🔎 Scenario JA
Job Analysis — Student Edition
STUDENT
Overview⌘1
Tasks⌘2
KSAOs⌘3
CIT⌘4
O*NET⌘5
CTA⌘6
PAQ⌘7
JCM⌘8
Results⌘9
Legal
vs Competency
Handoff →
Glossary

Job Analysis — SecOps Analyst

Before any hiring system can be designed, validated, or defended in court, a defensible job analysis must establish what the job actually requires. This module walks you through performing one for the Meridian Security Operations Analyst role using six methods.

How to read this module. Work the tabs left to right (the Suggested order below mirrors them). Three tabs ask for your judgments — Tasks, KSAOs, and CIT — and everything downstream (Results, Legal, the alignment scores, the Word report) is built from those inputs. The other tabs (O*NET, CTA, PAQ, JCM) are analysis lenses that compare your role against expert and external benchmarks. Your work saves automatically as you go; you can close the tab and return. Hover any dashed termDashed-underline words like this reveal a definition or an instructional note on hover. They appear throughout the module on terms worth knowing. for a definition. Press ⌘K / Ctrl-K to jump to any section.
Saving & resuming. Your work saves automatically in this browser, but only on this computer. To continue on a different machine — or to be safe before closing — click 💾 Save (top-right) to download a small progress file, then 📂 Load it on the other computer to pick up exactly where you left off.
🔒 How scoring works (two-phase). This module scores your first pass, the way a real job analyst commits an analysis before comparing notes with the SME panel. While you work, no SME answers are shown anywhere. When you have rated the tasks, sorted the incidents, mapped O*NET, and set the JCM sliders, go to the Handoff tab and click 🔒 Lock my analysis. Locking freezes your first pass for scoring and reveals the panel's answers everywhere — after that you can keep exploring and changing responses freely, but the locked pass is what is scored and exported.

Why this module exists

The Meridian hiring audit (the next app in this package) concludes that the selection system is "fundamentally sound but has two acute issues." Every one of those conclusions presupposes a job analysis. The audit references it once, in passing — but the audit's claims about validity, fairness, and legal defensibility all stand on whatever was in that report.

In this module you will perform the job analysis. Then in the handoff at the end, you will see how your work maps onto what Meridian's selection system actually does.

Six methods you will use

Task Inventory + criticality / frequency ratings

When to use: structured, defensible, quantitative analysis

Quantitative; aggregates across SMEs; supports content-validity claims under UGESP §1607.14(C)(4)

Time-intensive; can miss tacit knowledge; static snapshot

Critical Incident Technique (Flanagan, 1954)

When to use: deriving behavioral standards, training, performance criteria

Generates rich behavioral exemplars; foundation for behavioral interview anchors

Memory-dependent; over-samples extremes; requires skilled interviewer

O*NET cross-walk

When to use: rapid orientation, generalizability claims, validation transport

Free, public, standardized; supports UGESP §1607.7 validity generalization arguments

Generic by design; misses organization-specific context

Cognitive Task Analysis

When to use: knowledge-intensive expert work; SJT and work-sample design

Captures tacit cognitive demands; reveals expert-novice differences

Labor-intensive; requires expert verbalization; expensive

Position Analysis Questionnaire (PAQ)

When to use: comparing jobs, compensation analysis, broad worker-oriented profile

Worker-oriented; comparable across jobs; commercial norms available

Generic; high reading level required; less useful for selection-instrument design

Job Characteristics Model (Hackman & Oldham, 1976)

When to use: job redesign, motivation analysis, work design

Direct link to motivation and satisfaction outcomes; supports work-design interventions

Self-report dependent; weak link to selection-system design

Suggested order

  1. Task Inventory — rate the 18 SecOps tasks (10 min)
  2. KSAOs — select which are required (10 min)
  3. Critical Incidents — sort 8 incidents and derive anchors (10 min)
  4. O*NET cross-walk — map O*NET descriptors to your KSAOs (5 min)
  5. Cognitive Task Analysis — observe and analyze (5 min)
  6. PAQ — review the worker-oriented profile (3 min)
  7. Job Characteristics Model — rate the role's motivating potential (5 min)
  8. Artifacts — review the auto-generated job description, KSAO matrix, selection blueprint
  9. Legal checklist — verify UGESP §1607.14 compliance
  10. Handoff — see your JA alongside Meridian's, and proceed to the audit

Task Inventory

Rate each of the 18 SecOps Analyst tasks on two dimensions: frequencyHow often the task is performed (1 = rarely, 5 = daily). Frequency alone does not make a task important — a rare task can be the most critical one in the job. That is why frequency and criticality are rated separately. (how often it is performed, 1=rarely / 5=daily) and criticalityThe consequences of failing to perform the task well (1 = minor, 5 = severe). Under UGESP, tasks high in criticality are the "critical work behaviors" your selection system must be built to predict — so this rating, more than frequency, drives the job description and KSAO links. (consequences of failure, 1=minor / 5=severe). Both are judged by a SME panelSubject-Matter Expert panel — experienced incumbents, supervisors, and specialists who know the job firsthand. In a real job analysis their pooled judgments are the benchmark; here the panel was 8 SMEs plus 3 incumbents, and your ratings are compared against their consensus. and yours are scored against theirs. These ratings drive the auto-generated job description and the KSAO-task linkage matrix.

Instructions

For each task below, click a frequency rating (blue) and a criticality rating (red). Tasks with criticality ≥ 4 will appear as "essential duties" in the job description. The task summary updates as you rate.

