pith. sign in

arxiv: 2605.23130 · v2 · pith:2H5BSJDVnew · submitted 2026-05-22 · 💻 cs.HC · cs.CR

From Preventive to Reactive: How AI Coding Assistants Transform Developers' Security Awareness

Faisal Haque Bappy , Tahrim Hossain , Sidratul Muntaher Meheraj , Annoor Sharara Akhand , Tasfia Tabassum , Tarannum Shaila Zaman , Raiful Hasan , Tariqul Islam This is my paper

Pith reviewed 2026-05-25 04:04 UTC · model grok-4.3

classification 💻 cs.HC cs.CR
keywords AI coding assistantssecurity awarenesssoftware developmentpreventive securityreactive securitydeveloper practicesAI-assisted coding
0
0 comments X

The pith

AI coding assistants reorganize security thinking by shifting it from writing code to reviewing code rather than removing it.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that AI coding assistants do not eliminate developers' attention to security but relocate it from the initial act of generating code to the later act of inspecting it. This move from preventive to reactive security arises because the tools present code generation primarily as a functional task. None of the 15 participants in the coding sessions included security requirements in their first prompts, even when they knew the relevant details, showing a gap between awareness and action. The pattern held across different levels of experience with AI tools. These observations matter because they explain how everyday use of AI assistants changes the human side of writing secure software.

Core claim

AI coding assistants reorganize rather than eliminate security thinking, shifting it from the act of writing code to the act of reviewing it. This transition from preventive to reactive security is structurally encouraged by interaction models that frame code generation as a functional task, leaving security as an afterthought. Notably, none of the coding session participants specified security requirements in their initial prompts, even when they possessed the relevant knowledge, revealing a decoupling of security awareness from security behavior. Developers had independently invented informal coping strategies to manage AI security risk, none of which are supported by current tools or by,

What carries the argument

The shift from preventive to reactive security, driven by interaction models that treat code generation as a mainly functional task.

If this is right

  • Security awareness becomes decoupled from security behavior when developers use AI coding assistants.
  • Developers rely on self-created informal strategies to address security risks from AI-generated code.
  • Experience level with AI tools does not reliably determine how well security is handled.
  • Current AI tools and organizations provide no support for the coping strategies developers have created.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Design changes to AI assistants could insert security prompts at the start of code generation sessions.
  • Training for secure coding may need to emphasize review skills more than initial prompting skills.
  • Organizations could update policies to require explicit security checks early when AI tools are in use.

Load-bearing premise

Semi-structured interviews and observed coding sessions with 15 participants accurately capture how security awareness changes in authentic ongoing development work outside the study.

What would settle it

A field study that logs actual developer prompts and code reviews over multiple months in normal work settings and checks whether security requirements appear in initial prompts or only during later review.

read the original abstract

AI coding assistants are now central to professional software development, yet their impact on how developers think about and practice security remains poorly understood. While prior work has documented vulnerability rates in AI-generated code, a more fundamental question persists: how do these tools transform security awareness in authentic, ongoing development practice? We conducted semi-structured interviews with 15 professional software engineers and observed them completing security-relevant coding tasks with AI assistance, spanning 3 experience cohorts defined by their relationship to AI tools during professional formation. We find that AI coding assistants reorganize rather than eliminate security thinking, shifting it from the act of writing code to the act of reviewing it. This transition from preventive to reactive security is structurally encouraged by interaction models that frame code generation as a functional task, leaving security as an afterthought. Notably, none of our coding session participants specified security requirements in their initial prompts, even when they possessed the relevant knowledge, revealing a decoupling of security awareness from security behavior. We further document informal coping strategies developers had independently invented to manage AI security risk, none of which are supported by current tools or organizations, and find that the experience cohort did not reliably predict security performance. This paper contributes a practice-grounded account of how AI-assisted development reshapes the human side of secure coding, offering empirical foundations for the design of more security-aware tools, training programs, and organizational policies.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper claims that AI coding assistants reorganize rather than eliminate developers' security awareness, shifting it from preventive thinking during code writing to reactive review of generated code. This transition is structurally encouraged by interaction models that treat code generation as a functional task. Evidence comes from semi-structured interviews and observed security-relevant coding sessions with 15 professional software engineers across three experience cohorts defined by their relationship to AI tools; none of the participants specified security requirements in initial prompts despite possessing relevant knowledge, and the study documents informal coping strategies while finding that cohort membership did not reliably predict security performance.

