Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency
Jeffrey T. Gardiner
No. rf8xj_v1, Thesis Commons from Center for Open Science
Abstract:
Contemporary cybersecurity governance assumes that professionals apply formal risk-exposure reasoning. Yet organizational failures persist despite substantial technical investment in tools, staff and credentialing. This study investigates the structural origin of that paradox. The findings suggest that cybersecurity speaks the language of risk, but its structural training has shaped it to think in terms of threats. The two are not the same. A sequential mixed-methods design integrated four independent analyses: semantic similarity-based Natural Language Processing (NLP) applied to the NIST NICE Framework v2.0.0 (2,111 TKS statements); Structural Equation Modelling (SEM; n = 126 cybersecurity professionals); a control group comparison (n = 133 general professionals); and thematic coding of seven senior cybersecurity leadership interviews. Four convergent findings emerged. First, NLP analysis found that "likelihood" and "probability" (necessary ingredients for gauging risk) each appear zero times across the 2,111 TKS statements; risk management content accounts for only 4.5% of high-confidence semantic classifications, ranking 18th of 29 competency domains. NICE codifies threat-management operations while invoking risk vocabulary primarily at the category level, indicating a framework oriented toward threat management rather than formal risk analysis. Second, SEM confirmed that training exposure significantly predicts risk management competence both directly (β = .406, p < .001) and indirectly through conceptual salience (β = .223, p < .001), yielding a total effect of β = .629. However, the theoretically four-dimensional risk competency construct collapsed into a single undifferentiated factor (a phenomenon this study terms epistemic compression), demonstrating that practitioners internalize the framework's cognitive architecture. Third, cybersecurity professionals demonstrated no measurable advantage over the general professional population in foundational risk reasoning (Cohen's d = 0.16, p = .205); only 11.9% achieved high differentiation. Fourth, all seven senior leaders expect their teams to apply Likelihood × Impact risk calculus, yet five did not articulate the formula they require of others. These findings converge on a single structural conclusion: cybersecurity has professionalized as a threat management discipline that borrows the vocabulary of risk. The study advances a three-level structural explanation (Training Architecture → Cognitive Internalization → Organizational Consequence) and concludes that effective remediation requires fundamental redesign of professional formation, not curriculum reform at the margins.
Date: 2026-03-20
Download: https://osf.io/download/69c58a4d646af3a33b1fe678/
Persistent link: https://EconPapers.repec.org/RePEc:osf:thesis:rf8xj_v1
DOI: 10.31219/osf.io/rf8xj_v1