How this is scored. Each rating is compared to the SME panel's after you lock your analysis (Handoff tab). Criticality misses are weighted double relative to frequency misses, because criticality — not frequency — determines which tasks count as critical work behaviors under UGESP and drives everything downstream. Unrated tasks count as zero alignment in your combined score, so rate all 18.
Tasks rated
0/18
Avg frequency
Avg criticality
Critical tasks (4+)
0

The 18 tasks

ID
Task
Frequency (1-5)
Criticality (1-5)
T01
Monitor SIEM dashboards for real-time security alerts and anomalies
T02
Investigate suspicious user authentication patterns (e.g., impossible travel, brute force)
T03
Triage and categorize security alerts by severity and false-positive likelihood
T04
Author and tune detection rules in the SIEM (Sigma, KQL, Splunk SPL)
T05
Conduct forensic analysis of compromised endpoints using EDR tooling
T06
Document incident timelines and produce post-incident reports for leadership
T07
Coordinate incident response across IT, engineering, and legal teams
T08
Hunt proactively for threats not flagged by automated detections
T09
Maintain and update incident response runbooks and playbooks
T10
Brief executives on active incidents and security posture
T11
Review threat intelligence feeds for relevant indicators of compromise
T12
Validate security alerts against business context to reduce false positives
T13
Train junior analysts on detection methodology and triage workflows
T14
Participate in tabletop exercises and red-team engagements
T15
Maintain on-call rotation and respond to off-hours pages
T16
Manage relationships with external security vendors and service providers
T17
Conduct phishing analysis on user-reported suspicious emails
T18
Configure and tune endpoint detection and response (EDR) policies

KSAOs — Knowledge, Skills, Abilities, Other characteristics

A defensible job analysis must identify the KSAOs required to perform the critical work behaviors identified in the task inventory. Below are 12 candidate KSAOs derived from the task inventory.

Decide which are REQUIRED

For each KSAO, decide whether it is required for entry-level performance (vs. preferred or developable on the job). Set the minimum proficiency level needed. Note the two "Other" items at the bottom — credentials and degrees — which by default are NOT required. Think about whether they should be.

Mark a KSAO required only if you can tie it to a critical task you rated highly. That task-linkage is what makes a requirement defensible under UGESP. For a technical role like this, most of the knowledge, skills, and abilities will qualify, because each maps to a critical SOC task — so a strong analysis here marks most of them required. The discipline isn't to require fewer things; it's to require only job-related things. That is why the two "Other" items — a certification and a degree — default to not required: a credential is defensible only if the job truly demands it, and reflexively requiring a degree is the classic adverse-impact trap. Over-requiring creates legal risk when the extra requirements aren't job-related — not simply because the list is long.
UGESP §1607.14(C)(4) test: for any KSAO marked required, you must be able to defend (a) that it is necessary for performing critical work behaviors and (b) that the proficiency level you've set is not higher than what an entry-level performer would need.

The 12 candidate KSAOs

KNOWLEDGE
K01: Knowledge of network protocols (TCP/IP, DNS, HTTP/S, TLS)
Foundational — every detection and forensic task requires it
KNOWLEDGE
K02: Knowledge of common attack patterns (MITRE ATT&CK framework)
MITRE ATT&CK is the lingua franca; analysts can't communicate without it
KNOWLEDGE
K03: Knowledge of operating-system internals (Windows + Linux event logs)
Endpoint forensics impossible without OS-level knowledge
KNOWLEDGE
K04: Knowledge of cloud service provider security models (AWS, Azure, GCP)
Modern SecOps is cloud-first; on-prem-only candidates lose half the role
SKILL
S01: Skill in querying log data with SQL-like languages (SPL, KQL)
If they can't query SIEM data, they can't do the core monitoring job
SKILL
S02: Skill in scripting for automation (Python, PowerShell)
Required for detection-engineering tasks and runbook automation
SKILL
S03: Skill in technical writing for non-technical audiences
Briefing executives requires clear non-technical communication
ABILITY
A01: Ability to reason about ambiguous, partial evidence under time pressure
The defining cognitive demand of SOC work
ABILITY
A02: Ability to maintain attention to detail over extended monitoring shifts
Monitoring fatigue is the leading cause of missed alerts
ABILITY
A03: Ability to communicate clearly across functional boundaries (IT, legal, eng)
Incident response requires coordination across silos
OTHER
O01: Other: Holds or willing to obtain Security+, GCIH, or equivalent certification
Certifications correlate with knowledge but are not themselves the knowledge — Meridian's JA explicitly excluded these as requirements
OTHER
O02: Other: Bachelor's degree in CS, IS, or related field
Degree requirements have known adverse-impact patterns and weaker job-relatedness than direct KSAO measurement — Meridian's JA explicitly excluded

A question about the "Other" KSAOs

Notice that the SME panel did NOT mark "Bachelor's degree in CS" or "Security+ certification" as required. Why might that be? Consider:

  • Job-relatedness: Does the degree itself enable the task, or do the underlying KSAOs (which we ARE measuring) enable it?
  • Adverse impact: Degree requirements have well-documented disparate-impact patterns (Holzer, 2007; Fuller et al., 2017).
  • Less-discriminatory alternative doctrine: If degree-as-proxy and direct KSAO measurement are equally valid, the employer must use the less-discriminatory one.

If you mark them required anyway, the legal checklist will not flag you — but you should be able to defend the decision.

Critical Incident Technique

Flanagan (1954) introduced CIT as a method for deriving behavioral standards from observed incidents of effective and ineffective job performance. The output: behavioral exemplars at different effectiveness levels, used as anchors in rating scales (BARS) and structured interviews.

Sort 8 critical incidents

For each incident, rate the observed behavior on the 5-point anchor levelA point on a Behaviorally Anchored Rating Scale (BARS): a specific observed behavior tied to a number (here 1–5) that defines what that score "looks like" on the job. Anchors turn vague ratings ("good judgment") into concrete, defensible behavioral standards used in structured interviews. scale: 1–2 = ineffective, 3 = borderline, 4–5 = effective. This is the same judgment an SME panel makes when building BARS. Your rating is recorded immediately; the panel's anchor is revealed once you lock your analysis (Handoff tab), and you are scored on how close your anchor is to theirs — not just which side of effective/ineffective you landed on.

