Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency

Computer Science > Cryptography and Security [Submitted on 23 Apr 2026] Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency Jeffrey T. Gardiner Contemporary cybersecurity governance assumes that professionals apply risk reasoning. Yet major organisational failures persist despite investment in tools, staffing, and credentials. This study investigates the structural source of that paradox. Cybersecurity speaks the language of risk, but its training architecture has shaped the profession to think in terms of threats. A sequential mixed-methods design integrated four analyses; NLP of the NIST NICE Framework v2.0.0 (2,111 TKS statements), SEM (n = 126 cybersecurity professionals), a control-group comparison (n = 133 general professionals), and thematic coding of seven leadership interviews. Four convergent findings emerged. First, "likelihood" and "probability" appear zero times across all TKS statements. Risk management content accounts for 4.5% of high-confidence semantic classifications, ranking 18th of 29 competency domains. NICE codifies threat-management activity while invoking risk mainly at the category level. Second, SEM showed that training exposure significantly predicts risk management competence directly and indirectly through conceptual salience, for a total effect of Beta = .629. However, the theoretically four-dimensional competence construct collapsed into a single factor, indicating epistemic compression. Third, cybersecurity professionals showed no measurable advantage over the general professional population in foundational risk reasoning; only 11.9% showed high differentiation. Fourth, all seven leaders expected Likelihood x Impact reasoning, yet five did not articulate the formula themselves. These findings support a structural conclusion: cybersecurity has taken professional form as a threat-management discipline that has borrowed risk vocabulary. Remediation requires redesign of professional formation, not marginal curriculum reform. Comments: Doctor of Business Administration (DBA) Dissertation Subjects: Cryptography and Security (cs.CR); Computers and Society (cs.CY); General Economics (econ.GN) ACM classes: K.3.2 Cite as: arXiv:2604.21604 [cs.CR]   (or arXiv:2604.21604v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2604.21604 Focus to learn more Related DOI: https://doi.org/10.31237/osf.io/rf8xj_v1 Focus to learn more Submission history From: Jeffrey Gardiner [view email] [v1] Thu, 23 Apr 2026 12:27:03 UTC (5,477 KB) Access Paper: view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-04 Change to browse by: cs cs.CY econ econ.GN q-fin q-fin.EC References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)