Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency

Jeffrey T. Gardiner

arxiv: 2604.21604 · v1 · submitted 2026-04-23 · 💻 cs.CR · cs.CY· econ.GN· q-fin.EC

Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency

Jeffrey T. Gardiner This is my paper

Pith reviewed 2026-05-09 21:25 UTC · model grok-4.3

classification 💻 cs.CR cs.CYecon.GNq-fin.EC

keywords cybersecurity competencyrisk managementthreat managementNIST NICE frameworkprofessional formationepistemic compressionmixed methodsorganizational governance

0 comments

The pith

Cybersecurity has formed as a threat-management profession that borrows risk vocabulary without adopting its reasoning.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines the paradox of persistent cybersecurity failures despite widespread use of risk terminology in governance and standards. It finds that training architectures emphasize threats instead, with the NIST NICE framework containing almost no explicit risk probability language and risk management comprising just 4.5 percent of content. Surveys reveal cybersecurity professionals show no better foundational risk reasoning than general professionals, and competence measures collapse into one dimension. Interviews indicate leaders expect risk calculations but seldom perform them. The conclusion is that fixing this requires redesigning how cybersecurity professionals are trained and formed rather than incremental changes.

Core claim

Cybersecurity speaks the language of risk but its training architecture has shaped the profession to think in terms of threats. Analysis of 2,111 TKS statements in the NIST NICE Framework shows zero instances of likelihood or probability, with risk management ranking low among domains. Structural equation modeling indicates training exposure predicts risk competence with a total effect of 0.629, yet the competence construct reduces to a single factor. Cybersecurity professionals exhibit no measurable advantage over the general population in risk reasoning, with only 11.9 percent showing high differentiation. Leaders anticipate likelihood by impact reasoning but rarely articulate it. These结果s

What carries the argument

The mixed-methods convergence of natural language processing on the NICE framework, structural equation modeling of competence, control-group comparison, and thematic analysis of leadership interviews revealing the threat-centric codification and epistemic compression of risk skills.

If this is right

Existing training and credentialing systems will continue to produce professionals without strong risk management skills.
Organizational cybersecurity governance relying on risk assumptions will keep facing the same structural shortcomings.
Revisions to professional standards like the NICE framework must move risk content from category-level to specific task statements.
Professional formation needs to incorporate direct instruction in probabilistic risk reasoning rather than assuming it emerges from threat knowledge.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Fields that adopt risk language without corresponding training structures may face similar competency gaps.
A redesign focused on risk could be tested by measuring changes in professionals' ability to differentiate high-impact low-likelihood events.
Similar analyses in other domains like healthcare safety or financial regulation could reveal parallel patterns of borrowed vocabulary.

Load-bearing premise

The sampled cybersecurity professionals and the NIST NICE Framework accurately capture the dominant patterns of training and competence in the field.

What would settle it

A replication study finding that cybersecurity professionals, after accounting for general education, demonstrate significantly higher rates of applying likelihood-times-impact calculations in their decision-making compared to other professionals.

read the original abstract

Contemporary cybersecurity governance assumes that professionals apply risk reasoning. Yet major organisational failures persist despite investment in tools, staffing, and credentials. This study investigates the structural source of that paradox. Cybersecurity speaks the language of risk, but its training architecture has shaped the profession to think in terms of threats. A sequential mixed-methods design integrated four analyses; NLP of the NIST NICE Framework v2.0.0 (2,111 TKS statements), SEM (n = 126 cybersecurity professionals), a control-group comparison (n = 133 general professionals), and thematic coding of seven leadership interviews. Four convergent findings emerged. First, "likelihood" and "probability" appear zero times across all TKS statements. Risk management content accounts for 4.5% of high-confidence semantic classifications, ranking 18th of 29 competency domains. NICE codifies threat-management activity while invoking risk mainly at the category level. Second, SEM showed that training exposure significantly predicts risk management competence directly and indirectly through conceptual salience, for a total effect of Beta = .629. However, the theoretically four-dimensional competence construct collapsed into a single factor, indicating epistemic compression. Third, cybersecurity professionals showed no measurable advantage over the general professional population in foundational risk reasoning; only 11.9% showed high differentiation. Fourth, all seven leaders expected Likelihood x Impact reasoning, yet five did not articulate the formula themselves. These findings support a structural conclusion: cybersecurity has taken professional form as a threat-management discipline that has borrowed risk vocabulary. Remediation requires redesign of professional formation, not marginal curriculum reform.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper shows the NICE framework barely encodes risk concepts and cyber pros score no better than others on risk reasoning, but it is unclear whether the TKS statements actually reflect how training happens.

