University of Oulu

Mari Karjalainen, Mikko Siponen, Suprateek Sarker, Toward a stage theory of the development of employees’ information security behavior, Computers & Security, Volume 93, 2020, 101782, ISSN 0167-4048,

Toward a stage theory of the development of employees’ information security behavior

Author: Karjalainen, Mari (1); Siponen, Mikko (2); Sarker, Suprateek (3)
Organizations: (1) M3S Research Unit, Faculty of Information Technology and Electrical Engineering, University of Oulu, Oulu, FI 90014, Finland
(2) