Using Large Language Models to Generate Security Policies: Quality, Compliance, and Expert Evaluation
APA Citation
Harper, N. & Krishnan, V. (2024). Using Large Language Models to Generate Security Policies: Quality, Compliance, and Expert Evaluation. *Journal of Computer Security*. https://doi.org/10.3233/JCS-240012
What Did This Cybersecurity Research Find?
This cybersecurity GRC study tested whether LLMs could generate security policies (access control, incident response, acceptable use) that met compliance requirements. Policy drafts generated by GPT-4-class models covered 79% of the required control areas for SOC 2 and ISO 27001, but expert reviewers identified critical omissions in 34% of the generated policies, primarily around jurisdiction-specific requirements and industry-specific regulations.
Key Findings
- LLM-generated policies covered 79% of SOC 2 and ISO 27001 required control areas
- Expert reviewers found critical omissions in 34% of generated policies
- Jurisdiction-specific requirements were the most commonly missed area
- AI-assisted policy drafting reduced total authoring time by 55% when expert-reviewed
- Iterative prompting (providing framework checklists) improved coverage to 89%
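The last two findings describe a loop: draft, measure coverage against a framework checklist, feed the gaps back into the next prompt, then hand the result to an expert reviewer. The following Python sketch is an added illustration of that loop and is not code from the paper or its authors. The checklist labels, the keywords used to detect each area, and the sample draft are all constructed for the example; the keyword match is a deliberately crude proxy for the coverage judgement that, per the study, still needs an expert reviewer, and the "breach notification" entry stands in for the jurisdiction-specific requirements the reviewers most often found missing.

```python
import re

# Constructed mini checklist of control areas. The labels and keywords are
# illustrative stand-ins, not the official SOC 2 or ISO 27001 control text.
CHECKLIST = {
    "access control": ["access control", "least privilege", "access review"],
    "incident response": ["incident response", "incident"],
    "acceptable use": ["acceptable use"],
    "data retention": ["retention", "retain"],
    # Stand-in for a jurisdiction-specific requirement (e.g. regulator
    # notification deadlines), the category the study found most often missing.
    "breach notification (jurisdiction-specific)": ["notify", "notification", "regulator"],
}

# Constructed sample of an LLM-generated first draft: it addresses three of
# the five areas above and silently omits retention and breach notification.
SAMPLE_DRAFT = """
Access Control Policy: accounts are provisioned under least privilege and an
access review is performed quarterly.
Incident Response: the security team triages every reported incident within 4 hours.
Acceptable Use: company systems may be used only for authorised business purposes.
"""


def coverage(draft: str, checklist=CHECKLIST) -> dict:
    """Return {area: True/False} based on whole-word keyword hits in the draft."""
    text = draft.lower()
    return {
        area: any(re.search(r"\b" + re.escape(k) + r"\b", text) for k in keywords)
        for area, keywords in checklist.items()
    }


def coverage_ratio(covered: dict) -> float:
    """Fraction of checklist areas the draft touches (the study's 79%/89% metric)."""
    return sum(covered.values()) / len(covered)


def missing_areas(covered: dict) -> list:
    """Areas the draft does not address, in checklist order."""
    return [area for area, hit in covered.items() if not hit]


def follow_up_prompt(missing: list) -> str:
    """Build the next-round prompt: the checklist gaps become explicit instructions.

    This is the "iterative prompting with framework checklists" step; the
    wording is a constructed example, not a prompt taken from the paper.
    """
    if not missing:
        return "All checklist areas are present; route the draft to expert review."
    bullet = "\n".join(f"- {area}" for area in missing)
    return (
        "Revise the policy so that it explicitly addresses each of the following "
        "control areas, which the current draft omits:\n" + bullet +
        "\nFlag any area where the correct content depends on the organisation's "
        "jurisdiction or industry so a human reviewer can supply it."
    )


def review_round(draft: str, checklist=CHECKLIST) -> dict:
    """One iteration of the loop: measure, list gaps, produce the next prompt."""
    covered = coverage(draft, checklist)
    missing = missing_areas(covered)
    return {
        "ratio": coverage_ratio(covered),
        "missing": missing,
        "next_prompt": follow_up_prompt(missing),
    }


if __name__ == "__main__":
    result = review_round(SAMPLE_DRAFT)
    print(f"coverage: {result['ratio']:.0%}")
    print("missing:", result["missing"])
    print(result["next_prompt"])
```

Running it on the constructed draft reports 60% coverage and names the two omitted areas; in practice the expert reviewer, not the keyword matcher, decides whether a hit actually satisfies the control, which is why the study's time saving is stated "when expert-reviewed".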
How Does This Apply to Cybersecurity Careers?
GRC professionals can use AI as a starting point for policy development while understanding its limitations. Security policy writers can focus their expertise on the areas where AI falls short.
Frequently Asked Questions
Where was this cybersecurity research published?
This study was published in the *Journal of Computer Security* in 2024. The DOI is 10.3233/JCS-240012; the original paper is available through the DOI link in the citation above.