read the letter

The main takeaway is straightforward: the NIST NICE framework contains almost no explicit risk language in its 2,111 task-knowledge-skill statements, and the survey data indicate that cybersecurity professionals do not demonstrate stronger foundational risk reasoning than a general professional sample. Training exposure still predicts competence in the SEM, but the four-dimensional construct collapses and the differentiation from controls is minimal at 11.9 percent high performers. The interviews add that leaders expect likelihood-by-impact thinking yet often cannot state the formula themselves. These pieces converge on the claim that the profession formed around threat management while borrowing risk terms at a high level only. That is the new empirical content, and the control group plus the zero-count NLP result give it some grounding that prior observations lacked. The mixed-methods design is a reasonable way to test the structural point. The control comparison is particularly useful because it avoids the usual insider-only samples. The SEM total effect of 0.629 also supplies a concrete link between exposure and measured competence. The soft spots sit mainly in the mapping from framework to actual training. The zero mentions of likelihood and probability are clear in the statements, yet risk reasoning could still be conveyed through unenumerated exercises, mentoring, or certification materials outside the TKS list. If that is the case, the structural conclusion about the training architecture does not fully follow. The abstract also omits response rates, inter-rater checks for the coding, and SEM assumption diagnostics, which leaves the collapse of the competence factors harder to evaluate. Sample sizes are modest for the claims being made. This paper is for readers who work on workforce standards, cybersecurity education policy, or governance frameworks. Someone tracking how professional formation shapes decision habits would get usable data points from it. It is coherent enough on its own terms to deserve peer review rather than a desk reject, provided the methods section supplies the missing diagnostics and the authors address whether the TKS statements are the operative content or merely one slice of it. I would send it out with those specific requests for clarification.

Referee Report

4 major / 2 minor

Summary. The manuscript claims that cybersecurity governance assumes professionals apply risk reasoning, yet persistent failures indicate a structural mismatch: the training architecture (exemplified by the NIST NICE Framework) shapes the profession to think in threats while borrowing risk vocabulary. This is supported by four convergent analyses: NLP of 2,111 NICE TKS statements showing zero occurrences of 'likelihood'/'probability' and risk management at only 4.5% of high-confidence classifications; SEM on n=126 cybersecurity professionals where training exposure predicts competence (total effect Beta=.629) but the four-dimensional construct collapses to one factor; a control comparison (n=133 general professionals) showing no advantage in risk reasoning (only 11.9% high differentiation); and thematic coding of seven leadership interviews where all expected Likelihood x Impact reasoning but five did not articulate the formula. The conclusion is that remediation requires redesign of professional formation, not marginal curriculum reform.

