IDEAS home Printed from https://ideas.repec.org/p/arx/papers/2604.21604.html

Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency

Author

Listed:
  • Jeffrey T. Gardiner

Abstract

Contemporary cybersecurity governance assumes that professionals apply risk reasoning. Yet major organisational failures persist despite investment in tools, staffing, and credentials. This study investigates the structural source of that paradox. Cybersecurity speaks the language of risk, but its training architecture has shaped the profession to think in terms of threats. A sequential mixed-methods design integrated four analyses; NLP of the NIST NICE Framework v2.0.0 (2,111 TKS statements), SEM (n = 126 cybersecurity professionals), a control-group comparison (n = 133 general professionals), and thematic coding of seven leadership interviews. Four convergent findings emerged. First, "likelihood" and "probability" appear zero times across all TKS statements. Risk management content accounts for 4.5% of high-confidence semantic classifications, ranking 18th of 29 competency domains. NICE codifies threat-management activity while invoking risk mainly at the category level. Second, SEM showed that training exposure significantly predicts risk management competence directly and indirectly through conceptual salience, for a total effect of Beta = .629. However, the theoretically four-dimensional competence construct collapsed into a single factor, indicating epistemic compression. Third, cybersecurity professionals showed no measurable advantage over the general professional population in foundational risk reasoning; only 11.9% showed high differentiation. Fourth, all seven leaders expected Likelihood x Impact reasoning, yet five did not articulate the formula themselves. These findings support a structural conclusion: cybersecurity has taken professional form as a threat-management discipline that has borrowed risk vocabulary. Remediation requires redesign of professional formation, not marginal curriculum reform.

Suggested Citation

  • Jeffrey T. Gardiner, 2026. "Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency," Papers 2604.21604, arXiv.org.
    • Handle: RePEc:arx:papers:2604.21604
    as

    Download full text from publisher

    File URL: https://arxiv.org/pdf/2604.21604
    File Function: Latest version
    Download Restriction: no
    ---><---

