Received: 17 March 2017 Revised: 12 April 2018 Accepted: 30 April 2018

DOI: 10.1111/isj.12202

RESEARCH ARTICLE

The impact of leadership on employees' intended

information security behaviour: An examination of
the full‐range leadership theory
Nadine Guhr1 | Benedikt Lebek2 | Michael H. Breitner1

1
Information Systems and Management
Institute, Leibniz Universität Hannover, Abstract
Information Systems and Management Explaining the influence of management leadership on
Institute (ISMI), Leibniz Universität Hannover,
Königsworther Platz 1, 30167 Hannover, employees' information security behaviour is an important
Germany focus in information systems research and for companies
2
bhn Dienstleistungs GmbH & Co. KG, Hans‐
and organizations. Unfortunately, the role of leadership
Lenze‐Straße 1, 31855 Aerzen, Germany
Correspondence
has remained largely unexplored in the information security
Nadine Guhr, Information Systems and context. Our study addresses this gap in literature: how the
Management Institute, Leibniz Universität
Hannover, Information Systems and
dimensions of full‐range leadership influence employees'
Management Institute (ISMI), Leibniz intended information security behaviour. Consequently,
Universität Hannover, Königsworther Platz 1,
30167 Hannover, Germany.
our study takes an interactional psychology perspective
Email: guhr@iwi.uni‐hannover.de and links the dimensions of the full‐range model of leader-
ship to employees' security compliance intention and secu-
rity participation intention. We tested our multitheoretical
model using Smart PLS 3.2.7 on a proprietary data set of
322 professionals in more than 14 branches throughout
different regions worldwide. Our study contributes to the
literature on information security, management, and leader-
ship by exploring how and why different leadership styles
enhance employees' intended information security behav-
iour. Our empirical findings emphasize the importance of
transformational leaders because they are capable of
directly influencing employees on the extra‐role and in‐role
behaviour levels. Our results indicate new directions for
information security and leadership research and implica-
tions for leadership practices.

MUHAMMAD FAISAL JAMAL BIN JAMALIS

4203002381
ARTICLE 10
Info Systems J. 2018;1–23. wileyonlinelibrary.com/journal/isj © 2018 John Wiley & Sons Ltd 1
2 GUHR ET AL.

KEYWORDS

full‐range leadership, information security behaviour, structural

equation modelling, survey research, transactional leadership,
transformational leadership

1 | I N T RO DU CT I O N

Employees' information security awareness and behaviour, and their resulting (non)compliance with information
security policies, which has attracted increased attention in research, are considered a key socio‐organizational
resource (Boss, Galletta, Lowry, Moody, & Polak, 2015; Bulgurcu, Cavusoglu, & Benbasat, 2010; Dhillon & Backhouse,
2001; Guo, Yuan, Archer, & Connelly, 2011; Hu, Dinev, Hart, & Cooke, 2012; Siponen & Vance, 2010). While referring
to employees as the weakest link in the information security chain, researchers have focused on employees' individual
perspectives (Crossler et al., 2013; Hu et al., 2012; Kearney & Kruger, 2016; Öğütçü, Testik, & Chouseinoglou, 2016;
Wall, Prashant, & Lowry, 2013; Wang, Xiao, & Rao, 2015; Warkentin & Willison, 2009). A major challenge for organiza-
tions is to find an effective way to promote information security policies to individual employees (Boss, Kirsch,
Angermeier, Shingler, & Boss, 2009; Cram, Proudfoot, & D'Arcy, 2017; Lowry & Moody, 2015) because employees have
considerable influence on the effectiveness of the information security efforts of the organization (Herath et al., 2014;
Öğütçü et al., 2016; Posey, Roberts, Lowry, & Hightower, 2014). In this context, the design of security policies and the
motivation of individuals to follow those policies are highly important (Boss et al., 2009).
Due to ever shorter innovation cycles and the constant development of new technologies (eg, cloud platform and
other collaboration tools), employees are exposed to ongoing changes in the work environment that require perma-
nent adaptations to their ways of working. The resulting complexity in daily work demands a high degree of informa-
tion security awareness from employees. Therefore, managers must exemplify information security awareness to
provide the necessary framework for the appropriate organizational structures to anchor the issue of information
security in the organization. Effective information security arises only if it permeates the entire organization and is
practiced by all employees and all departments. Organizations are confronted with the question of what leadership
styles should be promoted to positively influence the information security behaviour of their employees. This
pressing problem for practitioners is reflected in the research, where studies have emphasized that a change in
organizational culture towards increased emphasis on information security can only be accomplished if managers
possess certain soft skills (Ashenden, 2008). However, the role leadership style plays in the context of employees'
information security behaviour has been considered in only a few studies.
The aim of this study is to contribute to academic research as well as to derive an effective approach for practi-
tioners. Therefore, an organizational information systems artefact (see Lowry, Dinev, & Willison, 2017) in form of a
research model is developed and empirically tested. The model provides insights into the relationship between
management's leadership style and employees' behavioural intentions towards information security. We consider the
following 2 characteristics of employees' intended information security behaviour: employees' security compliance inten-
tion and employees' security participation intention. The first term refers to an employee's intention to meet the minimum
information security standards (ie, in‐role behaviour), and the second refers to the behavioural intention that actively
promotes organizational information security (ie, extra‐role behaviour). Since employees can become motivated to
perform in‐role and extra‐role behaviours, there are techniques that encourage employees' positive behaviour towards
the protection of their organizations from information security threats (Posey, Roberts, Lowry, Bennett, & Courtney,
2013). We posit that management leadership motivates employees to engage in a certain behaviour and thus is one
technique to positively influence employees' behavioural intentions towards information security.
Accounting for a broad range of leadership styles, our study is based on the full‐range leadership theory (Bass &
Avolio, 1994), which provides theoretically and empirically sound guidance on the effectiveness of leadership. The
model includes eight factors, which are attributed to transformational, transactional, and laissez‐faire leadership styles.
GUHR ET AL. 3

These factors can be represented on a 2‐dimensional continuum, which results from the level of managerial activity
and the effectiveness of the leadership.
Referring to previous leadership research, we define transformational leadership as a style of leadership that
transforms associates to rise above their self‐interest by altering their ideals, morale, values, and interests, motivating
them to perform better than initially expected (Avolio & Bass, 2004; Bass, 1985). “Transformational leaders are pro-
active: they seek to optimize individual, group and organizational development and innovation, not just achieve per-
formance ‘at expectations’” (Avolio & Bass, 2004, p. 101). In contrast, we define transactional leaders as leaders who
display behaviours associated with constructive and corrective transactions (ie, clarifying what the employee should do
in order to be rewarded as well as monitoring performance and taking action when problems occur). “Transactional
leadership defines expectations and promotes performance to achieve these levels.” (Avolio & Bass, 2004, p. 102).
Last, we define passive/avoidant leaders as more passive and “reactive” and “tend to react only after problems have
become a serious to take corrective action and may avoid making any decisions at all” (Avolio & Bass, 2004, p. 51).
In previous research, we only considered a section of the leadership continuum: The direct influence of transfor-
mational leadership on employees' intended information security behaviour was confirmed, and the missing link was
assumed to be closely related to transactional leadership (Lebek, Guhr, & Breitner, 2014). To address this gap, this
study considers the following research question by examining and comparing the effects of transformational,
transactional, and passive/avoidant leadership:

How do the dimensions of full‐range leadership influence employees' behavioral intentions towards
information security?

In the remainder of this article, we discuss the concepts of transactional, transformational, and passive/avoidant
leadership that have been identified in the research literature. In the next section, hypotheses are derived and a
conceptual model is developed that links these leadership styles to the intention to comply with organizational infor-
mation security policies and participate in organizational information security. Then, the methodology of the survey
study is described. After that, we report the data analysis results. Following the discussion and implications for
research and practice, we conclude by identifying limitations and providing an outlook for further research.

2 | L I T E R A T U R E R E V I E W A N D T HE O R E T I C A L B A C K G R O U N D

2.1 | Leadership in information security research

Previous studies on information security primarily focused on employees' perspectives regarding security awareness
and behaviour. Although researchers began to examine the influence of IT executives and managers on employees'
information security compliance (eg, Stewart & Thelander, 2005), the role of managerial leadership has not been a focal
point of information security research (Uffen, Guhr, & Breitner, 2012). However, Hsu and Wang (2015) provide evi-
dence in their study that the diversity of top management can influence the efficacy of information security manage-
ment. Broadbent and Kitzis (2004) argue that the success of chief information officers depends on their ability to go
beyond pure management and lead by setting expectations and influencing others to change. Humaidi and Balakrishnan
(2015) state that leaders play an important role by encouraging employees to be aware of organizational information
security policies and to comply with them. It is essential for organizations to establish a leadership style that promotes
information security by establishing a firmly anchored security culture (Dutta & McCrohan, 2002). According to
Dojkovski, Lichtenstein, and Warren (2007), leaders must act as role models to develop governance structures for main-
taining adequate information security. Mishra and Dhillon (2006) argue that management accountability is a fundamen-
tal factor in effective information security. Hence, information security responsibilities require both formal and informal
measures. Formal measures are the promotion of compliant behaviour and punishment of noncompliant behaviour. On
the informal side, managerial information security measures concern the creation of an organizational culture that
4 GUHR ET AL.

recognizes the importance of information security by considering prevalent norms, individual beliefs, and the personal
values of employees (Mishra & Dhillon, 2006). Managerial leadership styles and organizational culture strongly influence
employees' motivation to comply with organizational information security regulations (Siponen, 2000).