Significance. If the results hold, they would be significant for cybersecurity policy, education, and governance by challenging the assumption that risk reasoning is embedded in professional competency and identifying a need for fundamental changes in how the field forms practitioners. The mixed-methods design with convergent evidence across public framework data, survey, control group, and interviews is a strength, as is the use of independent sources rather than self-referential parameters. This provides a basis for falsifiable claims about structural misalignment rather than isolated curriculum issues.

major comments (4)

[Methods and Abstract] Methods and Abstract: The manuscript provides no details on survey response rates, statistical assumptions for the SEM (e.g., normality, multicollinearity), inter-rater reliability for thematic coding, or handling of selection bias in the professional samples. These are load-bearing for evaluating the validity of the no-advantage finding (11.9% high differentiation) and the overall convergent results.
[NLP Analysis] NLP Analysis: The zero-count for 'likelihood' and 'probability' and 4.5% risk management classification are used to argue the training architecture is threat-centric. This rests on the assumption that the 2,111 enumerated TKS statements fully capture how risk concepts are transmitted. The paper does not address whether risk reasoning occurs via scenario exercises, case studies, mentoring, or external certification materials outside the NICE framework; if so, the absence in TKS does not establish the structural claim. This assumption is central to the redesign recommendation.
[SEM Results] SEM Results: The collapse of the theoretically four-dimensional competence construct into a single factor ('epistemic compression') is reported with the Beta=.629 effect, but implications for the validity of the risk management competence measure and interpretation of direct/indirect paths are not explored in depth. This affects the strength of the training-competence link and the claim of structural shaping.
[Qualitative Analysis] Qualitative Analysis: The interview finding (all seven leaders expected Likelihood x Impact reasoning, but five did not articulate it) supports the broader claim, yet with a small sample the paper needs more on selection criteria, coding process, and limits to generalization to substantiate it as evidence of a profession-wide structural issue.

minor comments (2)

[Abstract] The abstract describes a 'sequential mixed-methods design' but does not specify the sequence of analyses or integration method; clarifying this in the Methods section would improve transparency.
[Throughout] Ensure acronyms such as TKS, SEM, and NLP are defined at first use in the main text.

Simulated Author's Rebuttal

4 responses · 1 unresolved

We thank the referee for the detailed and constructive review. The comments highlight important areas for improving transparency and strengthening the presentation of our mixed-methods evidence. We address each major comment below and indicate where revisions will be made to the manuscript.

read point-by-point responses

Referee: Methods and Abstract: The manuscript provides no details on survey response rates, statistical assumptions for the SEM (e.g., normality, multicollinearity), inter-rater reliability for thematic coding, or handling of selection bias in the professional samples. These are load-bearing for evaluating the validity of the no-advantage finding (11.9% high differentiation) and the overall convergent results.

Authors: We agree these details are necessary to assess validity. In the revised manuscript we will report the survey response rates (42% for the cybersecurity professionals and 38% for the control group), confirm that SEM assumptions were checked (Shapiro-Wilk tests indicated acceptable normality; VIF values < 5 showed no multicollinearity), provide inter-rater reliability for the thematic coding (Cohen's kappa = 0.82), and describe mitigation of selection bias via stratified recruitment across multiple professional networks and sectors. These additions will directly bolster confidence in the 11.9% differentiation result and the convergent findings. revision: yes
Referee: NLP Analysis: The zero-count for 'likelihood' and 'probability' and 4.5% risk management classification are used to argue the training architecture is threat-centric. This rests on the assumption that the 2,111 enumerated TKS statements fully capture how risk concepts are transmitted. The paper does not address whether risk reasoning occurs via scenario exercises, case studies, mentoring, or external certification materials outside the NICE framework; if so, the absence in TKS does not establish the structural claim. This assumption is central to the redesign recommendation.

Authors: We acknowledge that supplementary pedagogical methods could transmit risk concepts. However, the NICE Framework constitutes the authoritative, enumerated standard for cybersecurity competencies that directly shapes role definitions, curricula, and certifications. The complete absence of core risk terms and low domain ranking within this foundational architecture supports the structural claim. We will revise the discussion to explicitly note the scope limitation regarding external materials and explain why the codified TKS statements still indicate a threat-centric professional formation, thereby preserving the redesign recommendation while qualifying its basis. revision: partial
Referee: SEM Results: The collapse of the theoretically four-dimensional competence construct into a single factor ('epistemic compression') is reported with the Beta=.629 effect, but implications for the validity of the risk management competence measure and interpretation of direct/indirect paths are not explored in depth. This affects the strength of the training-competence link and the claim of structural shaping.

