AP Cybersecurity Unit 1 Lesson 5 Quiz

AP Cybersecurity — Unit 1, Topic 1.5

Topic 1.5 Quiz: Leveraging AI in Cyber Defense

5 questions. Timed. AP exam difficulty. Predict before you pick.

5 Questions • 8 Minutes AP Difficulty • Timed
Time Remaining 8:00
Exam Overview: 5 questions covering anomaly vs. signature detection, AI defense applications, human oversight, false positives/negatives, and the AI-vs-AI arms race. Format matches AP Cybersecurity exam style.
Q1 • Predict why legitimate activity might generate many false positives

An AI-powered anomaly detection system at a hospital has been operational for 45 days. In the last 3 days, it has generated 2,400 alerts — 10x the rate of the previous 6 weeks. Investigation reveals the hospital just completed a major EHR system migration that required all staff to access systems outside their normal patterns. What does this situation BEST illustrate about anomaly-based detection?

A The anomaly detection system malfunctioned during the migration and should be replaced
B Legitimate unusual business activity (system migration) can trigger excessive false positives because the behavioral deviation from the established baseline is real, even though the activity is authorized
C Anomaly-based detection is not suitable for healthcare environments
D The 2,400 alerts indicate a real attack that coincided with the migration
Q2 • Identify what human oversight step is violated by automatic deployment

A security team deploys an AI code vulnerability scanner on all web applications before deployment. The scanner flags a function as a SQL injection vulnerability at 0.93 confidence. The development team lead says: “The confidence is high enough — deploy the fix automatically without review.” Why is this approach problematic?

A AI confidence scores above 0.90 are always reliable and should be acted on automatically
B Even at high confidence, AI code findings require human review because: (1) false positives exist where AI misidentifies legitimate code patterns, (2) the proposed fix may break existing functionality, and (3) fixes must be tested in a staging environment before production — automated deployment bypasses all three safeguards
C The scanner should not be used because it cannot reliably identify SQL injection
D The fix should be deployed immediately to production to minimize vulnerability exposure time
Q3 • Define both terms before reading options

The difference between a true positive and a false negative in an intrusion detection context is best described as:

A True positive: the IDS correctly detected a real attack. False negative: the IDS missed a real attack and generated no alert.
B True positive: the IDS generated an alert. False negative: the IDS did not generate an alert.
C True positive: the attack was stopped. False negative: the attack was not stopped.
D True positive: a human confirmed the alert. False negative: no human reviewed the alert.
Q4 • Evaluate each statement independently before choosing

Which of the following accurately describes the relationship between AI security tools and human oversight?

I. AI security tools should be used to automate routine high-volume detection tasks (reviewing millions of log entries, scanning code, scoring emails), while human analysts handle contextual judgment and response decisions.
II. Once AI security tools are properly configured, human oversight is no longer required because AI accuracy exceeds human accuracy at scale.
III. Human oversight is most critical when AI makes consequential recommendations such as blocking traffic, isolating systems, or deploying code fixes — errors in these actions have direct operational impact.

A I and III only
B II and III only
C I and II only
D I, II, and III
Q5 • Classify each event independently before choosing

A company’s AI-powered SOAR platform is configured to automatically isolate any workstation that triggers three simultaneous anomaly conditions. The platform correctly isolated a workstation last Tuesday, preventing a ransomware spread. Today, it isolated the IT director’s workstation during a legitimate after-hours maintenance window she had not registered with the SOAR exception system. Which statement BEST describes both events?

A Both events represent failures — the SOAR platform should not be allowed to automatically isolate workstations
B Tuesday was a true positive (real attack correctly contained); today was a false positive (legitimate activity incorrectly isolated). Both demonstrate why SOAR platforms require exception management and human review processes for known authorized activities
C Today’s isolation was a true positive because any after-hours activity should be treated as an attack
D Tuesday was a false positive because the SOAR should have waited for human confirmation before isolating
AP Cybersecurity · Unit 1 · Lesson 1.5 · Quiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]