11 Risk Management Skills Assessment

Philosophy & Design Document

Version 1.0 | December 2024 | Cyber Point Advisory

Executive Summary

The 11 Risk Management Skills Assessment is a self-reflection tool designed to help aspiring cybersecurity professionals identify their soft skill strengths and growth areas. Unlike technical assessments that measure knowledge, this tool measures behavioral tendencies and self-perception across 11 critical interpersonal competencies.

"Technical skills get you hired. Soft skills get you promoted."

In cybersecurity, professionals spend 60-70% of their time communicating, collaborating, and influencing—not writing code or configuring firewalls. Yet most career preparation focuses almost exclusively on technical certifications. This assessment addresses that gap.

Why These 11 Skills?

These skills were identified through:

  • Analysis of CISO and security leadership job descriptions
  • Interviews with hiring managers at Fortune 500 companies
  • Research on why security professionals plateau at mid-career
  • The NICE Cybersecurity Workforce Framework competency areas

The Philosophy Behind Soft Skills in Cybersecurity

The Technical Trap

Many cybersecurity career-changers fall into what we call the "Technical Trap"—believing that more certifications, more lab time, and more technical knowledge will guarantee success. While technical competency is necessary, it is not sufficient.

Consider this reality:

  • A SOC analyst who can't explain a threat to business stakeholders will be ignored
  • A GRC professional who lacks courage won't escalate critical risks
  • A penetration tester who can't build rapport won't get client buy-in for remediation
  • A security architect who can't negotiate will have their designs rejected

The Human Element of Security

Cybersecurity is fundamentally a human problem, not just a technical one:

  1. Attackers are human – They exploit human psychology through social engineering
  2. Defenders are human – They must communicate, collaborate, and make judgment calls
  3. Stakeholders are human – They need to be persuaded, educated, and supported
  4. Decisions are human – Risk acceptance is a business judgment, not a mathematical equation

Growth Mindset Foundation

The assessment is built on Carol Dweck's growth mindset research. Every skill measured can be developed with deliberate practice. The tool is designed to:

  • Raise awareness of skills that matter
  • Identify starting points for development
  • Celebrate existing strengths that transfer from other careers
  • Normalize the journey of continuous improvement

The 11 Skills Framework

The 11 skills are organized into three functional categories:

Category 1: Communication & Connection (4 skills)

These skills enable you to effectively share information and build relationships.

  • Communication – Clearly conveying information and ideas. Translating technical risks into business impact.
  • Active Listening – Fully concentrating on and understanding others. Gathering requirements, understanding user concerns.
  • Building Rapport – Creating trust and mutual understanding. Getting cooperation from reluctant stakeholders.
  • Stakeholder Relations – Managing relationships with interested parties. Navigating organizational politics around security.

Category 2: Self & Courage (3 skills)

These skills enable you to act with integrity and confidence.

  • Self-Awareness – Understanding your own emotions and biases. Recognizing when fear or ego affects decisions.
  • Courage – Speaking up despite fear or uncertainty. Escalating risks, delivering bad news to leadership.
  • Negotiation – Reaching agreements through discussion. Getting budget, resources, and policy adoption.

Category 3: Thinking & Problem-Solving (4 skills)

These skills enable you to analyze situations and develop solutions.

  • Critical Thinking – Analyzing information objectively. Evaluating vendor claims, assessing threat intelligence.
  • Analytical Skills – Collecting and analyzing data. Risk quantification, incident investigation.
  • Creative Problem Solving – Finding innovative solutions. Designing controls within constraints.
  • Team Building – Creating effective working groups. Building security culture, leading incident response.

Assessment Design Methodology

Why Self-Assessment?

We chose self-assessment over 360-degree feedback or behavioral testing for several reasons:

  • Accessibility – Can be taken individually without workplace involvement
  • Privacy – Career changers may not want employers to know they're exploring security
  • Reflection value – The act of self-reflection itself builds self-awareness
  • Non-threatening – Reduces anxiety that could skew results
  • Repeatability – Can be retaken as skills develop

Likert Scale Selection

We use a 5-point Likert scale:

Value | Label | Intent
1 | Strongly Disagree | Clear deficiency – rarely demonstrates this behavior
2 | Disagree | Below average – inconsistent demonstration
3 | Neutral | Average – sometimes demonstrates, sometimes doesn't
4 | Agree | Above average – usually demonstrates this behavior
5 | Strongly Agree | Clear strength – consistently demonstrates

Question Count Rationale

4 questions per skill × 11 skills = 44 questions total

  • Minimum for reliability – Fewer than 3 questions per construct is statistically unreliable
  • Maximum for engagement – More than 5 per skill causes fatigue
  • Covers key dimensions – Each question addresses a different facet
  • Allows inconsistency detection – Varied responses suggest uncertainty

Question Structure & Intent

Question Design Principles

Each question was crafted following these principles:

  1. Behavioral, not hypothetical – "I do X" rather than "I would do X"
  2. Specific, not vague – Observable behaviors rather than general traits
  3. First-person statements – Self-reflection rather than third-party observation
  4. Positive framing – What you DO rather than what you DON'T do
  5. Workplace-applicable – Scenarios relevant to professional settings

Example: Communication Questions

Q# | Question | Dimension Measured
1 | "I can explain complex technical concepts in terms non-technical stakeholders understand." | Translation – Technical to business
2 | "I tailor my communication style based on my audience." | Adaptability – Audience awareness
3 | "I effectively communicate risks in terms of business impact." | Business Alignment – Risk framing
4 | "I am comfortable presenting to groups of any size." | Delivery – Confidence and presence

Scoring Logic

Individual Skill Scores

Each skill score is calculated as the average of its 4 questions, producing a score between 1.0 and 5.0.

Score Interpretation Bands

1.0 - 2.0 | Developing | Significant opportunity for growth
2.01 - 3.5 | Emerging | Building foundation, inconsistent application
3.51 - 4.25 | Proficient | Solid capability, room for refinement
4.26 - 5.0 | Strong | Key strength, potential to mentor others

Radar Chart Visualization

The radar (spider) chart provides visual pattern recognition:

  • Balanced profile – Roughly circular shape, well-rounded
  • Spiked profile – Clear strengths and weaknesses
  • Skewed profile – Strength in one category, weakness in another

Results Interpretation

What Results Mean

High scores (4.0+) suggest:

  • Existing strength that transfers to cybersecurity
  • Potential area for mentoring others
  • Foundation to build technical skills upon

Low scores (below 2.5) suggest:

  • Priority development area
  • May need deliberate practice
  • Consider seeking feedback from others to validate self-perception

What Results Don't Mean

Results do NOT indicate:

  • Fitness for cybersecurity (soft skills can be developed)
  • Current job performance (different context)
  • Intelligence or potential (only current self-perception)
  • Permanent traits (all skills are developable)

Psychological Foundations

Self-Assessment Limitations

This tool has inherent limitations that users should understand:

  • Dunning-Kruger Effect – Low performers tend to overestimate; high performers underestimate
  • Social Desirability Bias – People answer how they want to be seen
  • Recency Bias – Recent events disproportionately influence responses
  • Mood Effects – Current emotional state affects self-perception

Mitigation Strategies

The tool incorporates several design features to mitigate these biases:

  • Behavioral framing – "I do X" rather than "I am X" reduces identity threat
  • 4 questions per skill – Reduces impact of single biased response
  • No obvious "right answer" – Questions don't telegraph desired responses
  • Growth framing in results – Results presented as development opportunities, not judgments