Leadership Commitment: A Key Factor in Implementation of Event-Based Cybersecurity Risk Assessment
Abstract
Implementing event-based cybersecurity risk assessment offers organisations a proactive approach to managing cyber threats in real time. Unlike the asset-based approach, the event-based approach focuses on identifying and analysing potential cyber-attacks or events rather than relying on static asset inventories. However, successful cybersecurity implementation relies not only on technical expertise but also on managerial expertise, such as strong leadership commitment. Leadership plays an important role in prioritising cybersecurity initiatives: it secures the necessary resources and ensures strategic integration into the organisation's overall risk management framework. Despite its importance, limited research explores the impact of leadership commitment on implementing event-based cybersecurity risk assessment in organisations. This study uses a qualitative research approach to address this gap through semi-structured interviews with ten cybersecurity experts across multiple public sector organisations in Malaysia. Thematic analysis revealed three key leadership factors: (i) top management buy-in, which embeds cybersecurity into organisational priorities; (ii) resource allocation, which ensures adequate funding and support; and (iii) leadership advocacy, which maintains cybersecurity as a strategic agenda. These findings highlight that without strong leadership support, organisations may struggle to implement event-based cybersecurity risk assessment successfully. This study contributes to cybersecurity governance research by highlighting the critical role of leadership in adopting event-based cybersecurity risk assessment. It underlines the need for strategic leadership engagement in shaping cybersecurity policy, allocating resources and fostering a cyber risk-aware culture. The findings also provide practical insights for policymakers, cybersecurity professionals and organisational leaders in developing risk management frameworks to strengthen cybersecurity resilience.