Before any hiring system can be designed, validated, or
defended in court, a defensible job analysis must establish what the job
actually requires. This module walks you through performing one for the
Meridian Security Operations Analyst role using six methods.
How to read this module. Work the tabs left to right (the
Suggested order below mirrors them). Three tabs ask for your
judgments — Tasks, KSAOs, and CIT — and everything
downstream (Results, Legal, the alignment scores, the Word report) is built from
those inputs. The other tabs (O*NET, CTA, PAQ, JCM) are analysis lenses that
compare your role against expert and external benchmarks. Your work
saves automatically as you go; you can close the tab and return.
Hover any dashed termDashed-underline words like this reveal a definition or an instructional note on hover. They appear throughout the module on terms worth knowing.
for a definition. Press ⌘K / Ctrl-K to jump to any section.
Saving & resuming. Your work saves automatically in this browser, but only on
this computer. To continue on a different machine — or to be safe before closing —
click 💾 Save (top-right) to download a small progress file, then 📂 Load it on the
other computer to pick up exactly where you left off.
🔒 How scoring works (two-phase). This module scores your first pass, the way a
real job analyst commits an analysis before comparing notes with the SME panel. While you work,
no SME answers are shown anywhere. When you have rated the tasks, sorted the incidents, mapped
O*NET, and set the JCM sliders, go to the Handoff tab and click
🔒 Lock my analysis. Locking freezes your first pass for scoring and reveals the panel's
answers everywhere — after that you can keep exploring and changing responses freely,
but the locked pass is what is scored and exported.
Why this module exists
The Meridian hiring audit (the next app in this package) concludes
that the selection system is "fundamentally sound but has two acute
issues." Every one of those conclusions presupposes a job analysis.
The audit references it once, in passing — but the audit's claims
about validity, fairness, and legal defensibility all stand on
whatever was in that report.
In this module you will perform the job analysis. Then in the
handoff at the end, you will see how your work maps onto what
Meridian's selection system actually does.
Six methods you will use
Task Inventory + criticality / frequency ratings
When to use: structured, defensible, quantitative analysis
Quantitative; aggregates across SMEs; supports content-validity claims under UGESP §1607.14(C)(4)
Time-intensive; can miss tacit knowledge; static snapshot
Critical Incident Technique (Flanagan, 1954)
When to use: deriving behavioral standards, training, performance criteria
Generates rich behavioral exemplars; foundation for behavioral interview anchors
Handoff — see your JA alongside Meridian's, and proceed to the audit
Task Inventory
Rate each of the 18 SecOps Analyst tasks on two dimensions:
frequencyHow often the task is performed (1 = rarely, 5 = daily). Frequency alone does not make a task important — a rare task can be the most critical one in the job. That is why frequency and criticality are rated separately. (how often it is performed, 1=rarely / 5=daily) and
criticalityThe consequences of failing to perform the task well (1 = minor, 5 = severe). Under UGESP, tasks high in criticality are the "critical work behaviors" your selection system must be built to predict — so this rating, more than frequency, drives the job description and KSAO links. (consequences of failure, 1=minor / 5=severe).
Both are judged by a SME panelSubject-Matter Expert panel — experienced incumbents, supervisors, and specialists who know the job firsthand. In a real job analysis their pooled judgments are the benchmark; here the panel was 8 SMEs plus 3 incumbents, and your ratings are compared against their consensus. and yours are scored against theirs. These ratings drive the
auto-generated job description and the KSAO-task linkage matrix.
Instructions
For each task below, click a frequency rating (blue) and a criticality
rating (red). Tasks with criticality ≥ 4 will appear as "essential duties"
in the job description. The task summary updates as you rate.
How this is scored. Each rating is compared to the SME panel's after you lock your
analysis (Handoff tab). Criticality misses are weighted double relative to frequency
misses, because criticality — not frequency — determines which tasks count as
critical work behaviors under UGESP and drives everything downstream. Unrated tasks count as
zero alignment in your combined score, so rate all 18.
Tasks rated
0/18
Avg frequency
—
Avg criticality
—
Critical tasks (4+)
0
The 18 tasks
ID
Task
Frequency (1-5)
Criticality (1-5)
T01
Monitor SIEM dashboards for real-time security alerts and anomalies
T02
Investigate suspicious user authentication patterns (e.g., impossible travel, brute force)
T03
Triage and categorize security alerts by severity and false-positive likelihood
T04
Author and tune detection rules in the SIEM (Sigma, KQL, Splunk SPL)
T05
Conduct forensic analysis of compromised endpoints using EDR tooling
T06
Document incident timelines and produce post-incident reports for leadership
T07
Coordinate incident response across IT, engineering, and legal teams
T08
Hunt proactively for threats not flagged by automated detections
T09
Maintain and update incident response runbooks and playbooks
T10
Brief executives on active incidents and security posture
T11
Review threat intelligence feeds for relevant indicators of compromise
T12
Validate security alerts against business context to reduce false positives
T13
Train junior analysts on detection methodology and triage workflows
T14
Participate in tabletop exercises and red-team engagements
T15
Maintain on-call rotation and respond to off-hours pages
T16
Manage relationships with external security vendors and service providers
T17
Conduct phishing analysis on user-reported suspicious emails
T18
Configure and tune endpoint detection and response (EDR) policies
KSAOs — Knowledge, Skills, Abilities, Other characteristics
A defensible job analysis must identify the KSAOs required to
perform the critical work behaviors identified in the task inventory.
Below are 12 candidate KSAOs derived from the task inventory.
Decide which are REQUIRED
For each KSAO, decide whether it is required for entry-level
performance (vs. preferred or developable on the job). Set the
minimum proficiency level needed. Note the two "Other" items at the
bottom — credentials and degrees — which by default are NOT required.
