Free Practice Questions for CompTIA CY0-001 Exam

Basic Concept: Cybersecurity threats evolve continuously, with new attack variants emerging regularly. The choice between traditional statistical models and ML models for attack classification depends on which better handles the complexity and dynamism of the threat landscape. CompTIA SecAI+ covers ML model advantages for cybersecurity under basic AI concepts.

Why A is Correct: ML models can learn arbitrarily complex, non-linear relationships from training data and adapt to new patterns when retrained with updated data. For attack classification, this means ML can recognize sophisticated, multi-feature attack patterns that exceed the capabilities of simple statistical models and can be updated to detect new attack variants as the threat landscape evolves. This adaptability to complex and changing problems is the primary reason analysts prefer ML over static statistical approaches.

Why B is Wrong: ML model development pipelines are generally more complex than statistical models, requiring data preparation, feature engineering, model selection, training, validation, and deployment steps. Simplicity of development is not a characteristic advantage of ML over statistical models.

Why C is Wrong: ML models typically require large amounts of training data to perform well. Statistical models often perform better than ML with small datasets. Performance with small datasets is actually an advantage of statistical models over ML, not ML over statistical.

Why D is Wrong: Community support and expert availability are ecosystem considerations rather than technical reasons to prefer ML for cybersecurity classification tasks. These factors might influence tool selection but do not explain the fundamental technical preference for ML ' s superior handling of complex attack patterns.

Basic Concept: Operating AI systems within a budget requires direct control over the primary cost driver of LLM usage. For research environments where users may run extensive queries, token consumption management is the most effective budget control mechanism. CompTIA SecAI+ Study Guide covers token limits as the key cost management control for AI environments.

Why D is Correct: Token limits set hard caps on the maximum tokens consumed per request and per session, directly controlling the per-interaction cost of LLM API usage. In a research environment where users may submit complex, multi-part queries generating long responses, token limits prevent any single interaction from consuming disproportionate budget and enable the administrator to enforce aggregate budget constraints across all users and research activities.

Why A is Wrong: Prompt firewalls inspect and filter prompt content for security and policy compliance. They are security controls designed to prevent malicious or policy-violating prompts, not financial controls for managing token consumption or enforcing budget limits.

Why B is Wrong: API access controls manage authentication and authorization for API interactions, governing who can connect to the AI API. While restricting API access could limit who uses the system, it does not control how much budget individual authorized users consume through their research queries.

Why C is Wrong: Model guardrails enforce content policy and behavioral constraints on model inputs and outputs. They ensure safe and appropriate responses but do not limit the computational resources or tokens consumed by interactions, making them unsuitable as budget enforcement controls.

Basic Concept: Class imbalance in training data — where some categories have significantly more examples than others — causes ML models to be biased toward the majority class, producing poor detection of minority class threats. Addressing this imbalance before training is critical for threat classification accuracy. CompTIA SecAI+ covers data preparation techniques under basic AI concepts.

Why B is Correct: Data augmentation addresses class imbalance by artificially increasing the number of training samples in under-represented classes. Techniques include oversampling minority classes by creating synthetic examples using methods like SMOTE (Synthetic Minority Over-sampling Technique), or undersampling majority classes. This balances label distribution and enables the model to learn decision boundaries that accurately classify all threat categories, not just the dominant ones.

Why A is Wrong: Data lineage documents the origin, movement, and transformation of data throughout its lifecycle. It provides traceability and auditability but does not address class imbalance in training data distribution.

Why C is Wrong: Data provenance records the history and context of data origins. Like lineage, it is a governance and tracking concept that does not alter data distribution for model training balance.

Why D is Wrong: Data verification confirms that data is correct and consistent with expected formats and values. It checks data quality and integrity but does not address the statistical distribution imbalance between threat classes in training datasets.

Basic Concept: When employees interact with public-facing LLMs, any data they input may be processed, logged, or used for model training by the third-party provider. This creates serious regulatory and compliance risks, particularly when sensitive corporate or customer data is involved. CompTIA SecAI+ flags data governance and regulatory compliance as primary concerns in enterprise AI adoption.

Why C is Correct: Submitting sensitive business data, PII, financial records, or proprietary information to public LLMs may violate data protection regulations such as GDPR, HIPAA, or CCPA. These violations can result in substantial fines, legal liability, and significant reputational damage. This represents the most severe and impactful organizational risk from corporate use of public LLMs.

Why A is Wrong: Hallucinations where LLMs generate plausible but incorrect information are a reliability concern. However, they do not expose the company to the level of legal and financial penalties that data regulatory violations create.

Why B is Wrong: Out-of-date acceptable use policies represent an internal governance gap. This is a policy management issue rather than a direct risk with immediate legal or financial consequences.

Why D is Wrong: While LLMs can potentially generate malicious code if deliberately prompted, this requires adversarial intent. For typical corporate users, accidental data disclosure to a public LLM represents a far more common and immediate organizational risk.

Basic Concept: Data integrity ensures that data has not been tampered with, corrupted, or modified during storage or transmission. For AI training data that is procured from external sources, cryptographic integrity verification is essential to confirm the data arrived unmodified. CompTIA SecAI+ Study Guide covers data integrity controls for AI data pipelines.

Why A is Correct: Implementing checksums provides cryptographic verification of data integrity. A checksum or hash value such as SHA-256 is computed from the dataset at the source. The receiver computes the same hash and compares it to the provided value. Any modification to the data during transit or storage will produce a different hash, immediately detecting tampering or corruption. This is the most reliable, automated, and scalable strategy for ensuring the integrity of procured training data.

