tools for formal analysis, to overcome current limitations for the analysis of the newly defined security properties 
• Design and Implement run-time monitoring solutions to detect cheating and attacks of socio-technical nature from all the parties involved
• Develop new usable secure e-T&AS protocols and implement them in a few significant use cases that this project has in use (e.g. OASYS) 

Impact: 

The project addresses security demands from players in the business of assessment systems and within education. 

• SEVERITAS’ outcomes will lead the development of secure usable e-T&AS, opening a new potential market in the sector.
• The collaboration of SnT, COSA and LUCET sets a precedent for further scientific collaboration between the University of Luxembourg and companies in reliable on-line services and education. 
• Our results will be applied to secure e-T&AS in France that have place at a national level: the “Épreuves Classantes Nationales Informatisées” for the medical community, and TELECOM Nancy for the Concours Mines-Télécom. 
• An international expert panel will be drawn from the research and business communities involved in e-T&AS; the mission will be to foster information exchange among the key stakeholders represented on the panel and to coordinate the advances on research and policies establishment. 
• Luxembourg and France will be among the first, if not the first, countries in Europe to develop a detailed framework for securing e-T&AS, thereby consolidating the Great Region’s strong reputation as promoters and providers of innovative and secure e-services in Europe.

Participating teams and institutions:

1. IRiSC, SnT, University of Luxembourg (https://irisc-lab.uni.lu)
2. LIG, University of Genoble Alpes (https://www.liglab.fr/en)
3. LIMOS, University Clermont Auvergne (https://limos.fr)
4. LORIA, University of Lorraine (http://www.univ-lorraine.fr)