Think about whether they should be.
Mark a KSAO required only if you can tie it to a critical task you rated highly.
That task-linkage is what makes a requirement defensible under UGESP. For a technical role
like this, most of the knowledge, skills, and abilities will qualify, because each maps to
a critical SOC task — so a strong analysis here marks most of them required. The
discipline isn't to require fewer things; it's to require only job-related things.
That is why the two "Other" items — a certification and a degree — default to
not required: a credential is defensible only if the job truly demands it, and reflexively
requiring a degree is the classic adverse-impact trap. Over-requiring creates legal risk when the
extra requirements aren't job-related — not simply because the list is long.
UGESP §1607.14(C)(4) test: for any KSAO marked required,
you must be able to defend (a) that it is necessary for performing
critical work behaviors and (b) that the proficiency level you've
set is not higher than what an entry-level performer would need.
The 12 candidate KSAOs
KNOWLEDGE
K01: Knowledge of network protocols (TCP/IP, DNS, HTTP/S, TLS)
Foundational — every detection and forensic task requires it
KNOWLEDGE
K02: Knowledge of common attack patterns (MITRE ATT&CK framework)
MITRE ATT&CK is the lingua franca; analysts can't communicate without it
KNOWLEDGE
K03: Knowledge of operating-system internals (Windows + Linux event logs)
Endpoint forensics impossible without OS-level knowledge
KNOWLEDGE
K04: Knowledge of cloud service provider security models (AWS, Azure, GCP)
Modern SecOps is cloud-first; on-prem-only candidates lose half the role
SKILL
S01: Skill in querying log data with SQL-like languages (SPL, KQL)
If they can't query SIEM data, they can't do the core monitoring job
SKILL
S02: Skill in scripting for automation (Python, PowerShell)
Required for detection-engineering tasks and runbook automation
SKILL
S03: Skill in technical writing for non-technical audiences
Briefing executives requires clear non-technical communication
ABILITY
A01: Ability to reason about ambiguous, partial evidence under time pressure
The defining cognitive demand of SOC work
ABILITY
A02: Ability to maintain attention to detail over extended monitoring shifts
Monitoring fatigue is the leading cause of missed alerts
ABILITY
A03: Ability to communicate clearly across functional boundaries (IT, legal, eng)
Incident response requires coordination across silos
OTHER
O01: Other: Holds or willing to obtain Security+, GCIH, or equivalent certification
Certifications correlate with knowledge but are not themselves the knowledge — Meridian's JA explicitly excluded these as requirements
OTHER
O02: Other: Bachelor's degree in CS, IS, or related field
Degree requirements have known adverse-impact patterns and weaker job-relatedness than direct KSAO measurement — Meridian's JA explicitly excluded
A question about the "Other" KSAOs
Notice that the SME panel did NOT mark "Bachelor's degree in CS"
or "Security+ certification" as required. Why might that be? Consider:
Job-relatedness: Does the degree itself enable the task,
or do the underlying KSAOs (which we ARE measuring) enable it?
Adverse impact: Degree requirements have well-documented
disparate-impact patterns (Holzer, 2007; Fuller et al., 2017).
Less-discriminatory alternative doctrine: If degree-as-proxy
and direct KSAO measurement are equally valid, the employer must
use the less-discriminatory one.
If you mark them required anyway, the legal checklist will not flag
you — but you should be able to defend the decision.
Critical Incident Technique
Flanagan (1954) introduced CIT as a method for deriving
behavioral standards from observed incidents of effective and ineffective
job performance. The output: behavioral exemplars at different
effectiveness levels, used as anchors in rating scales (BARS) and
structured interviews.
Sort 8 critical incidents
For each incident, rate the observed behavior on the 5-point
anchor levelA point on a Behaviorally Anchored Rating Scale (BARS): a specific observed behavior tied to a number (here 1–5) that defines what that score "looks like" on the job. Anchors turn vague ratings ("good judgment") into concrete, defensible behavioral standards used in structured interviews. scale:
1–2 = ineffective, 3 = borderline, 4–5 = effective. This is the same
judgment an SME panel makes when building BARS. Your rating is recorded immediately; the panel's
anchor is revealed once you lock your analysis (Handoff tab), and you are scored on how
close your anchor is to theirs — not just which side of effective/ineffective you landed on.
What these anchors become. The structured interview in Meridian's
hiring system uses behavioral anchors (BARS)Behaviorally Anchored Rating Scale — an interview/appraisal scale where each numbered point is tied to a concrete, observed behavior (e.g., "5 = pages IR team and contains the threat within 15 min"). BARS replace vague impressions ("seemed competent") with job-sampled standards, which is what makes the resulting ratings defensible. derived from a CIT exactly like
this one. The interview rubric asks candidates to describe similar
situations, and raters score against the anchor levels (1=anchor of
ineffective behavior, 5=anchor of effective behavior).
The incidents
CI01 scenario: At 2:47 AM, SIEMSecurity Information and Event Management — the central platform that aggregates logs and alerts from across the network (servers, firewalls, endpoints) so analysts can monitor, correlate, and investigate security events in one place. It is the SOC analyst’s primary console. fires an alert: 1,400 failed login attempts to a service account from a single IP in 6 minutes.
Observed behavior: Analyst pages the on-call IR team, blocks the source IP at the WAFWeb Application Firewall — a security control that filters and blocks malicious HTTP/S traffic to web applications. Blocking an attacking IP "at the WAF" stops the traffic before it reaches the protected application., pulls 30-day login history for the service account, and notifies the account owner — all within 12 minutes of the alert firing.