2.2 | Full‐range leadership theory

Based on Burns' (1978) work on leadership (Bass, Waldman, Avolio, & Bebb, 1987), Bass and Avolio (1994) developed
the full‐range leadership model, which has become one of the most widely used theories in today's research on
followers' perception of leadership (Salter, Harris, & McCormack, 2014). In addition to Burn's assumption that leaders
can either be transformational or be transactional, Bass and Avolio (1994) suggested that there is a third leadership
style in organizations, namely, passive/avoidant leadership (Gill, 2012).
Passive/avoidant leadership consists of 2 leadership styles: management‐by‐exception (passive) and laissez‐faire.
With the passive management‐by‐exception leadership style, leaders tend to avoid corrective actions (Bass et al.,
1987) and wait until deviations and errors occur before taking actions (Stewart, 2006), thereby avoiding ex‐ante
clarification of agreements and expectations to their followers (Sadeghi & Lope Pihie, 2012). With the laissez‐faire
style, leaders completely avoid influencing followers because they do not clarify goals, objectives, or expectations
to followers or take any corrective actions (Bass, Avolio, Jung, & Bergson, 2003). Therefore, this leadership style is
often also referred to as nonleadership.
Transactional leadership aims to motivate followers by helping them to fulfil their own self‐interests (Sadeghi &
Lope Pihie, 2012). Leaders provide rewards and punishment in exchange for achieving previously defined perfor-
mance goals (Jung & Sosik, 2002; Rafferty & Griffin, 2004). The relationship between leaders and followers is based
on an inherent contract of mutual reinforcement, to achieve higher performance (Jung & Sosik, 2002). Transactional
leadership is mainly composed of 2 dimensions of behaviour: contingent reward and active management‐by‐exception
(Avolio, Bass, & Jung, 1999; Bono & Judge, 2004; Stewart, 2006). Contingent reward encompasses the degree to
which followers are rewarded (eg, wages or prestige) in exchange for meeting defined performance standards (Bass
et al., 1987; Bono & Judge, 2004). The active management‐by‐exception leader monitors follower behaviour for mis-
takes and rule violations and corrects errors and problems before they become severe (Sadeghi & Lope Pihie, 2012).
In contrast to transactional leadership, transformational leadership encourages people to collaborate, rather than
work as individuals (Burns, 1978). Transformational leaders are charismatic and encourage people to adapt their
values and standards by motivating them to put their own interests behind those of the organization (Jung & Sosik,
2002). Four specific components of transformational leadership, namely, idealized influence, inspirational motivation
(IM), intellectual stimulation (IS), and individualized consideration (IC) have been identified (Bass et al., 2003; Geijsel,
Sleegers, Leithwood, & Jantzi, 2003; Jung & Sosik, 2002). Through idealized influence, leaders lead by good example
and motivate followers to identify with them (Bass et al., 2003; Bono & Judge, 2004). Inspirational leaders promote
enthusiasm, optimism, and energy in their followers (Liu, Siu, & Shi, 2010; Rafferty & Griffin, 2004; Stewart, 2006).
An intellectually stimulating leader inspire followers to develop their own innovative strategies for challenging
established methods and improving standards (Avolio et al., 1999; Bass et al., 1987; Bono & Judge, 2004). With
IC, leaders establish a supportive climate and provide coaching and mentoring to help followers raise their personal
abilities and potential (Geijsel et al., 2003; Stewart, 2006). These four characteristics not only enable transformational
leaders to satisfy their followers' current needs but also facilitate development of their followers' personalities,
thereby allowing them to consider higher needs of themselves and their groups (Bass et al., 1987).

3 | H Y P O T H E S I S G E NE R A T I O N A N D R E S E A R C H M O D E L

Figure 1 depicts our research model, which encompasses the entire continuum of leadership styles from the full‐
range leadership model, including all 8 components. Although previous studies provide evidence that passive/
GUHR ET AL. 5

FIGURE 1 Operational model of hypotheses

avoidant leadership behaviour does not result in employees' willingness to follow organizational information security
policies (Siponen & Kajava, 1998), we considered this leadership style in our survey to provide a comprehensive
analysis of leadership influence on employees' behavioural intentions towards information security.
We anticipate that leadership behaviour will directly influence employees' intended information security behav-
iour. Furthermore, we argue that employees' information security behaviour is a bidimensional construct that is com-
posed of 2 behavioural dimensions, namely, in‐role and extra‐role behaviour, which have been considered in previous
studies (eg, Guo, 2013; Hsu, Shih, Hung, & Lowry, 2015). Although academic research should strive to investigate
employees' actual behaviour, certain obstacles in real‐life organizational settings can make this undertaking impossible,
thereby providing justification for assessing behavioural intentions as approximations of actual behaviour (D'Arcy &
Lowry, 2017; Hu et al., 2012; Lowry et al., 2017; Mehri & Ahluwalia, 2013; Vroom & Von Solms, 2004). It is commonly
argued that the relationship between behavioural intention and actual behaviour is grounded in the theory of planned
behaviour by Ajzen (1985) (eg, Anderson & Agarwal, 2010; Siponen & Vance, 2010) and several researchers demon-
strated a strong correspondence between the 2 constructs (D'Arcy & Lowry, 2017; Herath et al., 2014; Li, Sarathy,
Zhang, & Luo, 2014; Webb & Sheeran, 2006). This is especially true when there is a short time gap between the stated
intention and actually performing behaviour (Ajzen, 1991, 2011; D'Arcy & Lowry, 2017). The reviewed information
security literature provides evidence that intention is a behavioural action tendency. We adopted this argument and
queried employees' behavioural intention towards information security compliance as proximal cognitive antecedents
of their actions to gain insights into employees' information security behaviour.

3.1 | Management influence on employees' in‐role behaviour

In‐role behaviour is represented by the construct of employees' information security compliance intention within the
proposed research model. Following Zhu (2013), we define in‐role behaviours as “all the behaviors that were neces-
sary for the completion of the responsible work,” which means, in the context of this study, employees' intention
to comply with the information security regulations of the organization. Compliance intention is generally defined
as “behavior that protects the information and technology resources of the organization from potential security
6 GUHR ET AL.

breaches” (Guo, 2013) and has been frequently used in previous studies (cf. Johnston, Warkentin, & Siponen, 2015;
Lebek et al., 2014; Wall et al., 2013).
Transformational leaders should positively influence employees' information security compliance intention
because they stimulate employees to neglect their self‐interest (ie, avoidance of inconvenient security measures) in
favour of the organizational group interest (cf. Burns, 1978). Moreover, transformational leadership results in high
organizational commitment of employees as we expect transformational leaders to convey the value and importance
of information‐policy‐compliant behaviour to their followers.
Transactional leadership can influence in‐role behaviour, where employees are rewarded or punished based on
their level of information security compliance (MacKenzie, Podsakoff, & Rich, 2001). The effects of reward and
punishment on employees' security compliance intention have been highly debated in the information security liter-
ature (eg, Bulgurcu et al., 2010; D'Arcy, Hovav, & Galetta, 2009; Liang, Xue, & Wu, 2013). The use of rewards and
punishment is closely related to transactional leadership (Avolio & Bass, 2004; Podsakoff, Bommer, Podsakoff, &
MacKenzie, 2006). Consequently, we propose that transactional leadership behaviour directly influence employees'
in‐role security behaviour.
In contrast, passive/avoidant leaders do not clarify the goals and standards that must be achieved by their
followers (Bass et al., 2003). They aim only to react when problems have become too serious to take corrective
actions or to not intervene at all (Avolio et al., 1999). In the information security context, this means that passive/
avoiding managers give their employees too much responsibility in deciding which security measures to take in each
situation. Furthermore, the laissez‐faire component of this leadership style commonly prevents employees from
learning from misbehaviour, thereby leading to employees' general incompliance with security standards.
Therefore, we propose the following hypotheses:

H1a: Transformational leadership behaviour is positively related to employees' in‐role behaviour in the
form of information security compliance intention.

H1b: Transactional leadership behaviour is positively related to employees' in‐role behaviour in the form
of information security compliance intention.

H1c: Passive/avoidant leadership is not positively related to employees' in‐role behaviour in the form of
information security compliance intention.

3.2 | Management influence on employees' extra‐role behaviour

It is insufficient for organizations to focus solely on employees' in‐role behaviour to sustainably promoting
employees' information security compliant behaviour. As Zhu (2013) stated, organizations that rely mainly on in‐role
behaviour are prone to developing an insubstantial social system. We used the construct of employees' security par-
ticipation intention, which refers to extra‐role behaviour or organizational citizenship behaviour (Clarke & Ward, 2006;
Rafferty & Griffin, 2004). Extending the effects of in‐role behaviour, extra‐role behaviour includes a greater voluntary
element and benefits the organizational information security, as opposed to simply adhering to minimum information
security standards. This behaviour includes, for example, helping co‐workers with information security issues, attend-
ing security training, and developing ideas on how to enhance information security in daily work and is not specified
in employees' formal job requirements. Extra‐role behaviour is not directly recognized by an organization's formal
reward system (Organ, 1988) but can enhance organizational effectiveness and operational efficiency (Zhu, 2013).
Because previous research considered passive/avoidant to be ineffective for facilitating desired employee
behaviour (Kelloway, Mullen, & Francis, 2006; Sadeghi & Lope Pihie, 2012), we do not expect that this leadership
style will cause employees to actively invest in enhancing information security on a voluntary basis.
Podsakoff, MacKenzie, Moorman, and Fetter (1990) found a direct link between transactional leadership behav-
iour and employees' extra‐role behaviour (ie, organizational citizenship behaviours). The authors argue that positive
GUHR ET AL. 7

feedback from managers on employees' high extra‐role behaviour leads to greater willingness of employees to
engage in extra‐role behaviour. MacKenzie et al. (2001) follow this logic as they conclude that punishing employees
due to low levels of extra‐role behaviour will act as an incentive for employees to engage in higher levels of extra‐role
behaviour. However, the authors further state that the influence of transactional leadership on employees' extra‐role
performance is not distinct. Because transformational leaders are capable of motivating employees on contextual
levels to achieve goals that are beyond their formal job descriptions (Podsakoff et al., 1990) and to exceed the
minimum job requirements (Bass, 1985), we expect transformational leadership to be ideally suited to increase
employees' extra‐role behaviour.
Thus, we propose the following hypotheses:

H2a: Transformational leadership behaviour is positively related to employees' extra‐role behaviour in the
form of information security participation intention.

