Stage Theorizing in Behavioral Information Systems Security Research

In information systems (IS) and IS security (ISS) literature, models are commonly divided into variance and process models. In other scientific disciplines, models are instead commonly divided into stage-less versus stage models. This division is also useful in ISS for two reasons. First, despite common claims, most IS and ISS models, especially in behavioral research, may not be variance models. Second, not only users’ ISS behavior but also their reasons for it may change over time. Stage models can be helpful in capturing this development and change in terms of idealized stages. However, while stage models exist in IS(S), their philosophical foundations benefit from clarifications. For instance, the requirements for stage theories cannot be unreservedly copied from other disciplines, such as health psychology, for use in ISS research. ISS scholars must consider a case-by-case basis in building a stage model. To aid in this, cyber security examples are used here to illustrate the concepts and usefulness of stage models. I also explain how stage models differ from process models, which also model change.