IneffectiveEffective
CI02 scenario: Same scenario: 2:47 AM, 1,400 failed logins in 6 minutes.
Observed behavior: Analyst marks the alert as 'investigating' in the ticketing system and goes to make coffee, planning to look at it when they return.
IneffectiveEffective
CI03 scenario: A new EDR alert pattern fires 47 times in one day — never seen before. Other analysts dismiss as noise.
Observed behavior: Analyst pulls a sample of 5 alerts, examines the underlying process trees, identifies that all 47 share a parent process spawned by a recently-deployed legitimate IT tool. Documents the false-positive pattern and updates the detection rule to suppress it, then notifies the team.
IneffectiveEffective
CI04 scenario: User reports a suspicious email with a PDF attachment that 'just felt wrong'.
Observed behavior: Analyst forwards the email to the security team mailbox without analysis and tells the user 'we'll look at it later'. No follow-up occurs.
IneffectiveEffective
CI05 scenario: Major incident in progress; CISOChief Information Security Officer — the senior executive accountable for the organization’s information-security strategy and risk. Briefing the CISO well under pressure is exactly why "communicate to non-technical leadership" (S03) is a required KSAO. asks for a 2-minute briefing in 5 minutes.
Observed behavior: Analyst opens their incident timeline, identifies the three facts the CISO needs (what was compromised, what's contained, what's still unknown), drafts a 4-sentence summary, and rehearses delivery once before the call.
IneffectiveEffective
CI06 scenario: Threat intel report mentions a new IOC — a specific PowerShell command line pattern.
Observed behavior: Analyst reads the report, copies the exact string into a SIEM search, finds zero hits in the past 90 days, marks 'no exposure' in the threat intel ticket. Doesn't consider variant matches.
IneffectiveEffective
CI07 scenario: Junior analyst escalates an alert that the senior analyst recognizes as a false positive.
Observed behavior: Senior analyst walks the junior through the indicators that distinguish this pattern from the real attack, documents the reasoning in the team wiki, and sets up a 30-min weekly office hour for similar questions.
IneffectiveEffective
CI08 scenario: Incident response handoff at end-of-shift; complex investigation ongoing.
Observed behavior: Analyst writes a 1-paragraph status: 'still looking, will update in AM.' No timeline, no current hypotheses, no list of evidence collected so far.
IneffectiveEffective
O*NET Cross-Walk
O*NET (occupationalinfo.org) is the U.S. Department of
Labor's standardized occupational database. The closest match for
Meridian's SecOps Analyst role is 15-1212.00 Information Security
Analysts. Below are the actual O*NET descriptors. Your job: map
them to the KSAOs you've identified.
Why this matters
O*NET cross-walks support two important arguments under UGESP:
§1607.7 validity generalization — if your role is
substantially the O*NET occupation, you can argue that meta-analytic
validity coefficients for the occupation apply locally.
§1607.14(B)(3) job-similarity — for content-validity
claims, O*NET task lists provide an external benchmark for what
"the job" typically includes.
O*NET tasks for 15-1212.00
Compare these against your task inventory. Are there tasks O*NET
includes that your inventory missed? Tasks in your inventory that O*NET
doesn't list (i.e., organization-specific)?
Encrypt data transmissions and erect firewalls to conceal confidential information
Develop plans to safeguard computer files against accidental or unauthorized modification, destruction, or disclosure
Monitor current reports of computer viruses to determine when to update virus protection systems
Confer with users to discuss issues such as computer data access needs, security violations, and programming changes
Modify computer security files to incorporate new software, correct errors, or change individual access status
Perform risk assessments and execute tests of data processing system to ensure functioning of data processing activities and security measures
Coordinate implementation of computer system plan with establishment personnel and outside vendors
Train users and promote security awareness to ensure system security
Maintain permanent fleet cryptologic and tactical/strategic intelligence support systems
Document computer security and emergency measures policies, procedures, and tests
Map O*NET descriptors to your KSAOs
Click the KSAO chips that each O*NET descriptor corresponds to.Hover any chip to see what it stands for,
and hover any importance numberO*NET’s national 0–100 rating of how important that descriptor is for this occupation across the whole U.S. labor market. It comes from O*NET’s survey data — it is NOT your rating and does not change with what you entered on the Tasks tab. to see what it means.
This cross-walk is scored. After you lock your analysis, your mappings are compared to
the SME panel's key (10 of the descriptors carry a key; the rest are exploratory context).
Two rules: (1) if a descriptor genuinely corresponds to none of the KSAOs, click
None — an explicit "no defensible mapping" is a scorable professional judgment,
while a row you never touch counts as unanswered; (2) attempt every row, since unanswered
keyed rows count as zero alignment.
What the numbers do (and don’t) mean. The chips K01, K02, S01, A01…
are your Meridian KSAO identifiers — the same ones from the KSAOs tab. The
number beside each descriptor (e.g., Computers and Electronics 91, Engineering and
Technology 72) is O*NET’s national importance score, 0–100 —
not your task ratings and unaffected by them. A high score means O*NET’s nationwide data
says that area is highly important for this occupation. How it relates: when the KSAOs
you map onto the high-importance descriptors match O*NET’s national picture, you have a
validity generalizationThe argument that evidence gathered for an occupation nationally (here, O*NET’s importance data) supports the requirements you identified locally — strengthening your case without a separate local validation study. argument that your local analysis is consistent with the broader evidence base.