H2b: Transactional leadership behaviour is positively related to employees' extra‐role behaviour in the
form of information security participation intention.

H2c: Passive/avoidant leadership is not positively related to employees' extra‐role behaviour in the form
of information security participation intention.

4 | RESEARCH METHODS

4.1 | Research design and data collection

Since inappropriate information security behaviour can cause serious harm to organizations and is therefore
unacceptable behaviour, employees can be expected to whitewash their behavioural intention when directly asked.
Therefore, we needed to study such intended behaviour in a manner that would elicit honest responses. Given the
research goals and the study level of the research model, we chose to use a cross‐sectional anonymous self‐reported
survey to collect empirical data and multivariate analysis methods to test the revised model statistically, which is a
well‐accepted approach in the literature (Lowry, Zhang, Wang, & Siponen, 2016). As mentioned by Lowry et al.
(2016), a substantial volume of IS research has used cross‐sectional studies that involve self‐reported behaviours,
in different contexts (eg, Moody & Siponen, 2013; Vance, Siponen, & Pahnila, 2012; Venkatesh, Thong, & Xu,
2012). Therefore, data sets from employees were used to test the research model. We chose the survey methodol-
ogy to collect empirical data and multivariate analysis methods to test the revised model statistically.
To increase content validity and assess the conciseness and clarity of the survey questions and instructions, sev-
eral measures were used to validate the survey instrument. First, as per Johnston and Warkentin (2010), content
validity for the instrument scales was established through a content validity expert panel, which was composed of
15 information systems faculty members and doctoral students. The information systems faculty members and doc-
toral students are consulted to identify and rectify potential problems in the framing and phrasing of questions. They
provided multiple perspectives on the instrument, which also helped diminish common method variance (CMV) in
subsequent instrument application (Podsakoff, MacKenzie, Lee, & Podsakoff, 2003) and ensure the appropriateness
of the items for the intended purpose. Next, we conducted one session of unlabelled and labelled sorting by
recruiting people from different age groups and asking for their feedback. Comments and opinions on the survey
questions were collected, compiled, and evaluated, and several modifications to the phrasing and framing of the
questions were made according to these suggestions.
We made the final questionnaire available in English and in German; the original questionnaire was translated into
German. To check for translation bias, a back‐translation technique was used to ensure linguistic equivalence. The back‐
translated items had a high degree of correspondence with the original English items, thereby assuring a relative lack of
translation bias. For the final study, we used a simple random sample to provide an unbiased random selection of
8 GUHR ET AL.

employees. For this purpose, e‐mail addresses and contact information were collected from social media profiles (eg,
Xing, LinkedIn, Facebook) and international company websites over a span of 12 months. Potential participants were
contacted, and the link to the online survey was sent to the participants. We included a broad range of industries and
firms to maximize the generalizability of the findings (seeTable 1). Our survey package consisted of a cover letter, which
stated the objective of the study, and the survey questionnaire. Due to the critical information that was being shared in
the survey, participants were assured that their responses would be treated with anonymity and confidentiality. The

TABLE 1 Profile of respondents

Measure Items Frequency Percent Cumulative Percent

Age ≤19 6 1.9 2.6

20‐29 120 37.3 53.6
30‐39 58 24.7 78.3
40‐49 24 7.5 88.5
50‐59 21 6.5 97.4
≥60 6 1.9 100.0
Missing 87 27.0
Gender Female 106 32.9 45.1
Male 129 40.1 100.0
Missing 87 27.0
Region North America 27 7.8 10.6
South America 1 0.3 11.1
Africa 4 1.2 12.8
Europe 204 63.4 99.6
Oceania 1 0.3 100.0
Missing 87 27.0
Branch of industry Education 14 4.3 6.0
Financial services 15 4.7 12.3
Government 6 1.9 14.9
Food/beverage/CPG 2 0.6 15.7
Health care 17 5.3 23.0
Manufacturing 29 9.0 35.3
Nonprofit 4 1.2 37.0
Medical, bio‐technology, pharmacology 4 1.2 38.7
Real estate 4 1.2 40.4
Services 30 9.3 53.2
Information technology 46 14.3 72.8
Telecommunications 3 0.9 74.0
Tourism 4 1.2 75.7
Wholesale/retail 13 4 81.3
Other 44 13.7 100.0
Missing 87 27.0
Company size (no. of employees) ≤9 10 3.1 4.3
10‐49 50 15.5 25.5
50‐249 55 17.1 48.9
250‐499 27 8.4 60.4
500‐999 13 4.0 66.0
≥1.000 80 24.8 100.0
Missing 87 27.0
IT experience Extremely unexperienced 7 2.2 3.0
Unexperienced 17 5.3 10.2
Undecided 44 13.7 28.9
Experienced 122 37.9 80.9
Extremely experienced 45 14.0 100.0
Missing 87 27.0
Information sensitivity Absolutely not sensitive 6 1.9 2.6
Not sensitive 19 5.9 10.6
Undecided 41 12.7 28.1
Sensitive 100 31.1 70.6
Highly sensitive 69 21.4 100.0
Missing 87 27.0
GUHR ET AL. 9

purpose of the survey and the data handling procedure were explained in the cover letter of the questionnaire. The first
question of the online survey eliminated participants who were unemployed. This restriction on the target group
allowed the authors to accurately measure the proposed hypotheses. From an initial sampling of 487 employees, we
screened out 66 responses with mostly missing values and 99 responses from participants who were unemployed. This
left 322 usable responses for an overall response rate of 66.12%. A summary of the demographic characteristics of the
respondents (age, gender, region, branch of industry, and company size) is provided in Table 1.
We also collected data on the respondents' IT experience and information sensitivity. We asked the respondents
to state how experienced they are in dealing with IT and how sensitive the information with which they deal is. As
expected, the majority of the participants are experienced or very experienced in IT. Furthermore, the majority of
the participants reported dealing with sensitive or very sensitive data in their profession (see Table 1).
In the first part of our questionnaire, the participants were asked to respond to the leadership items according to
their subjective perceptions of their respective supervisors. Therefore, the 4 dimensions of transformational leader-
ship, namely, idealized influence, IC, IM, and IS, the 2 dimensions of transactional leadership, namely, contingent
reward and management by exception (active), and the 2 dimensions of passive/avoidant leadership, namely,
laissez‐faire and management by exception (passive), were measured using a 5‐point rating scale, which ranged from
“not at all” to “frequently, if not always.” In the second part of the survey, employees were asked to indicate how
strongly they agreed or disagreed with multiple statements regarding their information security compliance intention
and information security participation intention. These constructs were measured with multiple items using a 5‐point
Likert scale, which ranged from “strongly disagree” to “strongly agree.”
Because the data were self‐reported, we used several approaches to prevent CMV ex ante in the research design
stage and ex post after the research has been conducted. The most critical point of CMV is that if it exists, the constructs
of the research model will be highly correlated with each other. Based on our analysis and given our care in survey
design, common method bias in our model is not likely. Appendix S3 provides the full details of our preanalyses.

4.2 | Operationalization of variables and measurement

We operationalized the research constructs through definitions of the constructs using prevalidated measures wher-
ever possible. When no existing scale was available for a given construct, items were adapted from the most closely
related scale, and some terms were changed to fit the specific research context. Appendix S1 provides the full details
of the items and questions.
To measure transformational leadership, transactional leadership, and passive/avoidant leadership as perceived
by the participants, we used the Multifactor Leadership Questionnaire (MLQ) form 5X‐Short. The MLQ is a well‐
established instrument and has been extensively used in laboratory and field research with a broad range of sample
populations and in a variety of settings. (Antonakis, Avolio, & Sivasubramaniam, 2003; Avolio & Bass, 2004; Sadeghi
& Lope Pihie, 2012). The questionnaire was used without modification in our study. As mentioned by Avolio and Bass
(2004), the MLQ can appropriately be used for individual, group, or organizational development and counselling.
Transformational leadership was conceptualized as being a function of idealized influence (attributed and behav-
iour—IIA/IIB), IM, IC, and IS. These subdimensions, which are viewed as defining attributes of the focal construct,
were measured using 18 indicators (MacKenzie, Podsakoff, & Podsakoff, 2011). We conceptualized transactional
leadership as being a function of contingent reward and management by exception (active) (MbEa). These
subdimensions were measured using 5 indicators. The attributes and behaviours from the components laissez‐faire
and passive management‐by‐exception that are assigned to the passive/avoidant leadership style (Avolio & Bass,
2004) were measured using 6 indicators.
After examining the relationship between each indicator and each construct in the proposed research model, we
determined the overall constructs to be reflective because of the interchangeability of the indicators, the covariation
among the indicators, the direction of the causality, and the nomological net of the constructs, which should not
differ (Petter, Straub, & Rai, 2007). Transformational, transactional, and passive/avoidant leadership are modelled
10 GUHR ET AL.

as hierarchical component models of the reflective‐formative type (Becker, Klein, & Wetzels, 2012; Cadogan & Lee,
2013). In the reflective‐formative–type models, the lower‐order constructs are reflectively measured constructs that
do not share a common cause but rather form a general concept that fully mediates the influence on subsequent
endogenous variables (Becker et al., 2012). This higher‐order abstraction is justified because if all items are bundled
together, the explanation of the resultant construct is incomplete (Gerbing, Hamilton, & Freeman, 1994) and the
contributions of various content domains to the final scale score will not be known (Koufteros, Babbar, & Kaighobadi,
2009). By enabling the collection of complex concepts in comparatively simple abstractions, multidimensional
constructs, such as second‐order constructs, provide opportunities for advancing research (Polites, Roberts, &
Thatcher, 2012) and increase the realism of empirical models (Edwards, 2001). Transformational, transactional, and
passive/avoidant leadership models are conceptualized as having multiple behavioural subdimensions that together
define what it means to be a transformational, transactional, or passive/avoidant leader and determine a leader's level
of transformational, transactional, or passive/avoidant leadership (MacKenzie et al., 2011). Even though these
constructs have been modelled consistently in the literature as having reflective indicators, transformational, transac-
tional, and passive‐avoidant leadership, constructs should be modelled as hierarchical component models of the
reflective‐formative type (MacKenzie, Podsakoff, & Jarvis, 2005). A detailed view of the hierarchical component
models of the reflective‐formative type can be found in Appendix S2, Figure S1.