What these anchors become. The structured interview in Meridian's hiring system uses behavioral anchors (BARS)Behaviorally Anchored Rating Scale — an interview/appraisal scale where each numbered point is tied to a concrete, observed behavior (e.g., "5 = pages IR team and contains the threat within 15 min"). BARS replace vague impressions ("seemed competent") with job-sampled standards, which is what makes the resulting ratings defensible. derived from a CIT exactly like this one. The interview rubric asks candidates to describe similar situations, and raters score against the anchor levels (1=anchor of ineffective behavior, 5=anchor of effective behavior).

The incidents

CI01 scenario: At 2:47 AM, SIEMSecurity Information and Event Management — the central platform that aggregates logs and alerts from across the network (servers, firewalls, endpoints) so analysts can monitor, correlate, and investigate security events in one place. It is the SOC analyst’s primary console. fires an alert: 1,400 failed login attempts to a service account from a single IP in 6 minutes.
Observed behavior: Analyst pages the on-call IR team, blocks the source IP at the WAFWeb Application Firewall — a security control that filters and blocks malicious HTTP/S traffic to web applications. Blocking an attacking IP "at the WAF" stops the traffic before it reaches the protected application., pulls 30-day login history for the service account, and notifies the account owner — all within 12 minutes of the alert firing.
Ineffective Effective
CI02 scenario: Same scenario: 2:47 AM, 1,400 failed logins in 6 minutes.
Observed behavior: Analyst marks the alert as 'investigating' in the ticketing system and goes to make coffee, planning to look at it when they return.
Ineffective Effective
CI03 scenario: A new EDR alert pattern fires 47 times in one day — never seen before. Other analysts dismiss as noise.
Observed behavior: Analyst pulls a sample of 5 alerts, examines the underlying process trees, identifies that all 47 share a parent process spawned by a recently-deployed legitimate IT tool. Documents the false-positive pattern and updates the detection rule to suppress it, then notifies the team.
Ineffective Effective
CI04 scenario: User reports a suspicious email with a PDF attachment that 'just felt wrong'.
Observed behavior: Analyst forwards the email to the security team mailbox without analysis and tells the user 'we'll look at it later'. No follow-up occurs.
Ineffective Effective
CI05 scenario: Major incident in progress; CISOChief Information Security Officer — the senior executive accountable for the organization’s information-security strategy and risk. Briefing the CISO well under pressure is exactly why "communicate to non-technical leadership" (S03) is a required KSAO. asks for a 2-minute briefing in 5 minutes.
Observed behavior: Analyst opens their incident timeline, identifies the three facts the CISO needs (what was compromised, what's contained, what's still unknown), drafts a 4-sentence summary, and rehearses delivery once before the call.
Ineffective Effective
CI06 scenario: Threat intel report mentions a new IOC — a specific PowerShell command line pattern.
Observed behavior: Analyst reads the report, copies the exact string into a SIEM search, finds zero hits in the past 90 days, marks 'no exposure' in the threat intel ticket. Doesn't consider variant matches.
Ineffective Effective
CI07 scenario: Junior analyst escalates an alert that the senior analyst recognizes as a false positive.
Observed behavior: Senior analyst walks the junior through the indicators that distinguish this pattern from the real attack, documents the reasoning in the team wiki, and sets up a 30-min weekly office hour for similar questions.
Ineffective Effective
CI08 scenario: Incident response handoff at end-of-shift; complex investigation ongoing.
Observed behavior: Analyst writes a 1-paragraph status: 'still looking, will update in AM.' No timeline, no current hypotheses, no list of evidence collected so far.
Ineffective Effective

O*NET Cross-Walk

O*NET (occupationalinfo.org) is the U.S. Department of Labor's standardized occupational database. The closest match for Meridian's SecOps Analyst role is 15-1212.00 Information Security Analysts. Below are the actual O*NET descriptors. Your job: map them to the KSAOs you've identified.

Why this matters

O*NET cross-walks support two important arguments under UGESP:

  • §1607.7 validity generalization — if your role is substantially the O*NET occupation, you can argue that meta-analytic validity coefficients for the occupation apply locally.
  • §1607.14(B)(3) job-similarity — for content-validity claims, O*NET task lists provide an external benchmark for what "the job" typically includes.

O*NET tasks for 15-1212.00

Compare these against your task inventory. Are there tasks O*NET includes that your inventory missed? Tasks in your inventory that O*NET doesn't list (i.e., organization-specific)?

  1. Encrypt data transmissions and erect firewalls to conceal confidential information
  2. Develop plans to safeguard computer files against accidental or unauthorized modification, destruction, or disclosure
  3. Monitor current reports of computer viruses to determine when to update virus protection systems
  4. Confer with users to discuss issues such as computer data access needs, security violations, and programming changes
  5. Modify computer security files to incorporate new software, correct errors, or change individual access status
  6. Perform risk assessments and execute tests of data processing system to ensure functioning of data processing activities and security measures
  7. Coordinate implementation of computer system plan with establishment personnel and outside vendors
  8. Train users and promote security awareness to ensure system security
  9. Maintain permanent fleet cryptologic and tactical/strategic intelligence support systems
  10. Document computer security and emergency measures policies, procedures, and tests

Map O*NET descriptors to your KSAOs

Click the KSAO chips that each O*NET descriptor corresponds to. Hover any chip to see what it stands for, and hover any importance numberO*NET’s national 0–100 rating of how important that descriptor is for this occupation across the whole U.S. labor market. It comes from O*NET’s survey data — it is NOT your rating and does not change with what you entered on the Tasks tab. to see what it means.