    References listed on IDEAS

    as
    1. Stephen Gates & Jean-Louis Nicolas & Paul L. Walker, 2012. "Enterprise risk management: A process for enhanced management and improved performance," Post-Print hal-00857435, HAL.
    2. Paul Klumpes, 2023. "Coordination of cybersecurity risk management in the U.K. insurance sector," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 332-371, April.
    3. Gordon, Lawrence A. & Loeb, Martin P. & Tseng, Chih-Yang, 2009. "Enterprise risk management and firm performance: A contingency perspective," Journal of Accounting and Public Policy, Elsevier, vol. 28(4), pages 301-327, July.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Gardiner, Jeffrey T., 2026. "Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency," Thesis Commons rf8xj_v1, Center for Open Science.
    2. Therese R. Viscelli & Mark S. Beasley & Dana R. Hermanson, 2016. "Research Insights About Risk Governance," SAGE Open, , vol. 6(4), pages 21582440166, November.
    3. Rami Shaheen & Mehmet Ağa & Husam Rjoub & Ahmad Abualrub, 2020. "Investigation of the Pillars of Sustainability Risk Management as an Extension of Enterprise Risk Management on Palestinian Insurance Firms’ Profitability," Sustainability, MDPI, vol. 12(11), pages 1-20, June.
    4. Lee, Chia-Ling & Wang, Wen-Ying, 2020. "Strategy, accountants’ activities and new product development performance," Advances in accounting, Elsevier, vol. 50(C).
    5. Adam, Mukhtar & Soliman, Alaa. M. & Mahtab, Nehal, 2023. "Measuring enterprise risk management implementation: A multifaceted approach for the banking sector," The Quarterly Review of Economics and Finance, Elsevier, vol. 87(C), pages 244-256.
    6. Ishaya John Dabari & Siti Zabedah Saidin, 2015. "Determinants Influencing the Implementation of Enterprise Risk Management in the Nigerian Banking Sector," International Journal of Asian Social Science, Asian Economic and Social Society, vol. 5(12), pages 740-754, December.
    7. repec:jaf:journl:v:14:y:2023:i:2:n:529 is not listed on IDEAS
    8. Kingsley Alawattegama, 2017. "The Impact of Enterprise Risk Management on Firm Performance: Evidence from Sri Lankan Banking and Finance Industry," International Journal of Business and Management, Canadian Center of Science and Education, vol. 13(1), pages 225-225, December.
    9. Yao, Shouyu & Pan, Yuying & Sensoy, Ahmet & Uddin, Gazi Salah & Cheng, Feiyang, 2021. "Green credit policy and firm performance: What we learn from China," Energy Economics, Elsevier, vol. 101(C).
    10. José Ruiz-Canela López, 2021. "How Can Enterprise Risk Management Help in Evaluating the Operational Risks for a Telecommunications Company?," JRFM, MDPI, vol. 14(3), pages 1-26, March.
    11. Jae-Woong Jeong & Heon-Hwi Lee & Hun Park, 2022. "A Study on the Effect of Knowledge Services on Organizational Performances Based on the Concept of Balanced Scorecards for the Sustainable Growth of Firms: Evidence from South Korea," Sustainability, MDPI, vol. 14(19), pages 1-19, October.
    12. Elisabetta Mafrolla & Felice Matozza, 2014. "Risk management and firm size: a survey of Italian private companies," MANAGEMENT CONTROL, FrancoAngeli Editore, vol. 2014(3), pages 87-108.
    13. Slapničar, Sergeja & Axelsen, Micheal & Bongiovanni, Ivano & Stockdale, David, 2023. "A pathway model to five lines of accountability in cybersecurity governance," International Journal of Accounting Information Systems, Elsevier, vol. 51(C).
    14. Yingyu Zhang & Hui Luan & Wei Shao & Yingjun Xu, 2016. "Managerial risk preference and its influencing factors: analysis of large state-owned enterprises management personnel in China," Risk Management, Palgrave Macmillan, vol. 18(2), pages 135-158, August.
    15. Stanley Chege & Gregory Wanyembi & Constantine Nyamboga, 2023. "Enterprise Risk Management Practices in Kenya," Journal of International Business Research and Marketing, Inovatus Services Ltd., vol. 8(1), pages 15-26, April.
    16. Li, Yulin & Liu, Xiaohui & Canil, Jean & Cheong, Chee Seng, 2025. "Biodiversity risk and firm efficiency," Finance Research Letters, Elsevier, vol. 71(C).
    17. Yongrok Choi & Xiaoxia Ye & Lu Zhao & Amanda Luo, 2016. "Optimizing enterprise risk management: a literature review and critical analysis of the work of Wu and Olson," Annals of Operations Research, Springer, vol. 237(1), pages 281-300, February.
    18. Rita Lamboglia & Francesco Paolone & Daniela Mancini, 2019. "Determinants of the implementation of environmental risk indicators: Empirical evidence from the Italian manufacturing context," Corporate Social Responsibility and Environmental Management, John Wiley & Sons, vol. 26(2), pages 307-316, March.
    19. Andrew F. Whitman, 2015. "Is ERM Legally Required? Yes for Financial and Governmental Institutions, No for Private Enterprises," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 18(2), pages 161-197, September.
    20. Jan Kopia, & Vanessa Just, & Wiebke Geldmacher,, 2017. "Organization Performance And Enterprise Risk Management," EcoForum, "Stefan cel Mare" University of Suceava, Romania, Faculty of Economics and Public Administration - Economy, Business Administration and Tourism Department., vol. 6(1), pages 1-37, January.
    21. Malik, Muhammad Farhan & Zaman, Mahbub & Buckby, Sherrena, 2020. "Enterprise risk management and firm performance: Role of the risk committee," Journal of Contemporary Accounting and Economics, Elsevier, vol. 16(1).

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:arx:papers:2604.21604. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: arXiv administrators (email available below). General contact details of provider: https://arxiv.org/ .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.