Leadership Influence on Cybersecurity Culture Development
Khamis, Hamdi (2026)
2026
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-202603184535
https://urn.fi/URN:NBN:fi:amk-202603184535
Tiivistelmä
This exploratory thesis examines how leadership approaches appear to influence the development of cybersecurity culture, and how organizational context may shape culturebuilding mechanisms. Using an exploratory mixed-methods design, the study integrates (1) a thematic literature review, (2) two illustrative documentary case studies (Princeton University and Liberty Mutual) based on published materials, and (3) an exploratory survey of 12 Chief Information Security Officers (CISOs) and senior security leaders administered between August 28, 2025 and September 3, 2025.
The case studies suggest how context shapes feasible leadership strategies: decentralized academic environments tend to require influence-based approaches that build trust and participation, while regulated corporate environments can embed secure behavior through formal management systems, structured communications, and reinforcement mechanisms. Survey findings indicate that transformational and adaptive leadership are the most frequently reported primary styles (33.3% each). Half of respondents (50.0%) reported a "Managed" level of cybersecurity culture maturity, while fewer reported "Optimizing" maturity (16.7%), suggesting that sustained continuous improvement remains difficult. The most frequently cited barrier to culture development was lack of executive support (33.3%), followed by competing priorities and resource constraints (25.0% each).
This thesis contributes a preliminary conceptual framework linking leadership approach, organizational levers, and culture maturity, and provides initial guidance for leaders seeking to move beyond compliance-oriented programmes toward sustained, humancentered secure behavior. Given the study's exploratory nature and methodological limitations—including the use of documentary case studies based on secondary sources and a small survey sample—the findings represent preliminary insights that require further validation through future research.
The case studies suggest how context shapes feasible leadership strategies: decentralized academic environments tend to require influence-based approaches that build trust and participation, while regulated corporate environments can embed secure behavior through formal management systems, structured communications, and reinforcement mechanisms. Survey findings indicate that transformational and adaptive leadership are the most frequently reported primary styles (33.3% each). Half of respondents (50.0%) reported a "Managed" level of cybersecurity culture maturity, while fewer reported "Optimizing" maturity (16.7%), suggesting that sustained continuous improvement remains difficult. The most frequently cited barrier to culture development was lack of executive support (33.3%), followed by competing priorities and resource constraints (25.0% each).
This thesis contributes a preliminary conceptual framework linking leadership approach, organizational levers, and culture maturity, and provides initial guidance for leaders seeking to move beyond compliance-oriented programmes toward sustained, humancentered secure behavior. Given the study's exploratory nature and methodological limitations—including the use of documentary case studies based on secondary sources and a small survey sample—the findings represent preliminary insights that require further validation through future research.