Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency
Jeffrey T. Gardiner

TL;DR
This study reveals that cybersecurity training emphasizes threat management over risk reasoning, leading to a gap in professional competency and suggesting a need for fundamental redesign of education and training.
Contribution
It uncovers the structural disconnect between cybersecurity training and risk reasoning, highlighting the dominance of threat management in professional formation.
Findings
Risk vocabulary in cybersecurity is limited, with 'likelihood' and 'probability' absent from core statements.
Training exposure significantly predicts risk management competence, but the competence structure is collapsed into a single factor.
Cybersecurity professionals show no advantage over general professionals in foundational risk reasoning.
Abstract
Contemporary cybersecurity governance assumes that professionals apply risk reasoning. Yet major organisational failures persist despite investment in tools, staffing, and credentials. This study investigates the structural source of that paradox. Cybersecurity speaks the language of risk, but its training architecture has shaped the profession to think in terms of threats. A sequential mixed-methods design integrated four analyses: NLP of the NIST NICE Framework v2.0.0 (2,111 TKS statements), SEM (n = 126 cybersecurity professionals), a control-group comparison (n = 133 general professionals), and thematic coding of seven leadership interviews. Four convergent findings emerged. First, "likelihood" and "probability" appear zero times across all TKS statements. Risk management content accounts for 4.5% of high-confidence semantic classifications, ranking 18th of 29 competency domains.…
