A Threat to Your Career: Combating Certification Fraud
BackBy Bill Horzempa — September 2008
There is a problem in the IT certification business. It affects all of us in the industry: hardware and software companies that sponsor certification programs, IT professionals who seek certification to validate their skills and employers who use certifications to identify qualified workers.
Yet this problem is the elephant in the room that everyone knows is there, but no one wants to acknowledge. What is it?
It’s certification fraud.
When people cheat to obtain IT credentials, the value of certification is diminished for everyone. Fraud destroys the trust employers and individuals have in brand-name certifications that are the foundation of the IT profession. Rumors of cheating lead to doubt about the qualifications of all people who hold credentials.
Employers no longer can assume that candidates can do a job, even if their certifications indicate they should have the requisite knowledge and skills. And when employers don’t value certification as a hiring, promotion or compensation criterion, IT professionals don’t see the value in attaining certification.
But certifications are important baseline measures of competency, since the IT industry doesn’t offer objective license programs to measure qualifications like in the pharmaceutical industry.
Therefore, some of the major players in the IT industry are banding together to attack this issue head-on. For the first time, companies such as Microsoft, IBM, HP, Sun Microsystems, Prometric and many others collaborated for the same end goal, resulting in the creation of the new IT Certification Council (ITCC).
Fraud is not a new problem; it has been around for years. What is new is the concerted, collaborative effort to eradicate it.
What Is Certification Fraud?
Certification fraud is a fancy phrase for cheating to provide or obtain a credential. Why do people cheat? Because companies want assurance that the people they’ve hired to design, build and manage the infrastructure and develop and deploy the applications are highly qualified IT professionals, and IT certifications help to offer this assurance.
In the IT certification market, fraud is manifested mainly in two ways: providing illicit information or materials that help a person pass (or appear to pass) a qualifying exam, and using such materials or other improper means to pass an exam.
The people who provide the materials do so largely for financial gain. For example, you can visit any number of “brain dump” sites to purchase an actual certification exam. Of course, these materials are marketed as “study aides,” but in reality they are stolen intellectual property.
Certifying agencies never provide test materials to third-party vendors to sell or distribute. So how do brain dump sites obtain the test materials? Oftentimes, people take a certification test for the explicit reason of memorizing or otherwise capturing questions and answers and then reconstructing the exam for later sale.
The other side of cheating involves an individual who uses illegal materials or means to pass an exam or obtain a certificate. Examples of this type of cheating include purchasing exam materials from a brain dump site prior to sitting for the exam; allowing another person to take a certification exam on your behalf; using forbidden materials or information during an exam; colluding with an exam proctor to obtain a passing score; and buying a fake certificate.
It’s worth noting that some candidates cheat without knowing it and certainly without intending to do so. The student who purchases a “study aid” from a brain dump site might think he or she is buying information authorized by the exam developer. It’s only after sitting for the exam that test-takers learn they inadvertently bought the actual exam items. Intentionally or not, these students have benefited from illicit materials.
The Ramifications of Cheating
When certification fraud occurs, everyone loses: individuals, employers, certification agencies — even the general public.
At the individual level, a person who cheats risks not only certification status, but also his or her career and reputation. Most certifying agencies state in their security policies that a person who is suspected or found guilty of cheating can be subject to consequences such as nullification of exam results, loss of existing credentials, expulsion from the certification program and even notification of the employer. It’s possible for a person to ruin a career over certification fraud.
The company that employs a cheater can be affected in numerous ways, as well. For example, an unqualified employee might be placed in a position of great responsibility. And IT projects staffed with unqualified personnel have a greater rate of failure and can result in huge financial losses for the company. Also, if the employer happens to be a value-added reseller of IT solutions from a specific manufacturer, it could lose authorization to sell the manufacturer’s products.
Certification fraud also robs IT solution manufacturers of their intellectual property. A single certification examination costs hundreds of thousands of dollars to develop. When elements from the exam are for sale, that investment is diminished.