This cross-walk is scored. After you lock your analysis, your mappings are compared to the SME panel's key (10 of the descriptors carry a key; the rest are exploratory context). Two rules: (1) if a descriptor genuinely corresponds to none of the KSAOs, click None — an explicit "no defensible mapping" is a scorable professional judgment, while a row you never touch counts as unanswered; (2) attempt every row, since unanswered keyed rows count as zero alignment.
What the numbers do (and don’t) mean. The chips K01, K02, S01, A01… are your Meridian KSAO identifiers — the same ones from the KSAOs tab. The number beside each descriptor (e.g., Computers and Electronics 91, Engineering and Technology 72) is O*NET’s national importance score, 0–100 — not your task ratings and unaffected by them. A high score means O*NET’s nationwide data says that area is highly important for this occupation. How it relates: when the KSAOs you map onto the high-importance descriptors match O*NET’s national picture, you have a validity generalizationThe argument that evidence gathered for an occupation nationally (here, O*NET’s importance data) supports the requirements you identified locally — strengthening your case without a separate local validation study. argument that your local analysis is consistent with the broader evidence base.
KSAO quick reference — the IDs not already listed above

Knowledge areas

Computers and Electronics 91
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Engineering and Technology 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Mathematics 65
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
English Language 81
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Customer and Personal Service 62
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03

Skills

Critical Thinking 78
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Complex Problem Solving 75
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Reading Comprehension 75
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Active Listening 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Judgment and Decision Making 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Systems Analysis 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Writing 69
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03

Abilities

Information Ordering 75
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Deductive Reasoning 75
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Inductive Reasoning 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Oral Comprehension 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Problem Sensitivity 75
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Written Comprehension 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03

Diagnostic questions

After mapping:

  • Do any O*NET items have no matching Meridian KSAO? That's a gap in your job analysis.
  • Do any Meridian KSAOs have no matching O*NET item? That's an organization-specific requirement that O*NET doesn't capture.
  • Does "Mathematics" (O*NET importance 65) really apply to Meridian's SecOps role? If not, you've identified that O*NET's generic profile diverges from local reality.

Explore any occupation (live O*NET)

Exploration only — not scored. The cross-walk above is the scored exercise and stays anchored to Meridian's SecOps Analyst role (15-1212.00). This section lets you pull the same job-analysis data — tasks with importance, knowledge, skills, abilities, and work activities — for any of the ~1,000 U.S. occupations, live from the Department of Labor's O*NET database. Use it to see how a real job-analysis evidence base differs across occupations (compare a nurse's ability profile to this analyst's), or to ground your Unit paper in an occupation you know. Requires an internet connection; everything else in this module works offline.

Your instructor issues your access code. It allows a limited number of new occupation loads during the 8-week course window. Searches and cached occupations remain available without consuming a load.

Cognitive Task Analysis

Klein, Calderwood, & MacGregor (1989) and Crandall, Klein, & Hoffman (2006) developed CTA to decompose expert performance in knowledge-intensive work. CTA produces think-aloud protocols, decision ladders, and concept maps — particularly useful for designing SJTs and work samples.

Scenario

Task: Triage a SIEMSecurity Information and Event Management — the platform that aggregates and alerts on security events from across the network. This is the alert queue an analyst triages. alert: 'Unusual PowerShell execution detectedPowerShell is a legitimate Windows administration tool, but attackers heavily abuse it for "living off the land" / fileless attacks — running malicious code without dropping a detectable file. An "unusual execution" flag (odd parent process, encoded command, or off-baseline host like HOST-4471) is a medium-to-high severity signal that warrants immediate triage: it may be a routine admin script, or the first stage of an intrusion. The analyst’s job is to decide which, fast. on HOST-4471, 14:32 UTC'
A senior analyst is asked to think aloud while triaging this alert. Below is the protocol.

The think-aloud protocol

This is a worked example, not an exercise. The protocol below is a transcript of one senior analyst thinking aloud; the cognitive-demand labels and KSAO tags (A01, K02…) were coded by the SME panel. Nothing here is scored or calculated — read it to see how expert reasoning decomposes into the KSAOs you selected, then note how those decision points become SJTSituational Judgment Test — a selection method that presents candidates with realistic on-the-job scenarios and asks how they would respond. Well-built SJTs sample the actual reasoning the job requires rather than abstract ability. (Situational Judgment Test) and work-sample items in the selection blueprint.
1
"First thing I'm looking at: is this host normally noisy? Let me pull its last 7 days of PS activity."
Establishing baseline / contextual reasoning
A01
2
"OK, this host averages 3 PS events per day. Today there are 47. That's a flag."
Statistical anomaly detection (informal)
A01
3
"What's the command line? ... Encoded base64. That's another flag — legitimate admin scripts rarely encode."
Pattern matching against threat indicators
K02
4
"Decoding the base64... it's calling out to an IP I don't recognize. Let me check threat intel."
Hypothesis generation + verification
A01
5
"IP is in the threat intel feed, flagged as a known C2Command and Control — the infrastructure (servers, domains) an attacker uses to remotely control compromised machines and exfiltrate data. Traffic to a known C2 address is strong evidence a host is actively compromised, not just probing. server. This is a real attack."
Evidence integration
K02
6
"Escalating to IRIncident Response — the formal team and process that takes over a confirmed security incident: containing it, eradicating the threat, recovering systems, and documenting lessons learned. "Escalating to IR" means handing a verified attack to that dedicated function.. Notifying the host owner. Pulling network logs for lateral movement evidence."
Procedural execution under time pressure
A03
Observation: This took the senior analyst 8 minutes. A junior analyst working the same alert typically takes 35-45 minutes and may miss step 3 (the base64 pattern). The cognitive demand differential here is what distinguishes early-career from experienced SOC work.