5 | D A T A A N A L Y S I S A N D RE S U L T S

Empirical data were analysed via partial least squares structural equation modelling (PLS‐SEM). The use of PLS‐SEM
has increased exponentially in a variety of research disciplines, eg, IS research (Henseler, Ringle, & Sarstedt, 2015;
Ringle, Sarstedt, & Straub, 2012), strategic management (Hair, Sarstedt, Pieper, & Ringle, 2012), operations manage-
ment (Peng & Lai, 2012), accounting (Lee, Petter, Fayard, & Robinson, 2011), online social behaviour (James, Lowry,
Wallace, & Warkentin, 2017), and organizational research (Sosik, Kahai, & Piovoso, 2009), and has several advantages
in many situations, eg, when the data are not normally distributed, when sample sizes are small, or when complex
models with many model relationships and indicators are estimated (Hair, Hult, Ringle, & Sarstedt, 2014; Wetzels,
Odekerken‐Schroder, & Van Oppen, 2009). Furthermore, PLS‐SEM allows simultaneous testing of the measurement
model and the estimation of the structural model (Xu, Benbasat, & Centefelli, 2014). In contrast to covariance‐based
approaches, the evaluation of the measurement and structural model results in PLS‐SEM build on a set of nonpara-
metric evaluation criteria. In this research article, measurement validation and model testing were conducted using a
2‐step approach with the software SmartPLS version 3.2.7 (Ringle, Wende, & Becker, 2015). The 2‐step approach
involves separate assessments of the measurement models and the structural model (Hair et al., 2014). For the 3
latent constructs, namely, transformational, transactional, and passive/avoidant leadership, which are of the reflec-
tive‐formative type, we used the repeated indicator approach. The advantage of the repeated indicator approach
is that it takes the entire nomological network into account, rather than only the higher‐ or lower‐level model. This
is due to its ability to estimate all constructs simultaneously instead of estimating all dimensions separately (Becker
et al., 2012; Lowry & Gaskin, 2014).
Before testing the hypotheses, we evaluated the reliability and validity of the construct measures. First, we
checked for reliability because reliability is a necessary condition for validity. To ensure indicator reliability, we
examined the loadings of each indicator to their respective underlying construct. Acceptable indicator loadings are
recommended to be above the threshold of 0.70, which indicates that at least 50% of the variance is shared with
the respective construct (Chin, 1998). All outer loadings of the reflective constructs are well above this threshold.
The indicator MbEa_2 has the smallest indicator reliability, with a value of 0.50 (0.7042), while the indicator ISC_2
has the highest indicator reliability, with a value of 0.85 (0.9222) (see Appendix S2, Table S2.).
The composite reliability (internal consistency reliability; ICR) measures its internal consistency, but presumes, a
priori, that each indicator of a construct contributes equally (Chin, 1998; Fornell & Larcker, 1981). Fornell and Larcker
GUHR ET AL. 11

(1981) argued that their measure is superior to Cronbach alpha because it uses the actual item loadings that are
obtained within the nomological network to calculate the ICR. The ICR should be 0.70 or higher (Diamantopoulos,
Riefler, & Roth, 2008). The values for all reflective constructs are above the threshold (cf. Table 2). Convergent valid-
ity was assessed by the average variance extracted value as the evaluation criterion. The average variance extracted
values for all reflective constructs are well above the required minimum level of 0.50. Thus, the measures of the
reflective constructs have high levels of convergent validity (cf. Table 2).
Next, we checked for discriminant validity. Discriminant validity is the degree to which measures of different con-
structs are distinct (Campbell & Fiske, 1959; Henseler et al., 2015). If discriminant validity is not established, “constructs
have an influence on the variation of more than just the observed variables to which they are theoretically related” and,
thus, “researchers cannot be certain results confirming hypothesized structural paths are real or whether they are a

TABLE 2 Results of the reflective measurement assessment

Internal Consistency Discriminant
Convergent Validity Reliability Validity
Indicator Composite HTMT (Confidence
t‐ reliability AVE Reliability Cronbach α Interval Does not
Construct Items Loadings statistics (> 0.50) (> 0.50) (> 0.70) (>.60) Include 1)
Information security ISP_1 0.851 30.303 0.724 0.689 0.917 0.886 Yes
participation ISP_2 0.884 46.871 0.781
intention (ISP) ISP_3 0.876 56.520 0.767
ISP_4 0.802 31.355 0.643
ISP_5 0.729 15.204 0.531
Information security ISC_1 0.906 56.241 0.828 0.790 0.938 0.911 Yes
compliance ISC_3 0.922 57.543 0.850
intention (ISC) ISC_4 0.861 23.921 0.728
ISC_5 0.864 17.481 0.728
Contingent reward CR_2 0.886 69.407 0.785 0.748 0.856 0.665 Yes
(CR) CR_3 0.844 34.673 0.712
Idealized influence IIA_1 0.858 55.210 0.736 0.714 0.909 0.866 Yes
(attributed) (IIA) IIA_2 0.811 33.322 0.658
IIA_3 0.893 77.645 0.797
IIA_4 0.813 26.456 0.661
Idealized influence IIB_2 0.852 50.735 0.726 0.673 0.860 0.756 Yes
(behaviour) (IIB) IIB_3 0.780 29.182 0.608
IIB_4 0.828 41.059 0.686
Individualized IC_1 0.870 58.079 0.757 0.707 0.906 0.861 Yes
consideration (IC) IC_2 0.783 24.012 0.613
IC_3 0.817 26.779 0.667
IC_4 0.888 75.380 0.789
Inspirational IM_1 0.857 42.013 0.734 0.738 0.918 0.882 Yes
motivation (IM) IM_2 0.853 39.672 0.728
IM_3 0.856 50.958 0.733
IM_4 0.869 54.120 0.755
Intellectual IS_2 0.787 26.634 0.619 0.722 0.886 0.806 Yes
stimulation (IS) IS_3 0.883 61.989 0.780
IS_4 0.876 49.023 0.767
Management‐by‐ MbEa_2 0.704 16.852 0.500 0.568 0.797 0.619 Yes
exception (active) MbEa_3 0.805 29.482 0.648
(MbEa) MbEa_4 0.749 17.547 0.561
Management‐by‐ MbEp_1 0.821 36.841 0.647 0.627 0.890 0.814 Yes
exception MbEp_2 0.870 42.510 0.757
(passive) (MbEp) MbEp_4 0.870 53.446 0.757
Laissez‐faire (LF) LF_1 0.833 35.042 0.694 0.604 0.868 0.772 Yes
LF_3 0.825 28.097 0.680
LF_4 0.829 36.257 0.687
12 GUHR ET AL.

result of statistical discrepancies” (Farrell, 2010, p. 324). Different approaches are available for evaluating discriminant
validity, eg, the Fornell‐Larcker criterion and the examination of cross‐loadings. In our study, we use a new alternative
approach by Henseler et al. (2015) because traditional criteria do not reliably identify discriminant validity issues. They
propose an approach to assess discriminant validity that is based on the multitrait‐multimethod matrix, which is called
the heterotrait‐monotrait ratio of correlations (HTMT). HTMT is the average of the heterotrait‐heteromethod correla-
tions relative to the average of the monotrait‐heteromethod correlations (Henseler et al., 2015). HTMT is an estimate of
the correlation between 2 constructs. Therefore, if the indicators of 2 constructs exhibit an HTMT value that is smaller
than one, the correlation between these constructs is most likely different from one, and they should differ (Henseler
et al., 2015). They suggest that the threshold level of HTMT be 0.85 (Henseler et al., 2015), whereas Teo, Srivastava,
and Jiang (2008) propose a value of 0.9. In our model, the values for all constructs except the second‐order constructs
range from 0.148 to 0.848. We conclude that discriminant validity has been established based on the more conservative
0.85 threshold. Within the second‐order constructs, all the lower constructs are assumed to belong to a single overarch-
ing concept. Hence, discriminant validity is not necessarily a requirement within a second‐order construct. Table 2
summarizes the results of the reflective measurement assessment.
Because formative constructs may be influenced by multicollinearity, it is obligatory to test for multicollinearity
at the indicator level. Therefore, we examined the multicollinearity between contingent reward and MbEa, which are
the two dimensions of transactional leadership, among II, IC, IM, and IS, which are the dimensions of transformational
leadership, and the 2 dimensions of passive/avoidant leadership (management‐by‐exception and laissez‐faire). In the
context of PLS‐SEM, a tolerance variance inflation factor is calculated, and a value of 5 and higher indicates a poten-
tial collinearity problem (Hair, Ringle, & Sarstedt, 2011). In our study, all variance inflation factor values are below this
threshold (1.165 to 4.033) thereby indicating sufficient construct validity for our formative constructs.
Figure 2 shows the PLS‐SEM path coefficient estimates from the 2‐stage approach and their significance
(applying a bootstrapping procedure with 5.000 replications) (Henseler et al., 2015). With this procedure, the analysis
produced estimates of both the explained variance and the path coefficients. As shown by the PLS results from the
analysis of the structural model, of the 6 hypotheses (H1a‐H2c), two were found to be significant.
The final assessments address the effect size f2. The effect size has the benefit that its measurement allows for the
direct comparison of different measured quantities and it is independent of the sample size (Selya, Rose, Dierker,