KSAO quick reference — the IDs not already listed above
Knowledge areas
Computers and Electronics 91
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Engineering and Technology 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Mathematics 65
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
English Language 81
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Customer and Personal Service 62
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Skills
Critical Thinking 78
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Complex Problem Solving 75
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Reading Comprehension 75
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Active Listening 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Judgment and Decision Making 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Systems Analysis 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Writing 69
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Abilities
Information Ordering 75
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Deductive Reasoning 75
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Inductive Reasoning 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Oral Comprehension 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Problem Sensitivity 75
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Written Comprehension 72
K01
K02
K03
K04
S01
S02
S03
A01
A02
A03
Diagnostic questions
After mapping:
Do any O*NET items have no matching Meridian KSAO?
That's a gap in your job analysis.
Do any Meridian KSAOs have no matching O*NET item?
That's an organization-specific requirement that O*NET
doesn't capture.
Does "Mathematics" (O*NET importance 65) really apply to
Meridian's SecOps role? If not, you've identified that
O*NET's generic profile diverges from local reality.
Explore any occupation (live O*NET)
Exploration only — not scored. The cross-walk above is the scored exercise and stays
anchored to Meridian's SecOps Analyst role (15-1212.00). This section lets you pull the same
job-analysis data — tasks with importance, knowledge, skills, abilities, and work activities —
for any of the ~1,000 U.S. occupations, live from the Department of Labor's O*NET
database. Use it to see how a real job-analysis evidence base differs across occupations
(compare a nurse's ability profile to this analyst's), or to ground your Unit paper in an
occupation you know. Requires an internet connection; everything else in this module works
offline.
Your instructor issues your access code. It allows a limited number of new occupation loads during the 8-week course window. Searches and cached occupations remain available without consuming a load.
Tasks
Knowledge · Skills · Abilities · Work Activities (top 12 each, by importance)
This site incorporates information from O*NET Web Services by the U.S. Department of Labor, Employment and Training Administration (USDOL/ETA). O*NET® is a trademark of USDOL/ETA.
Results are cached in this browser for one week.
Cognitive Task Analysis
Klein, Calderwood, & MacGregor (1989) and Crandall, Klein,
& Hoffman (2006) developed CTA to decompose expert performance in
knowledge-intensive work. CTA produces think-aloud protocols, decision
ladders, and concept maps — particularly useful for designing SJTs and
work samples.
Scenario
Task: Triage a SIEMSecurity Information and Event Management — the platform that aggregates and alerts on security events from across the network. This is the alert queue an analyst triages. alert: 'Unusual PowerShell execution detectedPowerShell is a legitimate Windows administration tool, but attackers heavily abuse it for "living off the land" / fileless attacks — running malicious code without dropping a detectable file. An "unusual execution" flag (odd parent process, encoded command, or off-baseline host like HOST-4471) is a medium-to-high severity signal that warrants immediate triage: it may be a routine admin script, or the first stage of an intrusion. The analyst’s job is to decide which, fast. on HOST-4471, 14:32 UTC'
A senior analyst is asked to think aloud
while triaging this alert. Below is the protocol.
The think-aloud protocol
This is a worked example, not an exercise. The protocol below is a
transcript of one senior analyst thinking aloud; the cognitive-demand labels
and KSAO tags (A01, K02…) were coded by the SME panel. Nothing here is
scored or calculated — read it to see how expert reasoning decomposes into
the KSAOs you selected, then note how those decision points become SJTSituational Judgment Test — a selection method that presents candidates with realistic on-the-job scenarios and asks how they would respond. Well-built SJTs sample the actual reasoning the job requires rather than abstract ability. (Situational Judgment Test) and
work-sample items in the selection blueprint.
1
"First thing I'm looking at: is this host normally noisy? Let me pull its last 7 days of PS activity."
Establishing baseline / contextual reasoning
A01
2
"OK, this host averages 3 PS events per day. Today there are 47. That's a flag."
Statistical anomaly detection (informal)
A01
3
"What's the command line? ... Encoded base64. That's another flag — legitimate admin scripts rarely encode."
Pattern matching against threat indicators
K02
4
"Decoding the base64... it's calling out to an IP I don't recognize. Let me check threat intel."
Hypothesis generation + verification
A01
5
"IP is in the threat intel feed, flagged as a known C2Command and Control — the infrastructure (servers, domains) an attacker uses to remotely control compromised machines and exfiltrate data. Traffic to a known C2 address is strong evidence a host is actively compromised, not just probing. server. This is a real attack."
Evidence integration
K02
6
"Escalating to IRIncident Response — the formal team and process that takes over a confirmed security incident: containing it, eradicating the threat, recovering systems, and documenting lessons learned. "Escalating to IR" means handing a verified attack to that dedicated function.. Notifying the host owner. Pulling network logs for lateral movement evidence."
Procedural execution under time pressure
A03
Observation: This took the senior analyst 8 minutes. A junior analyst working the same alert typically takes 35-45 minutes and may miss step 3 (the base64 pattern). The cognitive demand differential here is what distinguishes early-career from experienced SOC work.
Implications for selection
Each cognitive demand identified in the protocol corresponds to a
KSAO requirement. The SJT scenarios in Meridian's hiring system are
designed by extracting decision points like steps 3 and 5 (pattern
matching, evidence integration) and asking candidates how they would
respond. This is what makes a well-designed SJT measure
job-sampled reasoning rather than abstract reasoning.