Implications for selection

Each cognitive demand identified in the protocol corresponds to a KSAO requirement. The SJT scenarios in Meridian's hiring system are designed by extracting decision points like steps 3 and 5 (pattern matching, evidence integration) and asking candidates how they would respond. This is what makes a well-designed SJT measure job-sampled reasoning rather than abstract reasoning.

StepCognitive demandKSAO it tapsSelection methodIn your analysis
1-2Baseline establishmentA02A02 — Attention to detail sustained over long monitoring shifts. One of the ability (A-type) KSAOs from your KSAO list. (attention to detail)SJT scenario
3Pattern matching against threat indicatorsK02K02 — Knowledge of the MITRE ATT&CK framework of adversary tactics and techniques. A knowledge (K-type) KSAO from your list. (MITRE ATT&CK)SJT + cognitive test
4-5Hypothesis generation + verificationA01A01 — Ability to reason about ambiguous, partial evidence under time pressure. An ability (A-type) KSAO from your list. (ambiguous reasoning)Work sample
6Procedural execution under pressureA03A03 — Ability to communicate across IT, engineering, and legal functions. An ability (A-type) KSAO from your list. (cross-functional communication)Structured interview

Position Analysis Questionnaire (PAQ)

McCormick, Jeanneret, & Mecham (1972) developed the PAQ as a worker-oriented job analysis instrument. Unlike task-based methods, PAQ characterizes jobs by the worker behaviors required, making jobs comparable across very different domains.

When PAQ is useful

  • Job comparison and classification — comparing SecOps Analyst to Financial Analyst to Lab Technician on the same metric
  • Compensation analysis — PAQ scores predict wage levels well (validity ~0.85 against compensation surveys)
  • Broad-bandwidth selection systems — when designing a selection system intended to generalize across multiple roles
  • Less useful for designing specific selection instruments for a single role — too generic

SecOps Analyst PAQ profile (SME panel ratings, 1-5 scale)

This profile is a read-only reference, not an exercise — the bars show the SME panel's fixed ratings of the SecOps Analyst on each PAQ dimensionThe PAQ groups all jobs into six worker-oriented divisions (information input, mental processes, work output, relationships, job context, other). Rating a job on these makes it comparable to very different jobs on the same scale. . The PAQ's value here is comparative: it lets you place SecOps Analyst against other job families on a common scale, which is what supports a validity generalizationThe argument that a selection method validated for one job (or job family) can be applied to a sufficiently similar job without a full local validation study. The more your role resembles an established family, the stronger the claim. argument.
P1
Information Input
Where and how does the worker get the information they use?
Almost entirely visual/textual from screens; very high information density
5/5
P2
Mental Processes
Reasoning, decision making, planning, and information processing
Core of the job — high-demand, real-time analytical reasoning
5/5
P3
Work Output
Physical activities and use of tools/devices
Sedentary, keyboard-based; minimal physical demands
2/5
P4
Relationships with Others
Interpersonal contact required for job performance
Frequent cross-functional coordination; lower direct face-time
4/5
P5
Job Context
Physical and social context in which work is performed
Office or remote; on-call rotation introduces context volatilityUnpredictable shifts in the conditions under which the work is performed — here, an on-call analyst may go from a quiet evening to a high-severity incident at 3 a.m. with no warning. High context volatility raises stress and turnover risk and matters for both job design (JCM) and realistic-preview hiring.
3/5
P6
Other Characteristics
Schedule, responsibility, methodology, dress
24x7 coverage model; high responsibility for organizational risk
4/5

Interpretation

The SecOps Analyst PAQ profile is heavy on information input and mental processes, moderate on relationships and other characteristics, light on work output (physical demands). This profile resembles other knowledge-work roles such as software engineer or data analyst — supporting validity generalization arguments from those job families.
Think it through: Which two dimensions dominate this profile, and what does that pairing imply for which selection methods will have the highest content validityThe degree to which a selection method samples the actual content (tasks, knowledge, behaviors) of the job. A work sample of real SOC triage has high content validity; a generic personality test has low content validity for this role.? (Hint: a job dominated by information input and mental processes is best assessed by methods that sample reasoning, not physical or interpersonal performance.)

Job Characteristics Model (Hackman & Oldham, 1976)

The JCM connects job analysis to work design. Five core job dimensions combine into a Motivating Potential ScoreMPS = ((Skill variety + Task identity + Task significance) / 3) × Autonomy × Feedback. Because Autonomy and Feedback multiply, a job scores low on motivating potential if either is near zero — even when the other three dimensions are high. (MPS) that predicts intrinsic motivation, satisfaction, and turnover. While not directly a selection tool, MPS informs whether the job, as currently designed, will retain hires.

Rate the SecOps Analyst role on each dimension

All five sliders start at the scale midpoint. Rate each dimension yourself — your MPS appears once all five are rated (no defaults are filled in for you). The SME panel's ratings, rationale, and MPS unlock when you lock your analysis on the Handoff tab.

Degree to which the job requires a variety of different activities and skills
SME note: Detection, forensics, communication, scripting, briefing — wide skill range
Degree to which the job requires completion of a whole, identifiable piece of work
SME note: Investigations have clear start/end; shift work fragments some tasks
Degree to which the job has a substantial impact on lives of others
SME note: Failures expose customer data, threaten business continuity
Degree of freedom and independence in scheduling and methods
SME note: Tight runbooks for routine; high autonomy in investigation phase
Degree to which carrying out the work activities provides direct information about performance
SME note: Detections confirmed/refuted within hours; longer-cycle feedback for tuning
Your Motivating Potential Score

Interpretation

Your current MPS is adjust the sliders above.