FIGURE 2 Partial least squares results for the structural model

GUHR ET AL. 13

Hedeker, & Mermelstein, 2012). The effect size provides information about the size of the effect, although a low value
of f2 does not necessarily imply an insignificant or unimportant effect (Chin, Marcolin, & Newsted, 2003). To evaluate
whether the omitted exogenous constructs in our research model are meaningful and have a substantial impact on
the endogenous constructs (cf. Table 3), and to check for practical significance, we used the f2 effect size as per Cohen
(1988). According to Cohen (1988), the guidelines for assessing f2 are as follows: values of 0.02 to 0.14, 0.15 to 0.34, and
above 0.35 represent small, medium, and large effects, respectively, of the exogenous latent variable (Hair et al., 2014).
Prior research has identified follower age as sometimes positively related to leader effectiveness (Riordan, Grif-
fith, & Weatherly, 2003; Walumbwa, Avolio, & Zhu, 2008). Kearney (2008) also notes that theorists and practitioners
should pay attention to “how age differences might affect the influence of a leader's transformational behaviors on
team performance” (Kearney, 2008, p. 810). To investigate whether there are significant differences in the influence
of the different leadership styles on security participation intention and security compliance intention, we performed
a multigroup analysis. We split the respondents into groups of millennials and younger vs those who are older to ana-
lyse whether age has any influence. Authors in the literature are not specific about the dates that define digital
natives or millennials, but they can be defined collectively as those born in or after 1980 (Jones & Czerniewicz,
2010; Tapscott, 2009). These young people have grown up in this digital era, in a world where the use of information
and communication technology is omnipresent and where these technologies are used in different contexts
(Tapscott, 2009; Vodanovich, Sundaram, & Myers, 2010). Here, we make a conservative demarcation based on our
existing data. However, we are aware that this decision is not without problems because it assumes that, irrespective
of other socio‐economic variables, age determines ability to work with computers (and mobile devices). This assump-
tion is problematic because research has shown that the digital divide in terms of access (based on education, income
level, and age) has a direct impact on the skill divide (the ability to use computers and new technology). Thus, as
mentioned before, we performed an additional multigroup analysis, as detailed in Appendix S4.
Our results show that there are no differences between the age groups in terms of the relationships between
transactional and passive/avoidant leadership and security compliance and participation intention. This finding is also
true for the relationship between transformational leadership and security intention. However, there is a significant
difference in the influence of transformational leadership on security compliance intention. Interestingly, the results
of the multigroup analysis showed that the influence is significant only for the millennials. This factor requires further
research with respect to leadership and information security behaviour.

6 | DISCUSSION

6.1 | Contributions to research, theory, and practice

Our research aims to clarify how full‐range leadership, as reflected by its dimensions of transformational, transac-
tional, and passive/avoidant leadership, is linked to security compliance intention and security participation intention.
We subsequently discuss the different facets of our theoretical contribution regarding this research question.

TABLE 3 Effect size

Latent Variable Being Explained (Endogenous) Explanatory Latent Variable (Exogenous) f2

Information security participation intention Transformational leadership 0.120

Transactional leadership 0.001
Passive/avoidant leadership 0.001
Information security compliance intention Transformational leadership 0.089
Transactional leadership 0.000
Passive/avoidant leadership 0.007

Note: Cohen f2‐statistics = [R2incl. − R2 excl.]/[1 − R2 incl.] (Cohen, 1988).

14 GUHR ET AL.

Our research paper addresses a substantial security problem at the organizational level, which is relevant to not
only IS practice but also IS research. Our study contributes to theory by proposing the first theoretical model to
account for the influence of managerial leadership by considering the effect of full‐range leadership on employees'
intended information security behaviour. This approach is particularly interesting because there are differing views
in both the literature and practice regarding the impacts of different leadership styles on employee behaviour.
Addressing this question is of particular interest in the information security context because information security
behaviour can have a significant and lasting influence on a company. Therefore, adequate employee leadership,
among other factors that are already known, is essential for implementing adequate information security behaviour.
We effectively used the full‐range leadership model (MLQ) in an information security context. Such an empirically
grounded and theoretically informed understanding has been absent from the existing research and practice
discourses.
Our study provides insights into the effects of managerial leadership on employees' intended information
security behaviour. Although the role of leadership in the information security context has been addressed previously
by researchers, the utilization of the full‐range leadership model (Bass & Avolio, 1994) in the specific context of
employees' information security behaviour research is new. Building on this model, we take into account the com-
plete range of management leadership behaviours, transformational leadership, transactional leadership, and pas-
sive/avoidant leadership. Moreover, the recognition of the entire leadership behaviour spectrum contributes to
academic research because, even in other areas of behavioural research (ie, employees' safety behaviour), passive/
avoidant leadership has been neglected in favour of the 2 other leadership styles (Kelloway et al., 2006). The results
clearly demonstrate that the transformational leadership style is best suited to achieve the desired behavioural inten-
tion of employees compared with transactional and passive/avoidant behaviours.
Furthermore, the empirical results of this study imply that transactional leadership behaviour does not
influence employees' behavioural intention towards information security on either the in‐role or extra‐role level.
Previous research assumed that the exertion of formal measures (eg, rewards and punishment), which is closely
related to the transactional leadership style, can enhance employees' behavioural intention towards information
security (Lebek et al., 2014). However, on the basis of our results, we reject this hypothesis, thereby contradicting
a recent study by Humaidi and Balakrishnan (2015) who found transactional leadership to be more effective than
transformational leadership in inducing compliant behaviour in employees. Their results indicate that employees'
information‐security‐compliant behaviour was enhanced when leaders clarified the rewards of performance and
expressed satisfaction with the achievements of their employees in the organization in relation to compliance with
information security policies. The authors further state that strict punishment of information security violations
results in higher security awareness and thus more compliant behaviour. These 2 views on the roles of rewards
and punishments are in line with an ongoing discussion in recent research. While the question as to whether
rewards and punishments result in higher information security behaviour by employees has been frequently exam-
ined within the academic literature (eg, D'Arcy et al., 2009; Herath & Rao, 2009; Xue, Liang, & Wu, 2011), studies
have led to divergent results; there is not yet a definite answer (D'Arcy & Herath, 2011).
Contributing to this discussion on the indistinct role of formal control measures, the results of this study under-
line the importance of informal measures as related to transformational leadership behaviour. Our findings demon-
strate that transformational leaders are capable of positively influencing employees' behavioural intention towards
information security. As hypothesized, transformational leaders are capable of motivating employees to perform
beyond expectations (Avolio & Bass, 2004), thereby influencing employees' in‐role and extra‐role security behav-
ioural intentions. Because we investigate generalized transformational leadership, this finding also suggests that
transformational leaders do not need to possess a specific orientation towards information security to stimulate
information security participation intention of employees. Generalized transformational leadership enables supervi-
sors to achieve interpersonal and organizational goals.
As expected, passive/avoidant leadership does not have a positive effect on employees' intended information
security behaviour. This result is in line with the assumption that ignoring the information‐security–related behaviour
GUHR ET AL. 15

of employees has no positive effects on information security outcomes. Our findings stress the necessity of
managers' involvement in information security and reacting to employees' behaviour to facilitate the desired behav-
ioural intentions, which means that the mere set‐up of rules and guidelines is not sufficient. However, our study does
not show a negative correlation between passive/avoidant leadership and employees' behavioural intention towards
information security, as was demonstrated by studies in other areas of application (eg, Kelloway et al., 2006;
Skogstad, Einarsen, Torsheim, Aasland, & Hetland, 2007). For companies with a middle management that is not
concerned with information security, it is necessary to find other ways to communicate the importance of
security‐compliant behaviour to the employees. One possibility is the establishment of a security education training
and awareness programme that fulfils this task and monitors employees' security behaviour. Moreover, the results of
our study can be used by security experts to convince managers to take an active role in information security and
become aware of information security issues in their respective areas of responsibility.
Regarding enhancing employees' behavioural intentions towards information security, we demonstrate that the
effects of transformational leaders exceed those of leaders that rely solely on transactional leadership tactics. This
result emphasizes the need for organizations to encourage the transformational leadership type. By this means, orga-
nizations can prevent the occurrence of the overjustification effect, which can have a negative impact on employees'
compliance behaviour (Griggs, 2012). This effect occurs when employees are unwilling to perform a certain behaviour
and leaders use extrinsic motivational factors (ie, rewards to support the activity). However, the positive influence of
external incentives on employees' motivation is limited and may even displace their intrinsic motivation, which has a
negative impact on employees' behaviour in the long term.
By considering employees' extra‐role behaviour in the form of security participation intention, we add another
important dimension to employees' information security behaviour research that has been previously neglected in
this research area. Since “encouraging extra‐role behaviors is crucial to addressing organizational ‘weak links,’ […]
performing extra‐role behaviour can help employees monitor and report bad behaviour and/or help less capable
employees work more effectively” (Hsu et al., 2015). As Hsu et al. (2015) state, this can be achieved by promoting
social ties among employees and encouraging supportive leadership styles, such as transformational leadership, to
enhance employees' active role in the information security chain and to form a more sustainable and evolving infor-
mation security organization.
Despite the differences between the 2 leadership styles, transformational and transactional leadership are
hypothesized to be complementary rather than competing. In contrast to Burns (1978), who considered transac-
tional and transformational leadership to be at opposite ends of a continuum, Bass (1985) sees them as separate
leadership dimensions that aim to achieve goals of leaders, followers, and organizations. MacKenzie et al. (2001)
noted that

[…] theories of transformational leadership posit that most leaders engage in transactional forms of leader
behavior by providing feedback continent on performance […]. Consequently, these transformational leader
behaviors augment or enhance the effectiveness of the leader over and above what she or he could achieve
through transactional leadership alone (p. 116).

For example, a leader can display all the qualities of a transformational leader to enhance employees' willingness
to show greater commitment and work performance. However, that leader may still use the corrective actions of a
transactional leader (ie, punishment) if employees fail to meet performance goals (Avolio & Bass, 2004). Accordingly,
organizations are not forced to choose between 2 types of leaders, each for a particular objective. However, they
should promote transformational leaders, because they possess an extended set of leadership tactics and, therefore,
are more successful in enhancing employees' information security performance. Organizations can support their
leaders by helping them to develop transformational skill sets through, eg, leadership training and assist them in
creating a shared vision and goals through dedicated information security awareness campaigns. Furthermore,
organizations must grant freedom and flexibility to their leaders to place value on information security and address
the topic in a transformational way.
16 GUHR ET AL.

