Precaution-taking information security behaviour: toward a more nuanced leader-member-exchange perspective in information security

Abstract

Contrary to the conventional view that strong leader-member relationships naturally guarantee proactive cybersecurity efforts, this study uncovers a more intricate reality: caring leadership without tangible employee empowerment and accountability can stall precaution-taking information security behaviour. Drawing on leader-member-exchange theory, we shift the focus from individual motivators to relational dynamics, emphasizing that employees' extra-role security behaviours hinge on more than mere managerial support. Through a survey of 433 employees in Vietnamese firms, our findings reveal no direct effect of leader-member-exchange on precaution-taking information security behaviour; instead, accountability and psychological empowerment fully mediate this relationship. These results indicate that high quality leader-member-exchange is not, by itself, sufficient to explain sustained precaution taking security engagement. Instead, our evidence suggests that when leaders only care without simultaneously equipping employees with clear responsibilities (accountability) and genuine autonomy to take security precautions, and that elevated security expectations may lead to frustration or minimal compliance. By highlighting these tensions, this study expands the theoretical discourse on information security from main individualistic perspectives to the nuanced interplay of leader-employee interactions, offering a fresh rationale for why simply being supportive may not yield the desired secure behaviours. For practitioners, rather than relying on goodwill alone, organisations must ensure that accountability structures and empowerment practices are woven into the fabric of leadership styles to transform supportive relationships into robust, precaution-taking security practices.