  • 0-50: low motivating potential; redesign indicated
  • 50-150: moderate; some redesign opportunity
  • 150-250: high; well-designed job
  • 250+: very high; rare in practice

Notice that MPS is highly sensitive to autonomy and feedback because they enter multiplicatively. A job with high skill variety, task identity, and task significance still scores low if autonomy or feedback is near zero. This is why micromanaged SOC roles often have high turnover despite intrinsically interesting work.

Results & Report

How to read this page. Everything below is generated from your inputs — the tasks you rated, the KSAOs you marked required, and the incidents you sorted. Hover the dashed termsLike this! Dashed-underline terms reveal a definition or a note about why the item appears, on hover. for definitions. When you're satisfied, use the buttons in the top-right of the title bar to download the full report (Word), export to Excel, or print.
Saving and submitting your work (buttons are in the top-right of the title bar): 📄 Full Report (Word) downloads the complete analysis — job description, task ratings, required KSAOs, incident calls, alignment scores, the UGESP legal checklist, and the competency analysis — as a real .docx with no browser header or footer. 📊 Excel (CSV) exports the same data as labeled tables that open directly in Excel/Sheets, best for grading. 🖨 Print sends Results + Legal + Competency to your browser’s print dialog (PDF). Note: the date/filename/page line on a printout is added by the browser, not this page — to remove it, uncheck “Headers and footers” in the print dialog, or just use the Word report, which has none. Your work also saves automatically in this browser as you go.

As you completed the previous modules, the job analysis automatically generated three artifacts. These are the practical outputs of the analysis — the documents an HR department would file and use.

Job Description

Auto-generated from your task inventory. Tasks with criticality ≥ 4 appear as "essential duties"; others as "additional responsibilities".

Complete the Task Inventory to generate the job description.

Job Specification (KSAO Matrix)

Auto-generated from your KSAO selections. Shows which KSAOs are required, at what proficiency level, and which critical tasks each supports.

Mark KSAOs as required in the KSAOs tab.

Selection-System Blueprint

Auto-generated from your KSAO profile. Recommends the selection stages and methods that would best assess the required KSAOs.

Select required KSAOs first.

Legal Defensibility Checklist

The UGESPUniform Guidelines on Employee Selection Procedures (29 CFR Part 1607), issued 1978 by the EEOC, DOL, DOJ, and OPM. They define what evidence an employer must have to defend a selection procedure that produces adverse impact. (Uniform Guidelines on Employee Selection Procedures, 29 CFR §1607) require specific elements of job-analysis evidence to support validation claims. Below is a 10-point checklist mapped to UGESP sections. As you complete the job-analysis modules, items shift from "in progress" to "compliant".

Why this module uses UGESP as the standard

We score against UGESP because it is the enforceable federal benchmark courts and agencies actually apply when a hiring practice is challenged for adverse impactA substantially different selection rate for a protected group (often assessed by the "four-fifths rule"). Adverse impact is not automatically illegal — but once shown, the employer must demonstrate the procedure is job-related and consistent with business necessity, which is exactly what a defensible job analysis supports.. Even employers technically outside its scope are measured against it in litigation, so it is the most demanding and transferable yardstick to learn on.

For your awareness — other frameworks (not used for scoring here): professional and international practice often references, alongside UGESP:
  • the SIOP Principles for the Validation and Use of Personnel Selection Procedures (the I/O profession's own technical standard);
  • the AERA/APA/NCME Standards for Educational and Psychological Testing (the authoritative measurement standard);
  • EEOC enforcement guidance interpreting Title VII, the ADA, and the ADEA; and
  • ISO 10667, an international standard for assessment-service delivery used by multinational employers.
These generally reinforce the same job-analysis logic; UGESP is simply the one with regulatory teeth in U.S. hiring litigation.

Current status

Document the analysis — required for L07 & L08 (Source & Date)

The 10-point checklist

A note on UGESP scope

UGESP applies to federal-contractor employers with ≥15 employees and to public-sector employers. Many private employers without federal contracts are not directly bound by UGESP, but UGESP is the de facto standard in employment-discrimination litigation under Title VIITitle VII of the Civil Rights Act of 1964 — prohibits employment discrimination based on race, color, religion, sex, or national origin. It is the statute most adverse-impact hiring cases are brought under., ADEAAge Discrimination in Employment Act (1967) — protects workers age 40 and older from age-based employment discrimination., and ADAAmericans with Disabilities Act (1990) — prohibits disability discrimination and requires that selection criteria reflect the job’s essential functions, with reasonable accommodation. This is why documenting "essential duties" in the job analysis matters.. Courts routinely apply UGESP-style scrutiny even outside its strict regulatory scope.

Job Analysis vs. Competency Modeling

Competency modeling emerged in the 1970s-80s from management consulting (McClelland, 1973; Boyatzis, 1982) as a flexible alternative to traditional job analysis. The two methods differ in their unit of analysis, methodology, and legal defensibility.

Side-by-side comparison

DimensionJob analysisCompetency modeling
Unit of analysisTasks, KSAOsBehavioral repertoires of high performers
OriginI/O psychology (1920s+)Management consulting (1970s+)
MethodsTask ratings, SME panels, structured instrumentsLeadership interviews, focus groups, "high-performer" identification
Linkage to performanceEmpirical (criticality/frequency/link ratings)Inferential ("this is what our high performers do")
Legal defensibilityStrong under UGESPVariable; often vague
Time horizonCurrent job as performedOften future-oriented; strategic
Best usesSelection, classification, compensation, legal defenseStrategic talent management, leadership development, organizational alignment

A competency model for the same role

Below is a consultant-style competency model for the SecOps Analyst role. Compare it to the KSAO-based specification you built. Each competency card includes a job-analysis diagnosis of what the competency misses, conflates, or risks legally, plus a check against the KSAOs you marked required.