Step
Cognitive demand
KSAO it taps
Selection method
In your analysis
1-2
Baseline establishment
A02A02 — Attention to detail sustained over long monitoring shifts. One of the ability (A-type) KSAOs from your KSAO list. (attention to detail)
SJT scenario
—
3
Pattern matching against threat indicators
K02K02 — Knowledge of the MITRE ATT&CK framework of adversary tactics and techniques. A knowledge (K-type) KSAO from your list. (MITRE ATT&CK)
SJT + cognitive test
—
4-5
Hypothesis generation + verification
A01A01 — Ability to reason about ambiguous, partial evidence under time pressure. An ability (A-type) KSAO from your list. (ambiguous reasoning)
Work sample
—
6
Procedural execution under pressure
A03A03 — Ability to communicate across IT, engineering, and legal functions. An ability (A-type) KSAO from your list. (cross-functional communication)
Structured interview
—
—
Position Analysis Questionnaire (PAQ)
McCormick, Jeanneret, & Mecham (1972) developed the PAQ
as a worker-oriented job analysis instrument. Unlike task-based methods,
PAQ characterizes jobs by the worker behaviors required, making jobs
comparable across very different domains.
When PAQ is useful
Job comparison and classification — comparing SecOps
Analyst to Financial Analyst to Lab Technician on the same metric
Compensation analysis — PAQ scores predict wage levels
well (validity ~0.85 against compensation surveys)
Broad-bandwidth selection systems — when designing a
selection system intended to generalize across multiple roles
Less useful for designing specific selection instruments
for a single role — too generic
This profile is a read-only reference, not an exercise — the bars show the
SME panel's fixed ratings of the SecOps Analyst on each PAQ dimensionThe PAQ groups all jobs into six worker-oriented divisions (information input, mental processes, work output, relationships, job context, other). Rating a job on these makes it comparable to very different jobs on the same scale. . The PAQ's value here is comparative: it lets you place SecOps Analyst
against other job families on a common scale, which is what supports a
validity generalizationThe argument that a selection method validated for one job (or job family) can be applied to a sufficiently similar job without a full local validation study. The more your role resembles an established family, the stronger the claim. argument.
P1
Information Input
Where and how does the worker get the information they use?
Almost entirely visual/textual from screens; very high information density
5/5
P2
Mental Processes
Reasoning, decision making, planning, and information processing
Core of the job — high-demand, real-time analytical reasoning
Interpersonal contact required for job performance
Frequent cross-functional coordination; lower direct face-time
4/5
P5
Job Context
Physical and social context in which work is performed
Office or remote; on-call rotation introduces context volatilityUnpredictable shifts in the conditions under which the work is performed — here, an on-call analyst may go from a quiet evening to a high-severity incident at 3 a.m. with no warning. High context volatility raises stress and turnover risk and matters for both job design (JCM) and realistic-preview hiring.
3/5
P6
Other Characteristics
Schedule, responsibility, methodology, dress
24x7 coverage model; high responsibility for organizational risk
4/5
Interpretation
The SecOps Analyst PAQ profile is heavy on information input
and mental processes, moderate on relationships and
other characteristics, light on work output (physical
demands). This profile resembles other knowledge-work roles such as
software engineer or data analyst — supporting validity generalization
arguments from those job families.
Think it through: Which two dimensions dominate this profile, and what
does that pairing imply for which selection methods will have the highest
content validityThe degree to which a selection method samples the actual content (tasks, knowledge, behaviors) of the job. A work sample of real SOC triage has high content validity; a generic personality test has low content validity for this role.? (Hint: a job dominated by information input and mental processes
is best assessed by methods that sample reasoning, not physical or
interpersonal performance.)
Job Characteristics Model (Hackman & Oldham, 1976)
The JCM connects job analysis to work design. Five core
job dimensions combine into a Motivating Potential ScoreMPS = ((Skill variety + Task identity + Task significance) / 3) × Autonomy × Feedback. Because Autonomy and Feedback multiply, a job scores low on motivating potential if either is near zero — even when the other three dimensions are high. (MPS) that
predicts intrinsic motivation, satisfaction, and turnover. While not
directly a selection tool, MPS informs whether the job, as currently
designed, will retain hires.
Rate the SecOps Analyst role on each dimension
All five sliders start at the scale midpoint. Rate each dimension yourself —
your MPS appears once all five are rated (no defaults are filled in for you). The SME panel's
ratings, rationale, and MPS unlock when you lock your analysis on the Handoff tab.
Degree to which the job requires a variety of different activities and skills
SME note: Detection, forensics, communication, scripting, briefing — wide skill range
—
Degree to which the job requires completion of a whole, identifiable piece of work
SME note: Investigations have clear start/end; shift work fragments some tasks
—
Degree to which the job has a substantial impact on lives of others
SME note: Failures expose customer data, threaten business continuity
—
Degree of freedom and independence in scheduling and methods
SME note: Tight runbooks for routine; high autonomy in investigation phase
—
Degree to which carrying out the work activities provides direct information about performance
SME note: Detections confirmed/refuted within hours; longer-cycle feedback for tuning
Notice that MPS is highly sensitive to autonomy and
feedback because they enter multiplicatively. A job with high
skill variety, task identity, and task significance still scores low if
autonomy or feedback is near zero. This is why micromanaged SOC roles
often have high turnover despite intrinsically interesting work.
Results & Report
How to read this page. Everything below is generated from your
inputs — the tasks you rated, the KSAOs you marked required, and the incidents
you sorted. Hover the dashed termsLike this! Dashed-underline terms reveal a definition or a note about why the item appears, on hover.
for definitions. When you're satisfied, use the buttons in the top-right of the title bar
to download the full report (Word), export to Excel, or print.
Saving and submitting your work (buttons are in the top-right of the title bar):
📄 Full Report (Word) downloads the complete analysis — job description, task ratings,
required KSAOs, incident calls, alignment scores, the UGESP legal checklist, and the competency
analysis — as a real .docx with no browser header or footer.
📊 Excel (CSV) exports the same data as labeled tables that open directly in Excel/Sheets,
best for grading.
🖨 Print sends Results + Legal + Competency to your browser’s print dialog (PDF).
