Module 2 — Quiz

Type: Quiz · Duration: ~10 min · Status: Mandatory · Pass mark: 70% (9 of 12) · Module: Module 2 — AI Security Foundations


Question 1 (multiple choice)

What does the "MA" in STRIDE-MA add to classical STRIDE?

a) Mediation and Authorization
b) Model manipulation and Agency abuse
c) Mitigation and Audit
d) Memory and Access

Answer: b
Explanation: Model manipulation covers attacks that change model behavior without changing weights (prompt injection, jailbreaks, adversarial examples). Agency abuse covers coercing an agent into using its existing authority for the attacker.


Question 2 (multiple choice)

Which of the following is not one of the five AI attack-surface planes?

a) Application
b) Data
c) Model
d) Privacy

Answer: d
Explanation: The five planes are Application, Model, Data, Infrastructure, Supply chain. Privacy is a property of the system, not a plane.


Question 3 (multiple choice)

You see the citation AML.T0051.001 in a finding. Which framework is this from, and what does it identify?

a) NIST AI RMF subcategory for adversarial example detection
b) MITRE ATLAS technique ID for Indirect Prompt Injection
c) OWASP LLM Top 10 entry 5.1
d) EU AI Act Article 51, Section 1

Answer: b
Explanation: AML.T#### is the MITRE ATLAS technique ID format; .001 denotes a sub-technique. AML.T0051 is Prompt Injection; .001 is the Indirect Prompt Injection sub-technique.


Question 4 (short)

Name the four NIST AI RMF functions in any order.

Answer: Govern, Map, Measure, Manage.


Question 5 (multiple choice)

A defender notes that a RAG corpus is editable by 200 engineers via their internal Confluence space. Which attack-surface plane is the primary concern this raises?

a) Model plane
b) Data plane
c) Infrastructure plane
d) Application plane

Answer: b
Explanation: The corpus is a data-plane artifact, and the population of writers to the corpus determines the indirect-prompt-injection surface.


Question 6 (multiple choice)

True or false: the OWASP LLM Top 10 can serve as a complete threat model for any LLM-powered application.

a) True
b) False

Answer: b (False)
Explanation: OWASP LLM Top 10 is a checklist of vulnerability classes; it doesn't replace the per-system threat modeling exercise (DFD, STRIDE-MA, ATLAS) and doesn't address chains across entries.


Question 7 (scenario — short)

You are red-teaming a customer-service chatbot. The chatbot retrieves from a public-facing FAQ. You discover that a competitor has injected a long block of instructions into one of the FAQ documents, causing the chatbot to recommend the competitor's product. Identify (a) the ATLAS technique ID and (b) the OWASP LLM Top 10 entry that best fit this finding.

Answer:
  • (a) AML.T0051.001 (Indirect Prompt Injection) — possibly also AML.T0070 (RAG Poisoning).
  • (b) LLM01 (Prompt Injection). Bonus credit for noting LLM03 (Training Data Poisoning) if the FAQ is also used as fine-tune data.


Question 8 (multiple choice)

A European fintech uses an LLM to make credit-score determinations for retail customers. Under the EU AI Act, what risk tier does this product fall under?

a) Prohibited
b) High-risk
c) Limited-risk
d) Minimal-risk

Answer: b (High-risk)
Explanation: Creditworthiness assessment for natural persons is listed in Annex III as a high-risk use case. The underlying technology (LLM vs traditional ML) doesn't change the tier.


Question 9 (multiple choice)

Which OWASP LLM Top 10 entry would best describe an attacker submitting deeply nested, recursive prompts that consume disproportionate compute and rack up a target organization's API bill?

a) LLM01 Prompt Injection
b) LLM04 Model DoS
c) LLM06 Sensitive Information Disclosure
d) LLM10 Model Theft

Answer: b (LLM04)
Explanation: Token-bomb attacks designed to exhaust compute or budget are the canonical Model DoS pattern in 2026.


Question 10 (multiple choice)

Which NIST AI RMF subcategory is the natural citation for a finding that "the system lacks documented post-deployment monitoring"?

a) Govern 1.1
b) Map 1.1
c) Measure 2.7
d) Manage 4.1

Answer: d (Manage 4.1)
Explanation: Manage 4.1 covers post-deployment monitoring planning and implementation.


Question 11 (scenario — short)

You're producing a finding for a vulnerability in which a user-facing chatbot can be coerced into rendering attacker-controlled HTML that executes JavaScript in the user's browser. Provide multi-framework citations for this finding: ATLAS, OWASP LLM, NIST AI RMF, EU AI Act.

Sample answer:
  • ATLAS: AML.T0051 (Prompt Injection — likely direct, AML.T0051.000) plus AML.T0048 (Erode ML Model Integrity).
  • OWASP LLM: LLM02 (Insecure Output Handling) primarily; LLM01 (Prompt Injection) as the upstream cause.
  • NIST AI RMF: Measure 2.7 (AI system security and resilience evaluated and documented).
  • EU AI Act: Article 15 (accuracy, robustness, cybersecurity for high-risk systems).

Grading: Full credit for any reasonable multi-framework set with at least three of the four frameworks correctly cited.


Question 12 (scenario — short)

A startup ships a SaaS product where users upload PDFs and ask questions; the product uses RAG (the user's PDFs + a vector DB) and an LLM via API. The startup serves customers globally including the EU. Identify one EU AI Act obligation and one NIST AI RMF subcategory that you would prioritize as the AI security engineer for this product, with a one-line justification each.

Sample answer:
  • EU AI Act: Article 12 (record-keeping) — the system processes user-uploaded content and must log events relevant to identifying risks (e.g., injection attempts, sensitive-information disclosures).
  • NIST AI RMF: Measure 2.7 (security and resilience) — concrete adversarial testing of the RAG pipeline, especially indirect prompt injection through uploaded PDFs.

Grading: Full credit for any defensible pairing with a justification that ties the obligation/subcategory to the product's actual risk profile (RAG + user-supplied content).


Scoring

  • 12 questions, 1 point each.
  • 70% to pass (9 of 12).
  • LMS auto-grades Q1–Q3, Q5, Q6, Q8–Q10 (multiple choice).
  • Q4, Q7, Q11, Q12 graded against the acceptable answers above; LMS short-answer grader can handle Q4 (exact match); Q7, Q11, Q12 may require rubric-based grading.
  • Two attempts; after two failures, re-review L2.3.3 (ATLAS techniques) and L2.5 (NIST + EU AI Act) before retaking.