Strategic Thinker

Sees the big picture; connects security work to business outcomes
Behavioral indicators:
  • Frames security investments in business language
  • Anticipates threats before they materialize
  • Builds long-term security roadmaps
Job-analysis diagnosis. No task in the SecOps Analyst job analysis requires 'building long-term roadmaps' — this is a Director-level expectation imported into an analyst role.

Results Orientation

Drives to outcomes; doesn't get distracted by process
Behavioral indicators:
  • Closes tickets efficiently
  • Meets SLAs consistently
  • Takes ownership of incidents end-to-end
Job-analysis diagnosis. 'Closes tickets efficiently' may inadvertently penalize careful investigation. Conflates speed with quality.

Customer Focus

Treats internal stakeholders as customers; service mindset
Behavioral indicators:
  • Communicates security decisions empathetically
  • Balances user productivity with risk
  • Builds trust across the organization
Job-analysis diagnosis. 'Treats stakeholders as customers' is a service-org framing inappropriate to high-stakes investigative work where saying NO is sometimes the right answer.

Innovation

Brings creative approaches to security challenges
Behavioral indicators:
  • Proposes new detection ideas
  • Adopts emerging tools and techniques
  • Challenges status quo when warranted
Job-analysis diagnosis. Not anchored to any specific work behavior. Likely produces interview ratings based on candidate confidence, not job-relevant capability.

Cultural Fit

Aligns with Meridian values: curiosity, integrity, ownership
Behavioral indicators:
  • Demonstrates curiosity about new threats
  • Acts with integrity in ambiguous situations
  • Takes ownership without being asked
Job-analysis diagnosis. 'Curiosity, integrity, ownership' — three abstract traits with no behavioral definition. Known disparate-impactAnother name for adverse impact: a neutral-looking requirement that screens out a protected group at a higher rate. Vague "culture fit" constructs are a classic source because they invite subjective, unstandardized judgments. risk; classic 'culture fit' construct.

When to use which

Use job analysis when designing selection systems, defending decisions in litigation, classifying jobs for compensation, or making validity claims. JA is the foundation of psychometric defensibility.
Use competency modeling for leadership development, succession planning, organizational culture alignment, and strategic talent management. Competency models are powerful for these purposes precisely because they're broader and less constrained.
Do not confuse the two. A competency model is not a substitute for a job analysis when the use case is selection or termination. Many adverse-impact cases hinge on this confusion: an employer relies on a competency model that is too vague to defend operationally, and discovers in litigation that competency-based decisions cannot pass the UGESP §1607.14The section of the Uniform Guidelines that spells out the technical evidence required to validate a selection procedure — including that a job analysis identify critical work behaviors and the KSAOs needed to perform them. evidence standard.

Handoff to the Hiring System Audit

You have completed (or partially completed) a job analysis for the SecOps Analyst role. The same analysis was performed by Meridian's SME panel. Below: alignment between your work and theirs, then a guided handoff to the hiring system audit.

Alignment with the SME panel

What this job analysis enables in the hiring system

Every dimension of the Meridian hiring system audit depends, directly or indirectly, on the job analysis you just performed. Here's the map:

Audit dimensionJA dependency
#1 Job relevanceDirect. Tasks define what "relevant" means.
#2 ValidityDirect. Content validity = match between assessment and job tasks.
#4 FairnessDirect. Differential prediction is judged against JA-derived criteria.
#5 Adverse impactIndirect but pivotal. JA defines job-relatedness defense under §703(k).
#6 Legal complianceDirect. UGESP §1607.14 requires JA-grounded evidence.
#13 Decision rulesDirect. Cutoff standard-setting (Angoff, contrasting-groups) requires JA-derived performance anchors.
#22 Performance criteriaDirect. Criteria must be JA-derived to be uncontaminated.
#23 GeneralizabilityDirect. Validity transport requires JA-based job-similarity demonstration.

You've completed the job analysis — here's what comes next

A job analysis like the one you just built is the foundation for evaluating an organization's selection system — the set of methods used to hire for the role. Part 2 of this series audits how Meridian's real selection system measures up against the tasks and KSAOs you just defined — whether its methods are fair, valid, and worth their cost — and then follows the chain one link further: building the BARS that rates the people who were hired, and linking those ratings to pay. It ends with a guided hand-off into your applied assignment, From Ratings to Raises.

▶ Continue to Part 2 — Scenario — Evidence to Offer

Open Part 2 from this same folder, in this same browser, and it will greet you by name — your locked analysis carries over as the evidence base for everything that follows.

Glossary

Reference glossary. Every term shown as a hover-tooltip elsewhere in this module is collected here — click any dotted term in the app to jump straight to its entry.

frequency

How often the task is performed (1 = rarely, 5 = daily). Frequency alone does not make a task important — a rare task can be the most critical one in the job. That is why frequency and criticality are rated separately.

criticality

The consequences of failing to perform the task well (1 = minor, 5 = severe). Under UGESP, tasks high in criticality are the "critical work behaviors" your selection system must be built to predict — so this rating, more than frequency, drives the job description and KSAO links.

SME panel

Subject-Matter Expert panel — experienced incumbents, supervisors, and specialists who know the job firsthand. In a real job analysis their pooled judgments are the benchmark; here the panel was 8 SMEs plus 3 incumbents, and your ratings are compared against their consensus.

anchor level

A point on a Behaviorally Anchored Rating Scale (BARS): a specific observed behavior tied to a number (here 1–5) that defines what that score "looks like" on the job. Anchors turn vague ratings ("good judgment") into concrete, defensible behavioral standards used in structured interviews.

behavioral anchors (BARS)

Behaviorally Anchored Rating Scale — an interview/appraisal scale where each numbered point is tied to a concrete, observed behavior (e.g., "5 = pages IR team and contains the threat within 15 min"). BARS replace vague impressions ("seemed competent") with job-sampled standards, which is what makes the resulting ratings defensible.