Note: the date/filename/page line on a printout is added by the browser, not this page — to
remove it, uncheck “Headers and footers” in the print dialog, or just use the Word report,
which has none. Your work also saves automatically in this browser as you go.
As you completed the previous modules, the job analysis
automatically generated three artifacts. These are the practical outputs
of the analysis — the documents an HR department would file and use.
Job Description
Auto-generated from your task inventory. Tasks with criticality ≥ 4
appear as "essential duties"; others as "additional responsibilities".
Complete the Task Inventory to generate the job description.
Job Specification (KSAO Matrix)
Auto-generated from your KSAO selections. Shows which KSAOs are
required, at what proficiency level, and which critical tasks each
supports.
Mark KSAOs as required in the KSAOs tab.
Selection-System Blueprint
Auto-generated from your KSAO profile. Recommends the selection
stages and methods that would best assess the required KSAOs.
Select required KSAOs first.
Legal Defensibility Checklist
The UGESPUniform Guidelines on Employee Selection Procedures (29 CFR Part 1607), issued 1978 by the EEOC, DOL, DOJ, and OPM. They define what evidence an employer must have to defend a selection procedure that produces adverse impact. (Uniform Guidelines on Employee
Selection Procedures, 29 CFR §1607) require specific elements of job-analysis
evidence to support validation claims. Below is a 10-point checklist mapped to
UGESP sections. As you complete the job-analysis modules, items shift from
"in progress" to "compliant".
Why this module uses UGESP as the standard
We score against UGESP because it is the enforceable federal benchmark
courts and agencies actually apply when a hiring practice is challenged for
adverse impactA substantially different selection rate for a protected group (often assessed by the "four-fifths rule"). Adverse impact is not automatically illegal — but once shown, the employer must demonstrate the procedure is job-related and consistent with business necessity, which is exactly what a defensible job analysis supports.. Even employers technically outside its scope are measured against it in
litigation, so it is the most demanding and transferable yardstick to learn on.
For your awareness — other frameworks (not used for scoring here):
professional and international practice often references, alongside UGESP:
the SIOP Principles for the Validation and Use of Personnel Selection Procedures (the I/O profession's own technical standard);
the AERA/APA/NCME Standards for Educational and Psychological Testing (the authoritative measurement standard);
EEOC enforcement guidance interpreting Title VII, the ADA, and the ADEA; and
ISO 10667, an international standard for assessment-service delivery used by multinational employers.
These generally reinforce the same job-analysis logic; UGESP is simply the one with regulatory teeth in U.S. hiring litigation.
Current status
Document the analysis — required for L07 & L08 (Source & Date)
Begin completing modules to populate the checklist.
The 10-point checklist
A note on UGESP scope
UGESP applies to federal-contractor employers with ≥15 employees
and to public-sector employers. Many private employers without
federal contracts are not directly bound by UGESP, but UGESP is the
de facto standard in employment-discrimination litigation under
Title VIITitle VII of the Civil Rights Act of 1964 — prohibits employment discrimination based on race, color, religion, sex, or national origin. It is the statute most adverse-impact hiring cases are brought under., ADEAAge Discrimination in Employment Act (1967) — protects workers age 40 and older from age-based employment discrimination., and ADAAmericans with Disabilities Act (1990) — prohibits disability discrimination and requires that selection criteria reflect the job’s essential functions, with reasonable accommodation. This is why documenting "essential duties" in the job analysis matters.. Courts routinely apply UGESP-style
scrutiny even outside its strict regulatory scope.
Job Analysis vs. Competency Modeling
Competency modeling emerged in the 1970s-80s from
management consulting (McClelland, 1973; Boyatzis, 1982) as a
flexible alternative to traditional job analysis. The two methods
differ in their unit of analysis, methodology, and legal defensibility.
Below is a consultant-style competency model for the SecOps Analyst
role. Compare it to the KSAO-based specification you built. Each
competency card includes a job-analysis diagnosis of what the competency
misses, conflates, or risks legally, plus a check against the KSAOs you marked required.
Strategic Thinker
Sees the big picture; connects security work to business outcomes
Behavioral indicators:
Frames security investments in business language
Anticipates threats before they materialize
Builds long-term security roadmaps
Job-analysis diagnosis. No task in the SecOps Analyst job analysis requires 'building long-term roadmaps' — this is a Director-level expectation imported into an analyst role.
Results Orientation
Drives to outcomes; doesn't get distracted by process
Behavioral indicators:
Closes tickets efficiently
Meets SLAs consistently
Takes ownership of incidents end-to-end
Job-analysis diagnosis. 'Closes tickets efficiently' may inadvertently penalize careful investigation. Conflates speed with quality.
Customer Focus
Treats internal stakeholders as customers; service mindset
Behavioral indicators:
Communicates security decisions empathetically
Balances user productivity with risk
Builds trust across the organization
Job-analysis diagnosis. 'Treats stakeholders as customers' is a service-org framing inappropriate to high-stakes investigative work where saying NO is sometimes the right answer.
Innovation
Brings creative approaches to security challenges
Behavioral indicators:
Proposes new detection ideas
Adopts emerging tools and techniques
Challenges status quo when warranted
Job-analysis diagnosis. Not anchored to any specific work behavior. Likely produces interview ratings based on candidate confidence, not job-relevant capability.
Cultural Fit
Aligns with Meridian values: curiosity, integrity, ownership
Behavioral indicators:
Demonstrates curiosity about new threats
Acts with integrity in ambiguous situations
Takes ownership without being asked
Job-analysis diagnosis. 'Curiosity, integrity, ownership' — three abstract traits with no behavioral definition. Known disparate-impactAnother name for adverse impact: a neutral-looking requirement that screens out a protected group at a higher rate. Vague "culture fit" constructs are a classic source because they invite subjective, unstandardized judgments. risk; classic 'culture fit' construct.
