A Causal-Comparative Study of Security Vulnerabilities in AI-Generated versus Human-Generated Source Code from GitHub
Authors
Palmer, Brenda
Issue Date
2026-02
Type
Dissertation
Language
en
Keywords
GenAI Cybersecurity; Business, Engineering, Science, & Technological Innovation
Abstract
In this causal-comparative quantitative study, security vulnerabilities in AI-generated code and human-generated code were compared across publicly available software projects. With the growing use of large language models to produce source code, it remains uncertain whether AI-generated code presents a higher security risk than human-written code. This problem affects software developers, security practitioners, and organizational leaders responsible for secure software engineering and technology governance. The study was informed by Intellectual Capital theory and by structured security risk management principles. A code analysis tool scanned source code from over 134 publicly available GitHub repositories written in three programming languages. Three research questions were answered using descriptive statistics, independent-samples t-tests, and chi-square tests to determine the severity and distribution of security vulnerabilities by code origin (AI or human). The outcomes showed a statistically significant difference in average severity scores, with human-generated code having a higher average severity score than AI-generated code. The results indicate that AI-generated code does not carry more severe vulnerabilities than human-generated code, yet both require thorough security verification. The research adds new empirical data to the growing body of literature on AI-assisted software development and highlights the necessity of disciplined risk management, secure software engineering practices, and governance irrespective of the code's origin. Future studies should use larger repository samples, consider other programming languages, and include complementary security analysis methods.
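The comparison the abstract describes, as an added example that is not part of the dissertation and uses no data from it: given scanner findings tagged by code origin, compute group means, an independent-samples t statistic on the severity scores, and a chi-square statistic on the origin-by-severity-level contingency table. The findings, the 0-10 score scale, the level cutoffs (low below 4.0, medium 4.0 to 6.9, high 7.0 and above) and the choice of the Welch variant of the t-test are all assumptions made here, not details taken from the study.

```python
"""Added example: compare scanner severity scores by code origin.

The findings below are constructed for illustration; they are not the
dissertation's data. The score scale, level cutoffs and the use of the
Welch t-test are assumptions made for this example.
"""
from math import sqrt
from statistics import mean, variance

# Constructed sample: (origin, severity score on an assumed 0-10 scale).
FINDINGS = [
    ("ai", 3.0), ("ai", 4.0), ("ai", 5.0), ("ai", 6.0), ("ai", 7.0),
    ("human", 5.0), ("human", 6.0), ("human", 7.0), ("human", 8.0), ("human", 9.0),
]

LEVELS = ("low", "medium", "high")


def severity_level(score: float) -> str:
    """Bucket a numeric score into three levels (assumed cutoffs)."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def scores_by_origin(findings):
    """Group severity scores by origin label."""
    groups = {}
    for origin, score in findings:
        groups.setdefault(origin, []).append(score)
    return groups


def welch_t(a, b):
    """Welch's independent-samples t statistic and Welch-Satterthwaite df.

    Welch's form does not assume equal variances in the two groups.
    """
    va, vb = variance(a) / len(a), variance(b) / len(b)
    t = (mean(a) - mean(b)) / sqrt(va + vb)
    df = (va + vb) ** 2 / (va ** 2 / (len(a) - 1) + vb ** 2 / (len(b) - 1))
    return t, df


def contingency(findings):
    """Build an origin -> {level: count} table from the findings."""
    table = {}
    for origin, score in findings:
        row = table.setdefault(origin, {lvl: 0 for lvl in LEVELS})
        row[severity_level(score)] += 1
    return table


def chi_square(table):
    """Pearson chi-square statistic of independence (origin x level), its df,
    and the smallest expected cell count.

    The smallest expected count is returned because the chi-square
    approximation is unreliable when expected counts fall below about 5;
    a real analysis with cells that small should use an exact test or
    merge levels.
    """
    rows = list(table)
    row_tot = {r: sum(table[r].values()) for r in rows}
    col_tot = {lvl: sum(table[r][lvl] for r in rows) for lvl in LEVELS}
    cols = [lvl for lvl in LEVELS if col_tot[lvl] > 0]  # drop empty levels
    n = sum(row_tot.values())
    stat, min_expected = 0.0, float("inf")
    for r in rows:
        for lvl in cols:
            expected = row_tot[r] * col_tot[lvl] / n
            min_expected = min(min_expected, expected)
            stat += (table[r][lvl] - expected) ** 2 / expected
    df = (len(rows) - 1) * (len(cols) - 1)
    return stat, df, min_expected


def compare(findings):
    """Descriptive means, Welch t statistic and chi-square statistic by origin."""
    groups = scores_by_origin(findings)
    ai, human = groups["ai"], groups["human"]
    t, t_df = welch_t(ai, human)
    chi, chi_df, min_exp = chi_square(contingency(findings))
    return {
        "mean_ai": mean(ai), "mean_human": mean(human),
        "t": t, "t_df": t_df,
        "chi_square": chi, "chi_df": chi_df, "min_expected": min_exp,
    }


if __name__ == "__main__":
    for key, value in compare(FINDINGS).items():
        print(f"{key}: {value}")
```

The functions return the test statistics and degrees of freedom rather than p-values; a p-value needs the t or chi-square distribution, which is what a library such as `scipy.stats` would supply on top of these numbers. The constructed sample is deliberately tiny, so `min_expected` comes back well under 5 and the chi-square result should be read as a demonstration of the computation, not as evidence.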
