From Preventive to Reactive: How AI Coding Assistants Transform Developers' Security Awareness

Computer Science > Human-Computer Interaction [Submitted on 22 May 2026] From Preventive to Reactive: How AI Coding Assistants Transform Developers' Security Awareness Faisal Haque Bappy, Tahrim Hossain, Sidratul Muntaher Meheraj, Annoor Sharara Akhand, Tasfia Tabassum, Tarannum Shaila Zaman, Raiful Hasan, Tariqul Islam AI coding assistants are now central to professional software development, yet their impact on how developers think about and practice security remains poorly understood. While prior work has documented vulnerability rates in AI-generated code, a more fundamental question persists: how do these tools transform security awareness in authentic, ongoing development practice? We conducted semi-structured interviews with 15 professional software engineers and observed them completing security-relevant coding tasks with AI assistance, spanning 3 experience cohorts defined by their relationship to AI tools during professional formation. We find that AI coding assistants reorganize rather than eliminate security thinking, shifting it from the act of writing code to the act of reviewing it. This transition from preventive to reactive security is structurally encouraged by interaction models that frame code generation as a functional task, leaving security as an afterthought. Notably, none of our coding session participants specified security requirements in their initial prompts, even when they possessed the relevant knowledge, revealing a decoupling of security awareness from security behavior. We further document informal coping strategies developers had independently invented to manage AI security risk, none of which are supported by current tools or organizations, and find that the experience cohort did not reliably predict security performance. This paper contributes a practice-grounded account of how AI-assisted development reshapes the human side of secure coding, offering empirical foundations for the design of more security-aware tools, training programs, and organizational policies. Comments: This paper has been accepted at the 2026 Symposium on Usable Privacy and Security (SOUPS) Subjects: Human-Computer Interaction (cs.HC); Cryptography and Security (cs.CR) Cite as: arXiv:2605.23130 [cs.HC]   (or arXiv:2605.23130v1 [cs.HC] for this version)   https://doi.org/10.48550/arXiv.2605.23130 Focus to learn more Submission history From: Faisal Haque Bappy [view email] [v1] Fri, 22 May 2026 01:07:15 UTC (42 KB) Access Paper: HTML (experimental) view license Current browse context: cs.HC < prev   |   next > new | recent | 2026-05 Change to browse by: cs cs.CR References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)