When to use which
Use job analysis when designing selection systems, defending
decisions in litigation, classifying jobs for compensation, or
making validity claims. JA is the foundation of psychometric
defensibility.
Use competency modeling for leadership development, succession
planning, organizational culture alignment, and strategic talent
management. Competency models are powerful for these purposes
precisely because they're broader and less constrained.
Do not confuse the two. A competency model is not a substitute
for a job analysis when the use case is selection or termination.
Many adverse-impact cases hinge on this confusion: an employer
relies on a competency model that is too vague to defend
operationally, and discovers in litigation that competency-based
decisions cannot pass the UGESP §1607.14The section of the Uniform Guidelines that spells out the technical evidence required to validate a selection procedure — including that a job analysis identify critical work behaviors and the KSAOs needed to perform them. evidence standard.
Handoff to the Hiring System Audit
You have completed (or partially completed) a job
analysis for the SecOps Analyst role. The same analysis was performed
by Meridian's SME panel. Below: alignment between your work and
theirs, then a guided handoff to the hiring system audit.
Alignment with the SME panel
🔒 Step 1 — finish your first pass, then lock it.
Scoring compares your locked first pass against the
SME panel — the way a working analyst commits an analysis before comparing notes. Until you lock,
no SME answers appear anywhere in the module. After locking you can keep exploring and changing
answers freely; the locked pass is what is scored and exported.
—
Overall alignment with Meridian's SME panel (weighted, from your locked pass)
Task ratings weight 55%
Similarity of your frequency and criticality ratings to the panel's
across the 18 tasks. Criticality misses weigh double (they drive the essential-duty designation
and UGESP evidence). Combined = accuracy on rated tasks × completion.
—
KSAO requirements weight 18%
Scored with a signal-detection rule: hits + correct rejections
− 1.5 × false alarms, over all 12 KSAOs. A false-required (especially a credential) is the
adverse-impact trap, so it costs more than a miss — and marking everything required no longer pays.
—
Critical-incident anchors weight 12%
Distance between your 1–5 BARS anchor and the SME panel's, per
incident (closer = higher). Unsorted incidents count as zero. Random clicking averages
about 56% on this metric, so read your score against that chance baseline.
—
O*NET cross-walk weight 15%
Overlap (Jaccard) between your descriptor→KSAO mappings and the
SME key on the 10 keyed descriptors. An explicit None on a descriptor with no
defensible mapping is a correct answer; an untouched row is unanswered.
—
Why these weights. Each component is weighted by how many independent judgments it
contains: 36 task ratings (55%), 12 KSAO decisions (18%), 10 keyed O*NET mappings (15%),
8 incident anchors (12%). More judgments carry more reliable signal, so they carry more
weight — a small measurement lesson embedded in the scoring model itself.
What your alignment means
Your reflection (exports with your report)
Where did you diverge most from the panel — and now that you can see
their reasoning, where do you stand? Concede where they convinced you; defend, with task
linkage, where they didn't. Aim for 75–150 words.
What this job analysis enables in the hiring system
Every dimension of the Meridian hiring system audit depends, directly
or indirectly, on the job analysis you just performed. Here's the map:
Audit dimension
JA dependency
#1 Job relevance
Direct. Tasks define what "relevant" means.
#2 Validity
Direct. Content validity = match between assessment and job tasks.
#4 Fairness
Direct. Differential prediction is judged against JA-derived criteria.
#5 Adverse impact
Indirect but pivotal. JA defines job-relatedness defense under §703(k).
Direct. Criteria must be JA-derived to be uncontaminated.
#23 Generalizability
Direct. Validity transport requires JA-based job-similarity demonstration.
You've completed the job analysis — here's what comes next
A job analysis like the one you just built is the foundation for evaluating
an organization's selection system — the set of methods used to hire for
the role. Part 2 of this series audits how Meridian's real selection system measures up
against the tasks and KSAOs you just defined — whether its methods are fair, valid,
and worth their cost — and then follows the chain one link further: building the
BARS that rates the people who were hired, and linking those ratings to
pay. It ends with a guided hand-off into your applied assignment,
From Ratings to Raises.
Open Part 2 from this same folder, in this same browser, and it will greet
you by name — your locked analysis carries over as the evidence base for everything
that follows.
Glossary
Reference glossary. Every term shown as a hover-tooltip
elsewhere in this module is collected here — click any dotted term in
the app to jump straight to its entry.
frequency
How often the task is performed (1 = rarely, 5 = daily). Frequency alone does not make a task important — a rare task can be the most critical one in the job. That is why frequency and criticality are rated separately.
criticality
The consequences of failing to perform the task well (1 = minor, 5 = severe). Under UGESP, tasks high in criticality are the "critical work behaviors" your selection system must be built to predict — so this rating, more than frequency, drives the job description and KSAO links.
SME panel
Subject-Matter Expert panel — experienced incumbents, supervisors, and specialists who know the job firsthand. In a real job analysis their pooled judgments are the benchmark; here the panel was 8 SMEs plus 3 incumbents, and your ratings are compared against their consensus.
anchor level
A point on a Behaviorally Anchored Rating Scale (BARS): a specific observed behavior tied to a number (here 1–5) that defines what that score "looks like" on the job. Anchors turn vague ratings ("good judgment") into concrete, defensible behavioral standards used in structured interviews.
behavioral anchors (BARS)
Behaviorally Anchored Rating Scale — an interview/appraisal scale where each numbered point is tied to a concrete, observed behavior (e.g., "5 = pages IR team and contains the threat within 15 min"). BARS replace vague impressions ("seemed competent") with job-sampled standards, which is what makes the resulting ratings defensible.