Significance. If the central reorganization claim holds, the work supplies a practice-grounded qualitative account that extends vulnerability-rate studies by documenting how AI tools reshape the human side of secure coding. This could inform the design of security-aware AI assistants, training programs, and organizational policies in HCI and software security.

major comments (2)
  1. [Methods] Methods section: the description of the observed coding sessions does not establish that the security-relevant tasks were framed identically to real-world prompts or that the presence of observers did not alter participants' prompting behavior; this directly undercuts the claim that the absence of security requirements in initial prompts reflects a tool-induced decoupling rather than study demand characteristics.
  2. [Results] Results/Discussion: the single-session snapshot with 15 participants across three cohorts provides no evidence that the observed preventive-to-reactive shift captures cumulative effects over ongoing authentic development practice spanning weeks, leaving the structural claim about interaction models insufficiently secured for generalization.
minor comments (1)
  1. [Abstract/Methods] The abstract and methods refer to '3 experience cohorts defined by their relationship to AI tools during professional formation' without specifying the exact criteria or recruitment details used to assign participants; adding this would improve replicability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for these detailed and constructive comments, which highlight important considerations for methodological transparency and the scope of our claims. We address each point below and indicate planned revisions to the manuscript.

read point-by-point responses

  1. Referee: [Methods] Methods section: the description of the observed coding sessions does not establish that the security-relevant tasks were framed identically to real-world prompts or that the presence of observers did not alter participants' prompting behavior; this directly undercuts the claim that the absence of security requirements in initial prompts reflects a tool-induced decoupling rather than study demand characteristics.

    Authors: We agree that the Methods section would benefit from greater detail on task framing and potential observer effects to strengthen the interpretation of the prompting data. In the revised version, we will expand this section to describe how the security-relevant tasks were derived from scenarios reported in the interviews as representative of participants' professional work, including the exact wording used to instruct participants to proceed as they normally would with AI assistance. We will also add discussion of the observational setup, including efforts to conduct sessions in familiar environments and the use of think-aloud protocols to surface reasoning. While observational studies inherently carry some risk of demand characteristics, the consistency between observed behavior and participants' self-reported daily practices in the interviews provides triangulation supporting the decoupling claim. This revision will make the evidential basis more explicit without overstating the controls. revision: yes

  2. Referee: [Results] Results/Discussion: the single-session snapshot with 15 participants across three cohorts provides no evidence that the observed preventive-to-reactive shift captures cumulative effects over ongoing authentic development practice spanning weeks, leaving the structural claim about interaction models insufficiently secured for generalization.

    Authors: The referee accurately notes a key limitation of the study design. Our data consist of single-session observations supplemented by retrospective accounts from semi-structured interviews about ongoing use. In the revised manuscript, we will update the Discussion to more explicitly state that the preventive-to-reactive reorganization is evidenced in the immediate prompting and review behaviors observed, with interviews providing supporting context on how these patterns manifest in daily work, but that longitudinal tracking would be needed to confirm cumulative effects over weeks. We will temper the structural claim accordingly, framing it as grounded in the documented interaction patterns rather than asserting broad generalization, and suggest future research directions. This addresses the concern while preserving the contribution of the observed shift. revision: partial

Circularity Check

0 steps flagged

Empirical qualitative study with no equations, parameters, or derivations exhibits no circularity

full rationale

The paper reports findings from semi-structured interviews and observed coding sessions with 15 participants across experience cohorts. All central claims (reorganization of security thinking from preventive to reactive, decoupling of awareness from behavior, informal coping strategies) are presented as direct outputs of thematic analysis of the collected interview transcripts and session observations. No equations, fitted parameters, uniqueness theorems, or ansatzes appear. No self-citations are invoked as load-bearing justifications for the core results; prior work is referenced only for context on vulnerability rates. The derivation chain is therefore self-contained and does not reduce any result to its inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The paper is an empirical qualitative study and rests on standard domain assumptions of interview-based HCI research rather than mathematical axioms, free parameters, or new postulated entities.

axioms (1)
  • domain assumption Semi-structured interviews and observational studies can reliably surface changes in security awareness and behavior in professional developers.
    Invoked to support interpretation of findings from the 15 participants and task observations.

pith-pipeline@v0.9.0 · 5814 in / 1234 out tokens · 38438 ms · 2026-05-25T04:04:03.047275+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.