Cybersecurity Leadership as Governance: A Constructivist Grounded Theory of Digital Risk Stewardship in Public Education

Abstract

Digital transformation has intensified reliance on digital infrastructures within public education while simultaneously amplifying institutional exposure to cybersecurity risks. Yet educational leadership scholarship continues to privilege innovation and digital maturity, leaving cybersecurity under-theorised as a governance responsibility. Addressing this gap, this study developed a constructivist grounded theory of Cybersecurity Leadership within Malaysia’s public education system. Drawing on 26 semi-structured interviews across school, district, and policy levels, constant comparative analysis generated a multidimensional governance model. Findings reveal a governance internalisation process in which digital risk shifts from delegated technical management to executive accountability. Six interdependent dimensions were identified: strategic governance integration, risk-informed decision-making, cultural reinforcement, capability development, crisis leadership, and ethical stewardship. Through their recursive interaction, these dimensions generate institutional resilience and digital trust. The study reframes cybersecurity as a core executive leadership competency embedded within strategic direction-setting rather than a peripheral compliance function. By integrating socio-technical systems and organisational resilience perspectives, it advances digital leadership theory beyond innovation-centric paradigms and positions risk-informed governance as a foundational principle of sustainable digital transformation in public education.