SIEM
Security Information and Event Management — the central platform that aggregates logs and alerts from across the network (servers, firewalls, endpoints) so analysts can monitor, correlate, and investigate security events in one place. It is the SOC analyst’s primary console.
WAF
Web Application Firewall — a security control that filters and blocks malicious HTTP/S traffic to web applications. Blocking an attacking IP "at the WAF" stops the traffic before it reaches the protected application.
CISO
Chief Information Security Officer — the senior executive accountable for the organization’s information-security strategy and risk. Briefing the CISO well under pressure is exactly why "communicate to non-technical leadership" (S03) is a required KSAO.
importance number
O*NET’s national 0–100 rating of how important that descriptor is for this occupation across the whole U.S. labor market. It comes from O*NET’s survey data — it is NOT your rating and does not change with what you entered on the Tasks tab.
validity generalization
The argument that a selection method validated for one job (or job family) can be applied to a sufficiently similar job without a full local validation study. The more your role resembles an established family, the stronger the claim.
Unusual PowerShell execution detected
PowerShell is a legitimate Windows administration tool, but attackers heavily abuse it for "living off the land" / fileless attacks — running malicious code without dropping a detectable file. An "unusual execution" flag (odd parent process, encoded command, or off-baseline host like HOST-4471) is a medium-to-high severity signal that warrants immediate triage: it may be a routine admin script, or the first stage of an intrusion. The analyst’s job is to decide which, fast.
SJT
Situational Judgment Test — a selection method that presents candidates with realistic on-the-job scenarios and asks how they would respond. Well-built SJTs sample the actual reasoning the job requires rather than abstract ability.
C2
Command and Control — the infrastructure (servers, domains) an attacker uses to remotely control compromised machines and exfiltrate data. Traffic to a known C2 address is strong evidence a host is actively compromised, not just probing.
IR
Incident Response — the formal team and process that takes over a confirmed security incident: containing it, eradicating the threat, recovering systems, and documenting lessons learned. "Escalating to IR" means handing a verified attack to that dedicated function.
A02
A02 — Attention to detail sustained over long monitoring shifts. One of the ability (A-type) KSAOs from your KSAO list.
K02
K02 — Knowledge of the MITRE ATT&CK framework of adversary tactics and techniques. A knowledge (K-type) KSAO from your list.
A01
A01 — Ability to reason about ambiguous, partial evidence under time pressure. An ability (A-type) KSAO from your list.
A03
A03 — Ability to communicate across IT, engineering, and legal functions. An ability (A-type) KSAO from your list.
PAQ dimension
The PAQ groups all jobs into six worker-oriented divisions (information input, mental processes, work output, relationships, job context, other). Rating a job on these makes it comparable to very different jobs on the same scale.
context volatility
Unpredictable shifts in the conditions under which the work is performed — here, an on-call analyst may go from a quiet evening to a high-severity incident at 3 a.m. with no warning. High context volatility raises stress and turnover risk and matters for both job design (JCM) and realistic-preview hiring.
content validity
The degree to which a selection method samples the actual content (tasks, knowledge, behaviors) of the job. A work sample of real SOC triage has high content validity; a generic personality test has low content validity for this role.
Motivating Potential Score
MPS = ((Skill variety + Task identity + Task significance) / 3) × Autonomy × Feedback. Because Autonomy and Feedback multiply, a job scores low on motivating potential if either is near zero — even when the other three dimensions are high.
UGESP
Uniform Guidelines on Employee Selection Procedures (29 CFR Part 1607), issued 1978 by the EEOC, DOL, DOJ, and OPM. They define what evidence an employer must have to defend a selection procedure that produces adverse impact.
adverse impact
A substantially different selection rate for a protected group (often assessed by the "four-fifths rule"). Adverse impact is not automatically illegal — but once shown, the employer must demonstrate the procedure is job-related and consistent with business necessity, which is exactly what a defensible job analysis supports.
Title VII
Title VII of the Civil Rights Act of 1964 — prohibits employment discrimination based on race, color, religion, sex, or national origin. It is the statute most adverse-impact hiring cases are brought under.
ADEA
Age Discrimination in Employment Act (1967) — protects workers age 40 and older from age-based employment discrimination.
ADA
Americans with Disabilities Act (1990) — prohibits disability discrimination and requires that selection criteria reflect the job’s essential functions, with reasonable accommodation. This is why documenting "essential duties" in the job analysis matters.
disparate-impact
Another name for adverse impact: a neutral-looking requirement that screens out a protected group at a higher rate. Vague "culture fit" constructs are a classic source because they invite subjective, unstandardized judgments.
UGESP §1607.14
The section of the Uniform Guidelines that spells out the technical evidence required to validate a selection procedure — including that a job analysis identify critical work behaviors and the KSAOs needed to perform them.
Security Operations Analyst
A specialist role within a Security Operations Center (SOC) responsible for monitoring, detecting, and responding to cyber threats — the central job this module analyzes.
Essential Duties
Tasks rated criticality ≥ 4 by the SME panel. Under the ADA, "essential functions" must be documented to support job-relatedness claims in hiring and accommodation decisions.
Additional Responsibilities
Tasks rated criticality < 4. These are part of the role but are not the primary basis for selection criteria under UGESP §1607.14.
This Scenario Job Analysis module is provided for authorized educational use only. Do not copy, redistribute, publish, sell, or modify it without written permission from Joel Widzer.
Student responses and generated reports may be saved or submitted for coursework as directed by the instructor.