Cybersecurity professionals are no better at basic risk reasoning than a random person off the street.
April 24, 2026
Original Paper
Mitigate or Fail: How Risk Management Shapes Cybersecurity Competency
arXiv · 2604.21604
The Takeaway
Professionals hired to protect digital infrastructure show no measurable advantage over the general public in foundational risk logic. The industry relies heavily on the concept of risk management, yet formal training in the field does not seem to improve the actual reasoning skills of its practitioners. Most people assume that experts in a risk-heavy field would possess superior cognitive tools for evaluating threats and trade-offs. This study found a systemic gap between the requirements of the job and the actual competencies of the workforce. Security posture may depend more on following rigid protocols than on the expert judgment we assume is being applied.
From the abstract
Contemporary cybersecurity governance assumes that professionals apply risk reasoning. Yet major organisational failures persist despite investment in tools, staffing, and credentials. This study investigates the structural source of that paradox. Cybersecurity speaks the language of risk, but its training architecture has shaped the profession to think in terms of threats. A sequential mixed-methods design integrated four analyses: NLP of the NIST NICE Framework v2.0.0 (2,111 TKS statements), S