Developing A Cybersecurity Leadership Model for Educational Organizations in Malaysia: A Grounded Theory Study

Abstract

The digital transformation of education has intensified organizational dependence on connected platforms, cloud systems, and data-driven learning environments, thereby increasing exposure to cybersecurity risks such as ransomware, phishing, identity compromise, and data breaches. While educational cybersecurity research has predominantly focused on technical controls, cybersecurity in education is increasingly recognized as a leadership and governance challenge requiring institutional direction, cultural change, and strategic capabilitybuilding. In Malaysia, national initiatives such as MyDIGITAL, the Malaysia Education Blueprint (2013–2025), and the Digital Education Policy highlight the importance of digital readiness; however, there remains limited empirical understanding of how educational leaders enact cybersecurity leadership in complex organisational contexts. This study aims to develop a Cybersecurity Leadership Model for educational organizations in Malaysia, using grounded theory to capture leadership practices and governance mechanisms from practitioner perspectives. Semi-structured interviews were conducted with N=26 participants comprising education leaders, ICT coordinators, cybersecurity officers, and policy stakeholders across key educational settings. Data were analyzed through constant comparative analysis using open, axial, and selective coding, leading to the emergence of six core leadership dimensions such as strategic cyber governance, risk-informed decisionmaking, cyber-resilient culture and awareness, capability development and professional learning, incident leadership and crisis communication, and ethical compliance and data stewardship. The resulting model positions cybersecurity leadership as a socio-technical and governance-driven function that integrates institutional values with initiative-taking risk management and sustainable capacity-building. The study contributes a context-sensitive framework for guiding cybersecurity readiness and leadership development in Malaysia’s educational ecosystem and offers actionable implications for leadership training institutions such as Institute Aminuddin Baki in strengthening cyber governance and organizational resilience.