Contemporary cybersecurity governance assumes that professionals apply risk reasoning. Yet major organisational failures persist despite investment in tools, staffing, and credentials. This study investigates the structural source of that paradox. Cybersecurity speaks the language of risk, but its training architecture has shaped the profession to think in terms of threats. A sequential mixed-methods design integrated four analyses: NLP of the NIST NICE Framework v2.0.0 (2,111 TKS statements), SEM (n = 126 cybersecurity professionals), a control-group comparison (n = 133 general professionals), and thematic coding of seven leadership interviews. Four convergent findings emerged. First, "likelihood" and "probability" appear zero times across all TKS statements. Risk management content accounts for 4.5% of high-confidence semantic classifications, ranking 18th of 29 competency domains. NICE codifies threat-management activity while invoking risk mainly at the category level. Second, SEM showed that training exposure significantly predicts risk management competence both directly and indirectly through conceptual salience, for a total effect of Beta = .629. However, the theoretically four-dimensional competence construct collapsed into a single factor, indicating epistemic compression. Third, cybersecurity professionals showed no measurable advantage over the general professional population in foundational risk reasoning; only 11.9% showed high differentiation. Fourth, all seven leaders expected Likelihood x Impact reasoning, yet five did not articulate the formula themselves. These findings support a structural conclusion: cybersecurity has taken professional form as a threat-management discipline that has borrowed risk vocabulary. Remediation requires redesign of professional formation, not marginal curriculum reform.