Developing A Cybersecurity Leadership Model for Educational Organizations in Malaysia: A Grounded Theory Study

The digital transformation of education has intensified organizational dependence on connected platforms, cloud systems, and data-driven learning environments, thereby increasing exposure to cybersecurity risks such as ransomware, phishing, identity compromise, and data breaches. While educational cybersecurity research has predominantly focused on technical controls, cybersecurity in education is increasingly recognized as a leadership and governance challenge requiring institutional direction, cultural change, and strategic capabilitybuilding. In Malaysia, national initiatives such as MyDIGITAL, the Malaysia Education Blueprint (2013–2025), and the Digital Education Policy highlight the importance of digital readiness; however, there remains limited empirical understanding of how educational leaders enact cybersecurity leadership in complex organisational contexts. This study aims to develop a Cybersecurity Leadership Model for educational organizations in Malaysia, using grounded theory to capture leadership practices and governance mechanisms from practitioner perspectives. Semi-structured interviews were conducted with N=26 participants comprising education leaders, ICT coordinators, cybersecurity officers, and policy stakeholders across key educational settings. Data were analyzed through constant comparative analysis using open, axial, and selective coding, leading to the emergence of six core leadership dimensions such as strategic cyber governance, risk-informed decisionmaking, cyber-resilient culture and awareness, capability development and professional learning, incident leadership and crisis communication, and ethical compliance and data stewardship. The resulting model positions cybersecurity leadership as a socio-technical and governance-driven function that integrates institutional values with initiative-taking risk management and sustainable capacity-building. The study contributes a context-sensitive framework for guiding cybersecurity readiness and leadership development in Malaysia’s educational ecosystem and offers actionable implications for leadership training institutions such as Institute Aminuddin Baki in strengthening cyber governance and organizational resilience.

cybersecurity leadership, grounded theory, educational organizations, governance, resilience, digital leadership, Malaysia

1. Argyris, C., & Schön, D. A. (1996). Organizational learning II: Theory, method, and practice. AddisonWesley. [Google Scholar] [Crossref]

2. Bada, M., & Nurse, J. R. C. (2019). Developing cybersecurity education and awareness programs for small-and-medium-sized enterprises (SMEs). Information and Computer Security, 27(3), 393–410. [Google Scholar] [Crossref]

3. Baxter, G., & Sommerville, I. (2011). Socio-technical systems: From design methods to systems engineering. Interacting with Computers, 23(1), 4–17. [Google Scholar] [Crossref]

4. Charmaz, K. (2014). Constructing grounded theory (2nd ed.). SAGE Publications. [Google Scholar] [Crossref]

5. Creswell, J. W., & Poth, C. N. (2018). Qualitative inquiry and research design: Choosing among five approaches (4th ed.). SAGE Publications. [Google Scholar] [Crossref]

6. Duchek, S. (2020). Organizational resilience: A capability-based conceptualization. Business Research, 13, 215–246. [Google Scholar] [Crossref]

7. ENISA. (2023). ENISA threat landscape 2023. European Union Agency for Cybersecurity. [Google Scholar] [Crossref]

8. Floridi, L., Cowls, J., Beltrametti, M., Chatila, R., Chazerand, P., Dignum, V., Luetge, C., Madelin, R., Pagallo, U., Rossi, F., Schafer, B., Valcke, P., & Vayena, E. (2022). AI4People.An ethical framework for a good AI society: Opportunities, risks, principles, and recommendations. Minds and Machines, 28(4), 689–707. [Google Scholar] [Crossref]

9. Glaser, B. G., & Strauss, A. L. (1967). The discovery of grounded theory: Strategies for qualitative research. Aldine. [Google Scholar] [Crossref]

10. Hollnagel, E. (2014). Safety-I and Safety-II: The past and future of safety management. Ashgate. [Google Scholar] [Crossref]

11. ISO. (2018). ISO 31000:2018 risk management—Guidelines. International Organization for Standardization. [Google Scholar] [Crossref]

12. Lincoln, Y. S., & Guba, E. G. (1985). Naturalistic inquiry. SAGE Publications. [Google Scholar] [Crossref]

13. OECD. (2023). Cybersecurity policy-making in the education sector: An overview. OECD Publishing. [Google Scholar] [Crossref]

14. UNESCO. (2021). Recommendation on the ethics of artificial intelligence. UNESCO Publishing. [Google Scholar] [Crossref]

15. von Solms, R., & von Solms, S. (2018). Cybersecurity and information security—What goes where? Information & Computer Security, 26(1), 2–9. [Google Scholar] [Crossref]

• “Next-Generation Cybersecurity Through Blockchain and AI Synergy: A Paradigm Shift in Intelligent Threat Mitigation and Decentralised Security”
• Forensic Payroll Analytics for IPPIS: A Hybrid Anomaly-Detection Framework to Expose Payroll Fraud, Improve Data Governance, and Protect Employee Rights
• Factors Influencing Data Protection on Global Trade
• Development Of Artificial Intelligence-Based Model for Forensic Analysis of Cross-Platform Deepfakes
• Cyber Threats and Nigeria’s National Security: Assessing the Role of Regional Cooperation in West Africa