6.2 | Limitations and suggestions for future research

Reflecting the preliminary nature of our study, our investigation has several limitations that offer opportunities for
future studies. The research question was focused on how, rather than what, leadership style influences employees'
intended information security behaviour. A desirable benefit of the chosen design of our study is the ability to isolate
particular constructs of interest. However, a weakness of that research design is its inability to truly capture other
dynamic processes that concern management leadership in the context of information security behaviour within a
complex organizational environment. Future research should use other methods to provide a triangulation with the
presented findings. It is suggested that a survey and interview approach that targets both the management leadership
of executives and employees' compliance and participation behaviour should be undertaken. An important outcome
of such a research design would be the ability to contrast the attitudes, motivations, and intentions of executives and
their chosen or perceived leadership styles with the attitudes, motivations, and intentions of employees, by the
nature of the desired information security behaviour in organizations.
Moreover, there are limitations regarding the use of generic measures for information security compliance inten-
tion. Siponen and Vance (2014) advocate the use of specific measures to reduce bias: “respondents need to use their
memory and imagination” to answer generic questions. There are 2 reasons for choosing generic measures for this
study: First, because the survey was not limited to any company, branch, or country, it was not possible to investigate
a specific yet common and relevant issue. Second, we adopted the items from renowned and frequently cited sources
to provide validity.
Our nomological model can be further extended by investigating alternative mediators or moderators. In the lit-
erature, several other factors have been discussed with respect to their impact on information security. For example,
risk preference (eg, risk avoidance vs risk seeking) might impact employees' compliance and participation intention.
Furthermore, theories of moral reasoning are also relevant in the information security context because the decision
either to protect or to violate information security policies can be understood as a moral conflict (Myyry, Siponen,
Pahnila, Vartianen, & Vance, 2009). In the context of the influence of transformational and transactional leadership
on employees' security compliance behaviour, a behaviour that protects information and technology resources might
be mediated by moral reasoning and different motivational types of values. It is also questionable whether security
motivation might be influenced by the moral judgement stages, in the form of different stages of moral reasoning.
The current model can benefit from including such variables in future research.
In this study, we regarded employees' intended information security behaviour in general. However, Posey et al.
(2013) argue that employees' information security behaviour is subject to behavioural complexity, meaning that that
information security behaviour is the performance of a portfolio of functions that allow an individual to respond to
complex demands of information security. The authors developed a formal taxonomy and classification scheme of
an overall set of positive information security behaviours. For future research, it would be interesting to investigate
how management leadership affects the different information security behaviours within the overall set. Moreover,
the question arises to what extent the influence of leadership depends on the behavioural repertoire and behavioural
differentiation of employees.
In our research model, the behavioural intention outcome measure is actual, self‐reported security participation
behaviour as opposed to security participation intention. According to D'Arcy and Lowry (2017), and based on the
fact that security participation behaviour is self‐reported, it is similar to an intention measure and not an unbiased
intention measure of actual information security participation. Hence, we view our behavioural outcome variable
(security participation) as conceptually similar to the intention portion of theory of planned behaviour. In future
research, a close collaboration with organizations and companies would be needed to not only collect intended
compliance and actual security participation data. In general, self‐reported compliance and participation data in the
information security context incur concerns for social desirability and anonymity. Therefore is necessary but also
critical to emphasize trust in researchers and the anonymous nature of the survey to reduce the effect of social
desirability (Li et al., 2014).
GUHR ET AL. 17

Furthermore, the inclusion of other antecedents that influence climate and motivation for security might also be
useful. This includes, for example, the risk level of a particular organization or branch (ie, the severity and certainty of
threats) or organizational characteristics such as size. It is likely that confounding variables exist that affect the influ-
ence of transformational leadership on employees' information security behaviour, which must be taken into consid-
eration. National, organizational, and group cultural aspects are critical variables for managerial processes that
directly or indirectly influence IT (Leidner & Kayworth, 2006). Different beliefs, basic assumptions, or shared values
within different cultural settings have a diverse impact on the effects of transformational and transactional leadership
on employees' information security behaviour. In this context, culture is notoriously difficult to define and conceptu-
alize (Boyacigiller, Kleinberg, Phillips, & Sackmann, 1996). One approach is to use the approach of Hofstede (1991).
For example, Miltgen and Peyrat‐Guillard (2014) showed in their research that there are key cultural and generational
differences regarding the significance of trust vs responsibility for personal data. Furthermore, the researchers stated
that young people feel more responsible, more positive, and more confident of their ability to prevent possible data
misuse (Miltgen & Peyrat‐Guillard, 2014). Indeed, it may be that transformational leadership has a greater influence
on the information security performance dimensions in this case, whereas transactional leadership is a more impor-
tant determinant in other countries. Future research could extend this study across different cultural settings.

7 | C O N CL U S I O N

Although recent studies mentioned leadership in the context of information security, academic research does not
properly consider the role of managers and supervisors in the information security chain. To shed light on this issue,
we set forth to answer the following question: How do the dimensions of full‐range leadership influence employees'
behavioural intention towards information security? We developed and tested a nomological model of the relation-
ships among transformational leadership, transactional leadership, passive/avoidant leadership, security participation
intention, and security compliance intention. By identifying the underlying mechanism and boundary conditions of
management leadership and the leadership's influence on the behavioural intentions of employees in the information
security context, our study serves as a basis for future research in this relevant and growing area. By empirically
validating the relationships between transformational leadership, transactional leadership, and passive/avoidant
leadership and the information security dimensions, our study demonstrates the importance of using the most
suitable leadership style in improving employees' behavioural intention towards information security in companies
and organizations.

ORCID
Nadine Guhr http://orcid.org/0000-0001-8812-1488
Michael H. Breitner http://orcid.org/0000-0001-7315-3022

RE FE R ENC ES
Ajzen, I. (1985). From intentions to actions: A theory of planned behavior. In J. Kuhl, & J. Beckmann (Eds.), Action control:
From cognition to behavior (pp. 11–39). Berlin, Heidelberg, New York: Springer‐Verlag.
Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211.
Ajzen, I. (2011). The theory of planned behaviour: Reactions and reflections. Psychology & Health, 26(9), 1113–1127.
Anderson, C. L., & Agarwal, R. (2010). Practicing safe computing: A multimethod empirical examination of home computer
user security behavioral intentions. MIS Quarterly, 34(3), 613–643.
Antonakis, J., Avolio, B. J., & Sivasubramaniam, N. (2003). Context and leadership: An examination of the nine‐factor
full‐range leadership theory using the multifactor leadership questionnaire. The Leadership Quarterly, 14(3), 261–295.
Ashenden, D. (2008). Information security management: A human challenge? Information Security Technical Report, 13(4),
195–201.
Avolio, B. J., & Bass, B. M. (2004). Multifactor leadership questionnaire: Manual and sample set. California: Mindgarden.
18 GUHR ET AL.

Avolio, B. J., Bass, B. M., & Jung, D. I. (1999). Re‐examining the components of transformational and transactional leadership
using the multifactor leadership questionnaire. Journal of Occupational and Organizational Psychology, 72(4), 441–462.
Bass, B. M. (1985). Leadership and performance beyond expectations. New York: The Free Press.
Bass, B. M., & Avolio, B. J. (1994). Improving organizational effectiveness through transformational leadership. Thousand Oaks,
CA: Sage Publications.
Bass, B. M., Avolio, B. J., Jung, D. I., & Bergson, Y. (2003). Predicting unit performance by assessing transformational and
transactional leadership. Journal of Applied Psychology, 88(2), 207–218.
Bass, B. M., Waldman, D. A., Avolio, B. J., & Bebb, M. (1987). Transformational leadership and the falling dominoes effect.
Group & Organization Management, 73(12), 73–87.
Becker, J. M., Klein, K., & Wetzels, M. (2012). Hierarchical latent variable models in PLS‐SEM: guidelines for using reflective‐
formative type models. Long Range Planning, 45(5–6), 359–394.
Bono, J. E., & Judge, T. A. (2004). Personality and transformational and transactional leadership: A meta‐analysis. Journal of
Applied Psychology, 89(5), 901–910.
Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do users have to fear? Using fear appeals to
engender threats and fear that motivate protective security behaviors. MIS Quarterly, 39(4), 837–864.
Boss, S. R., Kirsch, L. J., Angermeier, I., Shingler, R. A., & Boss, R. W. (2009). If someone is watching, I'll do what I'm asked:
Mandatories, control, and information security. European Journal of Information Systems, 18(2), 151–164.
Boyacigiller, N. A., Kleinberg, M. J., Phillips, M. E., & Sackmann, S. A. (1996). Conceptualizing culture. In B. J. Punnett, & O.
Shenkar (Eds.), Handbook of international management research (pp. 157–208). Cambridge: Blackwell.
Broadbent, M., & Kitzis, E. S. (2004). The new CIO leader: Setting the agenda and delivering results. Boston, USA: Harvard
Business Press.
Bulgurcu, B. H., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of
rationality‐based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548.
Burns, J. M. (1978). Leadership. New York: Harper & Row.
Cadogan, J. W., & Lee, N. (2013). Improper use of endogenous formative variables. Journal of Business Research, 66(2),
233–241.
Campbell, D. T., & Fiske, D. (1959). Convergent and discriminant validation by the multitrait‐multimethod matrix. Psycholog-
ical Bulletin, 56(2), 81–105.
Chin, W. W. (1998). Issues and opinion on structural equation modeling. MIS Quarterly, 29(3), vii–xvi.
Chin, W. W., Marcolin, B. L., & Newsted, P. R. (2003). A partial least squares latent variable modeling approach for measuring
interaction effects: Results from a Monte Carlo simulation study and an electronic‐mail emotion/adoption study.
Information Systems Research, 14(2), 189–217.
Clarke, S., & Ward, K. (2006). The role of leader influence tactics and safety climate in engaging employees' safety
participation. Risk Analysis, 26(5), 1175–1185.
Cohen, J. (1988). Statistical power analysis for the behavioral sciences. Hillsdale, New Jersey: Lawrence Erlbaum Associates,
Publishers.
Cram, W. A., Proudfoot, J. G., & D'Arcy, J. (2017). Organizational information security policies: A review and research
framework. European Journal of Information Systems, 26(6), 605–641.
Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013). Future directions for behavioural
information security research. Computer & Security, 32, 90–101.
D'Arcy, J., & Lowry, P. B. (2017). Cognitive‐affective drivers of employees' daily compliance with information security
policies: A multilevel, longitudinal study. Information Systems Journal, 2017, 1–27.
D'Arcy, J., & Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: Making sense of the
disparate findings. European Journal of Information Systems, 20(6), 643–658.
D'Arcy, J., Hovav, A., & Galetta, D. F. (2009). User awareness of security countermeasures and its impact on information sys-
tems misuse: A deterrence approach. Information Systems Research, 20(1), 79–98.
Dhillon, G., & Backhouse, J. (2001). Current direction in IS security research: Towards socio‐organizational perspectives.
Information Systems Journal, 11(2), 127–153.
Diamantopoulos, A., Riefler, P., & Roth, K. P. (2008). Advancing formative measurement models. Journal of Business Research,
61(12), 1203–1218.
Dojkovski, S., Lichtenstein, S. & Warren, M. J. (2007). Fostering information security culture in small and medium size enter-
prises: An interpretive study in Australia. Proceedings of the 15th European Conference on Information Systems, June
7–9, St. Gallen, Switzerland.
GUHR ET AL. 19

