Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency
Abstract
Contemporary cybersecurity governance assumes that professionals apply formal risk-exposure reasoning. Yet organizational failures persist despite substantial technical investment in tools, staff and credentialing. This study investigates the structural origin of that paradox. The findings suggest that cybersecurity speaks the language of risk, but its structural training has shaped it to think in terms of threats. The two are not the same. A sequential mixed-methods design integrated four independent analyses: semantic similarity-based Natural Language Processing (NLP) applied to the NIST NICE Framework v2.0.0 (2,111 TKS statements); Structural Equation Modelling (SEM; n = 126 cybersecurity professionals); a control group comparison (n = 133 general professionals); and thematic coding of seven senior cybersecurity leadership interviews. Four convergent findings emerged. First, NLP analysis found that "likelihood" and "probability" (necessary ingredients for gauging risk) each appear zero times across the 2,111 TKS statements; risk management content accounts for only 4.5% of high-confidence semantic classifications, ranking 18th of 29 competency domains. NICE codifies threat-management operations while invoking risk vocabulary primarily at the category level, indicating a framework oriented toward threat management rather than formal risk analysis. Second, SEM confirmed that training exposure significantly predicts risk management competence both directly (β = .406, p < .001) and indirectly through conceptual salience (β = .223, p < .001), yielding a total effect of β = .629. However, the theoretically four-dimensional risk competency construct collapsed into a single undifferentiated factor (a phenomenon this study terms epistemic compression), demonstrating that practitioners internalize the framework's cognitive architecture. Third, cybersecurity professionals demonstrated no measurable advantage over the general professional population in foundational risk reasoning (Cohen's d = 0.16, p = .205); only 11.9% achieved high differentiation. Fourth, all seven senior leaders expect their teams to apply Likelihood × Impact risk calculus, yet five did not articulate the formula they require of others. These findings converge on a single structural conclusion: cybersecurity has professionalized as a threat management discipline, adopting borrowed risk vocabulary. The study advances a three-level structural explanation (Training Architecture → Cognitive Internalization → Organizational Consequence) and concludes that effective remediation requires fundamental redesign of professional formation, not curriculum reform at the margins.