Printed from https://ideas.repec.org/p/osf/thesis/rf8xj_v1.html

Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency

Author

Listed:
  • Gardiner, Jeffrey T.

Abstract

Contemporary cybersecurity governance assumes that professionals apply formal risk-exposure reasoning. Yet organizational failures persist despite substantial technical investment in tools, staff and credentialing. This study investigates the structural origin of that paradox. The findings suggest that cybersecurity speaks the language of risk, but its structural training has shaped it to think in terms of threats. The two are not the same. A sequential mixed-methods design integrated four independent analyses: semantic similarity-based Natural Language Processing (NLP) applied to the NIST NICE Framework v2.0.0 (2,111 TKS statements); Structural Equation Modelling (SEM; n = 126 cybersecurity professionals); a control group comparison (n = 133 general professionals); and thematic coding of seven senior cybersecurity leadership interviews. Four convergent findings emerged. First, NLP analysis found that "likelihood" and "probability" (necessary ingredients for gauging risk) each appear zero times across 2,111 TKS statements; risk management content accounts for only 4.5% of high-confidence semantic classifications, ranking 18th of 29 competency domains. NICE codifies threat-management operations while primarily invoking risk vocabulary at the category level, indicating a framework oriented toward threat management rather than formal risk analysis. Second, SEM confirmed that training exposure significantly predicts risk management competence both directly (β = .406, p < .001) and indirectly through conceptual salience (β = .223, p < .001), yielding a total effect of β = .629. However, the theoretically four-dimensional risk competency construct collapsed into a single undifferentiated factor (a phenomenon this study terms epistemic compression), demonstrating that practitioners internalize the framework's cognitive architecture. 
Third, cybersecurity professionals demonstrated no measurable advantage over the general professional population in foundational risk reasoning (Cohen's d = 0.16, p = .205); only 11.9% achieved high differentiation. Fourth, all seven senior leaders expect their teams to apply Likelihood × Impact risk calculus, yet five did not articulate the formula they require of others. These findings converge on a single structural conclusion: cybersecurity has taken on a professional form as a threat management discipline, adopting borrowed risk vocabulary. The study advances a three-level structural explanation (Training Architecture → Cognitive Internalization → Organizational Consequence) and concludes that effective remediation requires fundamental redesign of professional formation, not curriculum reform at the margins.

Suggested Citation

  • Gardiner, Jeffrey T., 2026. "Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency," Thesis Commons rf8xj_v1, Center for Open Science.
  • Handle: RePEc:osf:thesis:rf8xj_v1
    DOI: 10.31219/osf.io/rf8xj_v1

    Download full text from publisher

    File URL: https://osf.io/download/69c58a4d646af3a33b1fe678/
    Download Restriction: no