Dutta, A., & McCrohan, K. (2002). Management's role in information security in a cyber economy. California Management
Review, 45(1), 67–87.
Edwards, J. R. (2001). Multidimensional constructs in organizational behavior research: An integrative analytical framework.
Organizational Research Methods, 4(2), 144–192.
Farrell, A. M. (2010). Insufficient discriminant validity: A comment on Bove, Pervan, Beatty, and Shi (2009). Journal of
Business Research, 63(3), 324–327.
Fornell, C., & Larcker, D. F. (1981). Evaluating structural equation models with unobservable variables and measurement
error. Journal of Marketing Research, 18(1), 39–50.
Geijsel, F., Sleegers, P., Leithwood, K., & Jantzi, D. (2003). Transformational leadership effects on teachers' commitment and
effort toward school reform. Journal of Educational Administration, 41(3), 228–256.
Gerbing, D. W., Hamilton, J. G., & Freeman, E. B. (1994). A large scale second‐order structural equation model of the
influence of management participation on organizational planning benefits. Journal of Management, 20(4), 859–885.
Gill, R. (2012). Theory and practice of leadership (Second ed.). Thousand Oaks, California: SAGE Publication Ltd.
Griggs, R. A. (2012). Psychology: A concise introduction. New York: Worth Publishers.
Guo, K. H. (2013). Security‐related behavior in using information systems in the workplace: a review and synthesis.
Computers & Security, 23(1), 242–251.
Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Understanding nonmalicious security violations in the workplace:
A composite behavior model. Journal of Management Information Systems, 28(2), 203–236.
Hair, J. F., Hult, G. T. M., Ringle, C. M., & Sarstedt, M. (2014). A primer on partial least squares structural equation modeling
(PLS‐SEM). Thousand Oaks, California: SAGE Publications Inc.
Hair, J. F., Ringle, C. M., & Sarstedt, M. (2011). PLS‐SEM: Indeed a silver bullet. Journal of Marketing Theory and Practice, 19(2),
139–151.
Hair, J. F., Sarstedt, M., Pieper, T. M., & Ringle, C. M. (2012). The use of partial least squares structural equation modeling in
strategic management research: a review of past practices and recommendations for future applications. Long Range
Planning, 45(5–6), 320–340.
Henseler, J., Ringle, C. M., & Sarstedt, M. (2015). A new criterion for assessing discriminant validity in variance‐based
structural equation modeling. Journal of the Academy of Marketing Science, 43(1), 115–135.
Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J., & Rao, H. R. (2014). Security services as coping mechanisms: An
investigation into user intention to adopt an email authentication service. Information Systems Journal, 24(1), 61–84.
Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in
organizations. European Journal of Information Systems, 18(2), 106–125.
Hofstede, G. (1991). Culture and organizations: Software of the mind. London: McGraw Hill.
Hsu, C., & Wang, T. (2015). Composition of the top management team and information security breaches. In M. M.
Cruz‐Cunha, & I. M. Portela (Eds.), Handbook of research on digital crime, cyberspace security, and information assurance
(pp. 116–134). IGI Global.
Hsu, J. S.‐C., Shih, S.‐P., Hung, Y. W., & Lowry, P. B. (2015). The role of extra‐role behaviors and social controls in information
security policy effectiveness. Information Systems Research, 26(2), 282–300.
Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012). Managing employee compliance with information security policies: The role of
top management and organizational culture. Decision Science, 43(4), 615–660.
Humaidi, N., & Balakrishnan, V. (2015). Leadership styles and information security compliance behavior: The mediator effect
of information security awareness. International Journal of Information and Education Technology, 5(4), 311–318.
James, T. L., Lowry, P. B., Wallace, L., & Warkentin, M. (2017). The effect of belongingness on obsessive‐compulsive disorder
in the use of online social networks. Journal of Management Information Systems, 34(2), 560–596.
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly,
34(3), 549–566.
Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to
the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113–134.
Jones, C., & Czerniewicz, L. (2010). Describing or debunking? The net generation and digital natives. Journal of Computer
Assisted Learning, 26(5), 317–320.
Jung, D. I., & Sosik, J. J. (2002). Transformational leadership in work groups: The role of empowerment, cohesiveness, and
collective‐efficacy on perceived group performance. Small Group Research, 33(3), 313–136.
Kearney, E. (2008). Age differences between leader and followers as a moderator of the relationship between transforma-
tional leadership and team performance. Journal of Occupational and Organizational Psychology, 81(4), 803–811.
20 GUHR ET AL.

Kearney, W. D., & Kruger, H. A. (2016). Can perceptual differences account for enigmatic information security behaviour in
an organization. Computer & Security, 61(C, 46–58.
Kelloway, E. K., Mullen, J., & Francis, L. (2006). Divergent effects of transformational and passive leadership on employee
safety. Journal of Occupational Health Psychology, 11(1), 76–86.
Koufteros, X., Babbar, S., & Kaighobadi, M. (2009). A paradigm for examining second‐order factor models employing
structural equation modeling. International Journal of Production Economics, 120(2), 633–652.
Lebek, B., Guhr, N., & Breitner, M. H. (2014). Transformational leadership and employees' information security performance:
The mediating role of motivation and climate. Proceedings of the 35th International Conference on Information Systems,
December 14–17, Auckland, New Zealand.
Lee, L., Petter, S., Fayard, D., & Robinson, S. (2011). On the use of partial least squares path modeling in accounting research.
International Journal of Accounting Information Systems, 12(4), 305–328.
Leidner, D. E., & Kayworth, T. (2006). A review of culture in information systems research: Toward a theory of information
technology culture conflict. MIS Quarterly, 30(2), 357–399.
Li, H., Sarathy, R., Zhang, J., & Luo, X. (2014). Exploring the effects of organizational justice, personal ethics and sanction on
internet use policy compliance. Information Systems Journal, 24(6), 479–502.
Liang, H., Xue, Y., & Wu, L. (2013). Ensuring employees' IT compliance: Carrot or stick? Information Systems Research, 24(2),
279–294.
Liu, J., Siu, O. L., & Shi, K. (2010). Transformational leadership and employee well‐being: The mediating role of trust in the
leader and self‐efficacy. Applied Psychology, 59(3), 454–479.
Lowry, P. B., Dinev, T., & Willison, R. (2017). Why security and privacy research lies at the centre of the information systems
(IS) artefact: Proposing a bold research agenda. European Journal of Information Systems, 26(6), 546–563.
Lowry, P. B., & Gaskin, J. (2014). Partial least squares (PLS) structural equation modeling (SEM) for building and testing
behavioral causal theory: When to choose and how to use it. IEEE Transactions on Professional Communication, 57(2),
123–146.
Lowry, P. B., & Moody, G. D. (2015). Proposing the control‐reactance compliance model (CRCM) to explain opposing
motivations to comply with organizational information security policies. Information Systems Journal, 25(5), 433–463.
Lowry, P. B., Zhang, J., Wang, C., & Siponen, M. (2016). Why do adults engage in cyberbullying on social media? An integra-
tion of online disinhibition and deindividuation effects with the social structure and social learning (SSSL) model.
Information Systems Research, 27(4), 962–986.
MacKenzie, S. B., Podsakoff, P. M., & Jarvis, C. B. (2005). The problem of measurement model misspecification in behavioral
and organizational research and some recommended solutions. Journal of Applied Science, 90(4), 710–730.
MacKenzie, S. B., Podsakoff, P. M., & Podsakoff, N. P. (2011). Construct measurement and validation procedures in MIS and
behavioral research: Integrating new and existing techniques. MIS Quarterly, 35(2), 293–334.
MacKenzie, S. B., Podsakoff, P. M., & Rich, G. A. (2001). Transformational and transactional leadership and salesperson
performance. Journal of the Academy of Marketing Science, 29(2), 115–134.
Mehri, M. I., & Ahluwalia, P. (2013). Information security policies compliance: The role of organizational punishment.
Proceedings of the 19th Americas Conference on Information Systems, August 15–17, Chicago, Illinois.
Miltgen, C. L., & Peyrat‐Guillard, D. (2014). Cultural and generational influences on privacy concerns: A qualitative study in
seven European countries. European Journal of Information Systems, 23(2), 103–125.
Mishra, S. & Dhillon, G. (2006). Information systems security governance research: A behavioral perspective. 1st Annual
Symposium on Information Assurance, Academic Track of the 9th Annual 2006 NYS Cyber Security Conference, pp.
18–26. June 14–15, New York, NY.
Moody, G. D., & Siponen, M. (2013). Using the theory of interpersonal behavior to explain non‐work‐related personal use of
the internet at work. Information Management, 50(6), 322–335.
Myyry, L., Siponen, M., Pahnila, S., Vartianen, T., & Vance, A. (2009). What levels of moral reasoning and values explain
adherence to information security rules? An empirical study. European Journal of Information Systems, 18(2), 126–139.
Öğütçü, G., Testik, Ö. M., & Chouseinoglou, O. (2016). Analysis of personal information security behaviour and awareness.
Computers & Security, 56(C), 83–93.
Organ, D. W. (1988). Organizational citizenship behaviour: The good soldier syndrome. Lexington, MA: Lexington Books.
Peng, D. X., & Lai, F. (2012). Using partial least squares in operations management research: A practical guideline and
summary of past research. Journal of Operations Management, 30(6), 467–480.
Petter, S., Straub, D., & Rai, A. (2007). Specifying formative constructs in information systems research. MIS Quarterly, 31(4),
623–656.
GUHR ET AL. 21