Why B is Wrong: Human evaluation can verify data quality and relevance but is impractical for verifying integrity across large datasets of medical records. Human reviewers cannot detect subtle bit-level corruption or intentional small modifications, and the process is not scalable.

Why C is Wrong: Querying the model tests model performance rather than verifying the integrity of the underlying training data. The model cannot tell you whether its training data was modified after collection or during procurement.

Why D is Wrong: Log monitoring tracks system activities and events over time. While useful for auditing access to data, it cannot retroactively confirm that data content has not been modified and does not provide cryptographic integrity guarantees.

Basic Concept: Different regulatory and standards bodies address different aspects of technology governance. For AI-specific compliance guidance that addresses the unique characteristics of AI systems including transparency, fairness, accountability, and societal impact, a framework specifically designed for AI is required. CompTIA SecAI+ Study Guide identifies OECD as a key source of AI-specific compliance guidance.

Why A is Correct: The OECD AI Principles and Recommendation on AI provide internationally recognized, AI-specific guidance on compliance with responsible AI values including transparency, accountability, robustness, security, safety, and human-centric values. The OECD has developed a dedicated framework specifically addressing the compliance considerations unique to AI systems across sectors and national boundaries, making it the most AI-specific compliance guidance option listed.

Why B is Wrong: ISO 27001 is a general information security management standard addressing broad organizational security controls. It is not AI-specific and does not address the unique compliance considerations of AI transparency, fairness, or algorithmic accountability.

Why C is Wrong: PCI DSS is a payment card industry security standard focused on protecting payment card data. It has no AI-specific compliance provisions and is limited to financial transaction security requirements.

Why D is Wrong: GDPR is a European data protection regulation focused on personal data privacy rights and obligations. While relevant to AI systems that process personal data, GDPR is a privacy regulation rather than AI-specific compliance guidance addressing the full spectrum of AI governance considerations.

Basic Concept: Various regulatory frameworks govern AI use in different contexts. For auditing legal compliance in high-risk AI applications such as employment and HR, binding regulatory legislation takes precedence over voluntary standards. CompTIA SecAI+ Exam Objectives cover AI governance and compliance frameworks under Domain 4.

Why C is Correct: The EU AI Act is the world ' s first comprehensive, legally binding AI regulation. It explicitly classifies AI systems used in employment, worker management, and recruitment as high-risk AI systems, subjecting them to strict compliance requirements including conformity assessments, transparency obligations, and human oversight mandates. An auditor reviewing HR AI for legal non-compliance must reference this binding legislation.

Why A is Wrong: The OECD AI Principles are non-binding international guidelines promoting responsible AI. They offer policy guidance but carry no legal enforcement power for compliance auditing.

Why B is Wrong: The NIST AI RMF is a voluntary, risk management-focused framework. It is not a legal compliance standard and cannot be used to assess legal non-compliance.

Why D is Wrong: ISO standards such as ISO 42001 are voluntary international best practice standards. They are not legal compliance instruments with enforceable penalties for HR AI systems.

Basic Concept: Prompting techniques determine how effectively an LLM is guided to produce desired outputs. Providing a single example within a prompt is a well-established technique known as one-shot prompting, which leverages in-context learning. CompTIA SecAI+ Study Guide covers prompting strategies under basic AI concepts.

Why C is Correct: One-shot prompting involves providing exactly one example of the desired input-output format within the prompt to guide the model ' s responses. In this scenario, the HR officer includes one example resume matching a successful candidate to show the model what a qualifying candidate looks like. This single example instructs the model on the evaluation criteria through demonstration rather than explicit description.

Why A is Wrong: Distillation is a model training technique where a smaller student model is trained to replicate the behavior of a larger teacher model. It is a model compression methodology, not a prompting technique used at query time.

Why B is Wrong: A prompt template is a reusable, structured format for prompts with placeholders that can be filled in for different queries. While templates may incorporate examples, the term specifically describes the structural framework, not the act of providing a single example.

Why D is Wrong: A system role defines the AI model ' s persona, context, and behavioral guidelines at the system level before user interaction begins. It sets the model ' s overall behavior, not a specific technique of providing examples within queries.

Basic Concept: Generative AI chatbots interact with users in natural language and may access organizational knowledge bases, databases, or prior conversations. The conversational nature of these systems creates unique risks around sensitive information disclosure. CompTIA SecAI+ Study Guide ranks data leakage as the primary security concern for generative AI chatbots.

Why B is Correct: Data leakage occurs when a generative AI chatbot inadvertently reveals sensitive information including PII, confidential business data, intellectual property, training data, or system configurations in its responses. This can happen through prompt injection attacks, insufficient output filtering, or the model memorizing and reproducing sensitive training data. The impact is immediate, potentially irreversible, and can result in regulatory violations, competitive disadvantage, and reputational damage.

Why A is Wrong: Overly permissive access is a contributing factor that can exacerbate data leakage but is an access control design issue rather than the most directly impactful runtime risk of operating a generative AI chatbot.

Why C is Wrong: Weak encryption is a data protection concern for data in transit or at rest. While important, it is a configuration issue separate from the generative AI chatbot ' s core operational risks and is not specific to chatbot technology.

Why D is Wrong: Model validation ensures a model performs as expected before deployment. While important for quality assurance, it is a development lifecycle activity rather than an ongoing operational security risk associated with running a chatbot.