ABSTRACT VIEW
Abstract NUM 2364

HOW CAN MANAGERS MOTIVATE EMPLOYEES TO COMPLY WITH INFORMATION SECURITY GUIDELINES AT WORK?
J. Warwas, V. Zengerle, T. Keller
Universität Stuttgart-Hohenheim (GERMANY)
Cybersecurity has become a competitive factor, especially for small and medium-sized enterprises (SMEs) (Bitkom, 2023). Their resources are rarely sufficient for comprehensive structural security measures (BSI, 2024), while their employees are considered the "weakest link" in the security chain (Bulgurcu, Cavusoglu & Benbasat, 2010). Managers, on the other hand, are tasked with establishing an organizational information security culture (ISC) and promoting willingness to implement information security measures through incentives (Hassan et al., 2017). Nevertheless, there is a lack of studies examining the possibilities and limitations of leadership activities to reach these aims (Humaidi & Balakrishnan, 2015; Zakaria, Omar et al., 2007).

Our study addresses this research gap by examining, from the employee's perspective, which leadership behaviors motivate them to comply with IT security guidelines. Relevant behavioral dimensions such as security communication or monitoring are derived from concepts of Information Security Culture (ISC) (e.g., Nasir, Arshah & Ab Hamid, 2017; Schein, 1992). In addition, assumptions of Deci & Ryan’s Self-Determination Theory (SDT) (1993) are used to establish connections between leadership behavior, employee motivation, and security-compliant behavior.

Data was collected via an online survey of the target group (panel: Prolific; n=300). A preliminary pilot study involving 181 employees showed that the instruments used are reliable and that five forms of motivational regulation for information-secure behavior in the workplace can be validly mapped in accordance with SDT. In addition, these initial analyses suggest that credible commitment and security-related communication by managers are associated with higher identified motivation and lower amotivation among employees, which in turn is linked to a greater willingness to comply with security guidelines.

Using latent profile analysis, the main survey aims to clarify how different profiles of leadership behaviors are systematically related to different forms of action regulation and compliance on the part of employees. This profile-analytical approach enables an integrative view of compliance-supporting activities of managers, provides insights into their occurrence in German SMEs, and allows motivationally informed recommendations from the ISC literature.

Keywords: Cybersecurity, Leadership, Motivation.

Event: ICERI2025
Session: Educational Trends and Experiences
Session time: Monday, 10th of November from 15:00 to 18:30
Session type: POSTER