Podsakoff, P. M., Bommer, W. H., Podsakoff, N. P., & MacKenzie, S. B. (2006). Relationships between leader reward and pun-
ishment behavior and subordinate attitudes, perceptions, and behaviors: A meta‐analytic review of existing and new
Research. Organizational Behavior and Human Decision Processes, 99(2), 113–142.
Podsakoff, P. M., MacKenzie, S. B., Lee, L. Y., & Podsakoff, N. P. (2003). Common method biases in behavioral research: A
critical review of the literature and recommended remedies. Journal of Applied Psychology, 88(5), 879–903.
Podsakoff, P. M., MacKenzie, S. B., Moorman, R. H., & Fetter, R. (1990). Transformational leader behaviors and their effects
on followers' trust in leader, satisfaction, organizational citizenship behaviors. The Leadership Quarterly, 1(2), 107–142.
Polites, G. L., Roberts, N., & Thatcher, J. (2012). Conceptualizing models using multidimensional constructs: A review and
guidelines for their use. European Journal of Information Systems, 21(1), 22–48.
Posey, C., Roberts, T. L., Lowry, P. B., Bennett, R. J., & Courtney, J. (2013). Insiders' protection of organizational information
assets: Development of a systematics‐based taxonomy and theory of diversity for protection‐motivated behaviors. MIS
Quarterly, 37(4), 1189–1210.
Posey, C., Roberts, T. L., Lowry, P. B., & Hightower, R. (2014). Bridging the divide: A qualitative comparison of information
security thought patterns between information security professionals and ordinary organizational insiders. Information
& Management, 51(5), 551–567.
Rafferty, A. E., & Griffin, M. A. (2004). Dimensions of transformational leadership: Conceptual and empirical extensions. The
Leadership Quarterly, 15(3), 329–354.
Ringle, C. M., Sarstedt, M., & Straub, D. W. (2012). A critical look at the use of PLS‐SEM. MIS Quarterly, 36(1), iii–xiv.
Ringle, C.M., Wende, S., & Becker, J. M. (2015). SmartPLS 3. Retrieved from www.smartpls.com.
Riordan, C. M., Griffith, R. W., & Weatherly, E. W. (2003). Age and work‐related outcomes: The moderating effects of status
characteristics. Journal of Applied Social Psychology, 33(1), 37–57.
Sadeghi, A., & Lope Pihie, Z. A. (2012). Transformational leadership and its predictive effects on leadership effectiveness.
International Journal of Business and Social Science, 3(7), 168–197.
Salter, C., Harris, M., & McCormack, J. (2014). Bass & Avolio's full range leadership model and moral development. E‐Leader
Milan.
Selya, A. S., Rose, J. S., Dierker, L. C., Hedeker, D., & Mermelstein, R. (2012). A practical guide to calculating Cohen's f2, a
measure of local effect size, from PROC MIXED. Frontiers in Psychology, 3(111), 1–6.
Siponen, M. (2000). A conceptual foundation for organizational information security awareness. Information Management &
Computer Security, 8(1), 31–41.
Siponen, M., & Kajava, J. (1998). Ontology of organizational IT security awareness—From theoretical foundations to practical
framework. 17th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises
Proceedings, June 17–19, Stanford, CA, USA, 327–331.
Siponen, M., & Vance, A. (2010). Neutralization: New insight into the problem of employee information systems security
policy violations. MIS Quarterly, 34(3), 487–502.
Siponen, M., & Vance, A. (2014). Guidelines for improving the contextual relevance of field surveys: The case of information
security policy violations. European Journal of Information Systems, 23(3), 289–305.
Skogstad, A., Einarsen, S., Torsheim, T., Aasland, M. S., & Hetland, H. (2007). The destructiveness of laissez‐faire leadership
behavior. Journal of Occupational Health Psychology, 12(1), 80–92.
Sosik, J. J., Kahai, S. S., & Piovoso, M. J. (2009). Silver bullet or voodoo statistics? A primer for using the partial least squares
data analytic technique in group and organization research. Group & Organization Management, 34(1), 5–36.
Stewart, G. & Thelander, N. (2005). Can IT security be improved with better IT leadership in the 21st century university?
Proceedings of the 11th Americas conference on information systems, august 9–12, Omaha, NE, USA, pp. 2762–2766.
Stewart, J. (2006). Transformational leadership: An evolving concept examined through the works of Burns, Bass, Avolio, and
Leithwood. Canadian Journal of Educational Administration and Policy, 54(1), 1–29.
Tapscott, D. (2009). Grown up digital: How the net generation is changing your world. New York, NY: McGraw‐Hill Professional.
Teo, T. S. H., Srivastava, S. C., & Jiang, L. (2008). Trust and electronic government success: An empirical study. Journal of
Management Information Systems, 25(3), 99–132.
Uffen, J., Guhr, N., & Breitner, M. H. (2012). Personality traits and information security management: An empirical study of
information security executives. Proceedings of the 33rd International Conference on Information Systems, December
16–19, Orlando, FL, USA.
Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from habit and protection motivation
theory. Information Management, 49(3–4), 190–198.
22 GUHR ET AL.

Venkatesh, V., Thong, J. Y., & Xu, X. (2012). Consumer acceptance and use of information technology: Extending the unified
theory of acceptance and use of technology. MIS Quarterly, 36(1), 157–178.
Vodanovich, S., Sundaram, D., & Myers, M. (2010). Digital natives and ubiquitous information systems. Information Systems
Research, 21(4), 711–723.
Vroom, C., & Von Solms, R. (2004). Towards information security behavioral compliance. Computer & Security, 23(3),
191–198.
Wall, J. D., Prashant, P., & Lowry, P. B. (2013). Control‐related motivations and information security policy compliance: The
role of autonomy and efficacy. Journal of Information Privacy and Security, 9(4), 52–79.
Walumbwa, F. O., Avolio, B. J., & Zhu, W. (2008). How transformational leadership weaves its influence on individual job per-
formance: The role of identification and efficacy beliefs. Personnel Psychology, 61(4), 793–825.
Wang, J., Xiao, N., & Rao, H. R. (2015). An exploration of risk characteristics of information security threats and related public
information search behavior. Information Systems Research, 26(3), 619–633.
Warkentin, M., & Willison, R. (2009). Behavioral and policy issues in information systems security: The insider threat.
European Journal of Information Systems, 18(2), 101–105.
Webb, T. L., & Sheeran, P. (2006). Does changing behavioral intentions engender behavior change? A meta‐analysis of
experimental evidence. Psychological Bulletin, 132(2), 249–268.
Wetzels, M., Odekerken‐Schroder, G., & Van Oppen, C. (2009). Using PLS path modeling for assessing hierarchical construct
models: Guidelines and empirical illustration. MIS Quarterly, 33(1), 177–195.
Xu, J. D., Benbasat, I., & Centefelli, R. T. (2014). The nature and consequences of trade‐off transparency in the context of
recommendation agents. MIS Quarterly, 38(2), 379–406.
Xue, Y., Liang, H., & Wu, L. (2011). Punishment, justice, and compliance in mandatory IT settings. Information Systems
Research, 22(2), 400–414.
Zhu, Y. (2013). Individual behavior: In‐role and extra‐role. International Journal of Business Administration, 4(1), 23–27.

Nadine Guhr is an assistant professor at the Information Systems and Management Institute, at the Leibniz
Universität Hannover. She received her doctoral degree from the Leibniz Universität Hannover. Her research
interests include behavioural and organizational security and privacy issues, and the adoption, diffusion, and
impact of information systems as well as mobile services and systems. Her research has been published in leading
international conferences (eg, International Conference on Information Systems, European Conference on Infor-
mation Systems, and Hawaii International Conference on System Sciences) and International Journals, including
International Journal of Business, Humanities and Technology, International Journal of Business and Social
Science.

Benedikt Lebek earned his doctoral degree in Economics at the Leibniz Universität Hannover. He currently
works as information security and privacy manager for an international engineering company. His research
focuses on organizational information security and employees' information security behaviour. His research
has been published in leading international conferences (eg, International Conference on Information Systems,
Americas Conference on Information Systems, and Hawaii International Conference on System Sciences) and
International Journals, including Management Research Review.

Michael H. Breitner is a full professor and head of the Information Systems and Management Institute, Leibniz
Universität Hannover. His research includes information security, privacy, cultural dimensions and diversity,
information systems acceptance and success, and change management. His research has been published in lead-
ing international conferences (eg, International Conference on Information Systems, Americas Conference on
Information Systems, and Hawaii International Conference on System Sciences) and International Journals,
including, Journal of Management Information Systems, Electronic Markets, Management Research Review,
Journal of Decision Support Systems, Business & Information Systems Engineering, International Journal of Auto-
motive Technology and Management, and Transportation Research.
GUHR ET AL. 23

SUPPORTING INF ORMATI ON

Additional supporting information may be found online in the Supporting Information section at the end of the
article.

How to cite this article: Guhr N, Lebek B, Breitner MH. The impact of leadership on employees' intended
information security behaviour: An examination of the full‐range leadership theory. Info Systems J.
2018;1–23. https://doi.org/10.1111/isj.12202