SIEM

Security Information and Event Management — the central platform that aggregates logs and alerts from across the network (servers, firewalls, endpoints) so analysts can monitor, correlate, and investigate security events in one place. It is the SOC analyst’s primary console.

WAF

Web Application Firewall — a security control that filters and blocks malicious HTTP/S traffic to web applications. Blocking an attacking IP "at the WAF" stops the traffic before it reaches the protected application.

CISO

Chief Information Security Officer — the senior executive accountable for the organization’s information-security strategy and risk. Briefing the CISO well under pressure is exactly why "communicate to non-technical leadership" (S03) is a required KSAO.

importance number

O*NET’s national 0–100 rating of how important that descriptor is for this occupation across the whole U.S. labor market. It comes from O*NET’s survey data — it is NOT your rating and does not change with what you entered on the Tasks tab.

validity generalization

The argument that a selection method validated for one job (or job family) can be applied to a sufficiently similar job without a full local validation study. The more your role resembles an established family, the stronger the claim.

Unusual PowerShell execution detected

PowerShell is a legitimate Windows administration tool, but attackers heavily abuse it for "living off the land" / fileless attacks — running malicious code without dropping a detectable file. An "unusual execution" flag (odd parent process, encoded command, or off-baseline host like HOST-4471) is a medium-to-high severity signal that warrants immediate triage: it may be a routine admin script, or the first stage of an intrusion. The analyst’s job is to decide which, fast.

SJT

Situational Judgment Test — a selection method that presents candidates with realistic on-the-job scenarios and asks how they would respond. Well-built SJTs sample the actual reasoning the job requires rather than abstract ability.

C2

Command and Control — the infrastructure (servers, domains) an attacker uses to remotely control compromised machines and exfiltrate data. Traffic to a known C2 address is strong evidence a host is actively compromised, not just probing.

IR

Incident Response — the formal team and process that takes over a confirmed security incident: containing it, eradicating the threat, recovering systems, and documenting lessons learned. "Escalating to IR" means handing a verified attack to that dedicated function.

A02

A02 — Attention to detail sustained over long monitoring shifts. One of the ability (A-type) KSAOs from your KSAO list.

K02

K02 — Knowledge of the MITRE ATT&CK framework of adversary tactics and techniques. A knowledge (K-type) KSAO from your list.

A01

A01 — Ability to reason about ambiguous, partial evidence under time pressure. An ability (A-type) KSAO from your list.

A03

A03 — Ability to communicate across IT, engineering, and legal functions. An ability (A-type) KSAO from your list.

PAQ dimension

The PAQ groups all jobs into six worker-oriented divisions (information input, mental processes, work output, relationships, job context, other). Rating a job on these makes it comparable to very different jobs on the same scale.

context volatility

Unpredictable shifts in the conditions under which the work is performed — here, an on-call analyst may go from a quiet evening to a high-severity incident at 3 a.m. with no warning. High context volatility raises stress and turnover risk and matters for both job design (JCM) and realistic-preview hiring.

content validity

The degree to which a selection method samples the actual content (tasks, knowledge, behaviors) of the job. A work sample of real SOC triage has high content validity; a generic personality test has low content validity for this role.

Motivating Potential Score

MPS = ((Skill variety + Task identity + Task significance) / 3) × Autonomy × Feedback. Because Autonomy and Feedback multiply, a job scores low on motivating potential if either is near zero — even when the other three dimensions are high.

UGESP

Uniform Guidelines on Employee Selection Procedures (29 CFR Part 1607), issued 1978 by the EEOC, DOL, DOJ, and OPM. They define what evidence an employer must have to defend a selection procedure that produces adverse impact.

adverse impact

A substantially different selection rate for a protected group (often assessed by the "four-fifths rule"). Adverse impact is not automatically illegal — but once shown, the employer must demonstrate the procedure is job-related and consistent with business necessity, which is exactly what a defensible job analysis supports.

Title VII

Title VII of the Civil Rights Act of 1964 — prohibits employment discrimination based on race, color, religion, sex, or national origin. It is the statute most adverse-impact hiring cases are brought under.

ADEA

Age Discrimination in Employment Act (1967) — protects workers age 40 and older from age-based employment discrimination.

ADA

Americans with Disabilities Act (1990) — prohibits disability discrimination and requires that selection criteria reflect the job’s essential functions, with reasonable accommodation. This is why documenting "essential duties" in the job analysis matters.

disparate-impact

Another name for adverse impact: a neutral-looking requirement that screens out a protected group at a higher rate. Vague "culture fit" constructs are a classic source because they invite subjective, unstandardized judgments.

UGESP §1607.14

The section of the Uniform Guidelines that spells out the technical evidence required to validate a selection procedure — including that a job analysis identify critical work behaviors and the KSAOs needed to perform them.

Security Operations Analyst

A specialist role within a Security Operations Center (SOC) responsible for monitoring, detecting, and responding to cyber threats — the central job this module analyzes.

Essential Duties

Tasks rated criticality ≥ 4 by the SME panel. Under the ADA, "essential functions" must be documented to support job-relatedness claims in hiring and accommodation decisions.

Additional Responsibilities

Tasks rated criticality < 4. These are part of the role but are not the primary basis for selection criteria under UGESP §1607.14.

Security Operations Analyst · O*NET 15-1212.00 All changes saved © 2026 Joel Widzer. All rights reserved. ⌘K / Ctrl-K to search · ⌘/Ctrl + 1–9 to switch tabs