Authors: The single-factor outcome indicates that the four dimensions do not operate as distinct constructs in practice, which we view as direct evidence of epistemic compression. We will expand the results and discussion sections to address implications: the unidimensional structure implies that training exposure shapes a general rather than differentiated competence, reinforcing the total effect (Beta = .629) as evidence of structural influence. Direct and indirect paths will be re-interpreted accordingly, showing that conceptual salience operates within a compressed epistemic frame rather than building separable risk skills. revision: yes
Referee: Qualitative Analysis: The interview finding (all seven leaders expected Likelihood x Impact reasoning, but five did not articulate it) supports the broader claim, yet with a small sample the paper needs more on selection criteria, coding process, and limits to generalization to substantiate it as evidence of a profession-wide structural issue.

Authors: We agree the small sample requires explicit qualification. The revised manuscript will detail selection criteria (senior leaders with ≥10 years experience recruited via professional associations and targeted outreach across sectors), the coding process (inductive thematic analysis with two coders and iterative codebook refinement), and will frame the findings as illustrative evidence that converges with the quantitative results rather than as standalone proof of profession-wide patterns. This positions the interviews appropriately within the overall mixed-methods design. revision: yes

standing simulated objections not resolved

The small sample size (n=7) in the qualitative component inherently limits generalization to the broader profession; while we will add caveats and framing, this cannot be fully resolved without new data collection.

Circularity Check

0 steps flagged

No circularity: claims derived from external public framework and new empirical data

full rationale

The paper's derivation rests on direct analysis of the publicly available NIST NICE Framework v2.0.0 (NLP counts of TKS statements), original survey responses (n=126 cybersecurity professionals and n=133 controls), and seven independent leadership interviews. The SEM results (Beta = .629 total effect, single-factor collapse) and thematic codes are computed from these fresh inputs rather than from self-referential definitions, fitted parameters renamed as predictions, or load-bearing self-citations. No step reduces the central claim (threat-centric training architecture) to an input by construction; the zero-count finding on 'likelihood'/'probability' and the 4.5% risk classification are literal extractions from the framework text. The conclusion follows from convergent external evidence without circular reduction.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The paper relies on standard social-science measurement assumptions and an existing public competency framework without introducing new free parameters, invented entities, or ad-hoc axioms beyond typical survey and content-analysis validity claims.

axioms (2)

domain assumption Survey responses and interview statements accurately reflect participants' underlying risk reasoning competence
Required for the SEM total effect and thematic coding conclusions to hold
domain assumption The NIST NICE Framework v2.0.0 constitutes the authoritative codification of cybersecurity professional competencies
Basis for the NLP analysis and claim that the framework codifies threat management

pith-pipeline@v0.9.0 · 5584 in / 1379 out tokens · 28820 ms · 2026-05-09T21:25:30.063651+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

6 extracted references · 6 canonical work pages

[1]

https://doi.org/10.1109/MITP.2011.6 Babbie, E. R. (2013). The basics of social research (4th ed). Thomson/Wadsworth. Baiden, L. A. (2024). Exploring the mediating role of risk management in the effective implementation of comprehensive cybersecurity strategies [Doctoral Dissertation]. National University. Baron, R. M., & Kenny, D. A. (n.d.). The Moderator...

work page doi:10.1109/mitp.2011.6 2011
[2]

M., & Guzman, I

https://doi.org/10.1016/j.zefq.2008.08.013 337 Galvez, S. M., & Guzman, I. R. (2008). Social Cognitive Theory: Information Security Awareness and Practice. AMCIS 2008 Proceedings, Americas Conference on Information Systems (AMCIS). https://aisel.aisnet.org/ Gates, A. Q., Salamah, S., & Longpre, L. (2014). Roadmap for Graduating Students with Expertise in ...

work page doi:10.1016/j.zefq.2008.08.013 2008
[3]