Finally, the general public can be put at risk by certification fraud. Suppose, for example, that a credit card validation system is compromised because an unqualified individual designed it. This can put credit information for thousands or millions of people at risk and can cause millions of dollars in damages.
ITCC is working to combat certification fraud in a number of ways.
First, the member companies are working with test centers such as Prometric and Pearson VUE to analyze the test results from every exam to understand how people take the exams. This data can help establish a baseline of behavior, such as how long a person typically spends on each item and the overall test. ITCC then can identify anomalous scores and results and probe further to determine if cheating was the root cause.
Though the IT vendors are not sharing the data forensics from individual exams, when one company discovers a rash of anomalous behavior or test scores in one testing center, it will let peers know so the center can be monitored or investigated.
Another initiative by ITCC to eliminate cheating is the clearinghouse project, which could be ready for implementation in 2009. The project involves the creation of a universal student ID that will allow an individual to tie all of his or her vendor certifications to a single number.
Another ITCC project involves identifying organizations that illegally obtain exams and sharing ideas on how to combat this activity. However, eliminating these Web sites is like playing a game of Whac-a-Mole: If you strike one down, another pops up quickly to take its place. Many of the operators are outside the United States, making it difficult to pursue legal action to shut the sites down. ITCC is focusing on how to put controls in place that will make it more difficult for these organizations to obtain tests and sell them on the black market.
Another way ITCC i- working to eliminate cheating is by encouraging companies to tweak the layout of their exams. Currently, many exams are constructed in such a way that test-takers simply need to recall and repeat information. It’s easy to memorize the content of such exams, and therefore it’s easy for test-takers to post the items on brain dump sites or help forums.
Exam developers now understand this and are constructing them differently. For instance, they now routinely use multiple versions of a specific exam, where the test items are similar in content but different in style. Some tests are in a dynamic form, where a computer generates a unique test for each candidate. A few vendors embed stealth questions in their exams to determine if people have used brain dumps to prepare.
Additionally, performance-based exams are becoming more common as the time and expense to develop them are coming down. In a performance-based exam, the student has to perform specific actions in a simulated or virtual environment. A test-taker enters a virtual lab, where he or she might be asked to diagnose and fix a software configuration problem. The student switches between the virtual lab, where activities are performed, and the Internet-based test, where responses are given to the test questions that relate to the activities.
Performance-based exams are favored by companies such as Cisco, Microsoft, Citrix and HP because the results are more accurate in testing a candidate’s ability to perform job-related tasks and because the exams make it more difficult for cheaters to get answers.
Some IT companies also are including a “why” component in their training course content. This ensures students not only learn how to perform required tasks, but that they understand why it’s important. Citrix uses this methodology in its Citrix Certified Integration Architect (CCIA) track.
Test centers also are helping to address the problem of fraud. Candidates who appear in person to take a proctored exam might be photographed or fingerprinted. They must provide a signature that is stored as part of their profiles. These processes help to identify people who take tests on behalf of others.
Finally, many IT vendor exam developers are joining the security initiative started by the Association of Test Publishers (ATP). ATP is another group that is sharing resources and information with a common goal of combating certification fraud and increasing the value of testing and certification.
Protect Your Investment in Certification
It’s in your best interest to help ensure certifications maintain their value.
When you visit technical forums where members discuss certification, add your comments to discourage use of brain dump sites. Some certification candidates may not know that using materials from brain dump sites is illegal and can harm them.
Also, report instances of known or suspected fraud to the certifying agencies. If you find certification tests or questions posted to Web sites or forums, tell ITCC where it can find the materials so the matter can be addressed.
As you prepare for additional certification exams, use the study aids provided by the certifying agencies. Do not shop the Internet for test questions or “study materials,” as they are likely to be stolen intellectual property.
IT certification still is important. If we work together to uncover and eradicate fraud, we’ll increase the value of these credentials.
Bill Horzempa is chairman of the IT Certification Council and director of global certification and partner education development for Hewlett-Packard. He can be reached at firstname.lastname@example.org.