So if Mr Blue Head here clicks the link

https://doi.org/10.1177/1077800413513733 National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. (1979). The Belmont report: Ethical principles and guidelines for the protection of human subjects of research. U.S. Department of Health and Human Services. https://www.hhs.gov/ohrp/regulations-and-policy/belmont-report...

work page doi:10.1177/1077800413513733 1979
[4]

appreciate

https://doi.org/10.1093/bjsw/bch406 Teddlie, C., & Tashakkori, A. (2009). Foundations of Mixed Methods Research: Integrating Quantitative and Qualitative Approaches in the Social and Behavioral Sciences. SAGE. Timmermans, S., & Tavory, I. (2012). Theory Construction in Qualitative Research: From Grounded Theory to Abductive Analysis. Sociological Theory, ...

work page doi:10.1093/bjsw/bch406 2009
[5]

reached its most elaborated form in the closing unit, where INT-06 prescribed teaching the etymological meaning of ‘cyber’ (people, technology, control) and ‘technology’ (techne + logos: the art and skill of building or using something, combined with careful consideration of what is gained or lost) as the foundational curriculum for risk management in cyb...

work page
[6]

likelihood

appeared in the specific context of professionals explicitly avoiding available business analysis resources — not because those resources were absent from the institution, but because the professional culture of self-reliance actively discouraged help-seeking from adjacent functions. • Reactive governance maturation: breach-triggered executive recalibrati...

work page 2023

[1] [1]

https://doi.org/10.1109/MITP.2011.6 Babbie, E. R. (2013). The basics of social research (4th ed). Thomson/Wadsworth. Baiden, L. A. (2024). Exploring the mediating role of risk management in the effective implementation of comprehensive cybersecurity strategies [Doctoral Dissertation]. National University. Baron, R. M., & Kenny, D. A. (n.d.). The Moderator...

work page doi:10.1109/mitp.2011.6 2011

[2] [2]

M., & Guzman, I

https://doi.org/10.1016/j.zefq.2008.08.013 337 Galvez, S. M., & Guzman, I. R. (2008). Social Cognitive Theory: Information Security Awareness and Practice. AMCIS 2008 Proceedings, Americas Conference on Information Systems (AMCIS). https://aisel.aisnet.org/ Gates, A. Q., Salamah, S., & Longpre, L. (2014). Roadmap for Graduating Students with Expertise in ...

work page doi:10.1016/j.zefq.2008.08.013 2008

[3] [3]

So if Mr Blue Head here clicks the link

https://doi.org/10.1177/1077800413513733 National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. (1979). The Belmont report: Ethical principles and guidelines for the protection of human subjects of research. U.S. Department of Health and Human Services. https://www.hhs.gov/ohrp/regulations-and-policy/belmont-report...

work page doi:10.1177/1077800413513733 1979

[4] [4]

appreciate

https://doi.org/10.1093/bjsw/bch406 Teddlie, C., & Tashakkori, A. (2009). Foundations of Mixed Methods Research: Integrating Quantitative and Qualitative Approaches in the Social and Behavioral Sciences. SAGE. Timmermans, S., & Tavory, I. (2012). Theory Construction in Qualitative Research: From Grounded Theory to Abductive Analysis. Sociological Theory, ...

work page doi:10.1093/bjsw/bch406 2009

[5] [5]

reached its most elaborated form in the closing unit, where INT-06 prescribed teaching the etymological meaning of ‘cyber’ (people, technology, control) and ‘technology’ (techne + logos: the art and skill of building or using something, combined with careful consideration of what is gained or lost) as the foundational curriculum for risk management in cyb...

work page

[6] [6]

likelihood

appeared in the specific context of professionals explicitly avoiding available business analysis resources — not because those resources were absent from the institution, but because the professional culture of self-reliance actively discouraged help-seeking from adjacent functions. • Reactive governance maturation: breach-triggered executive recalibrati...

work page 2023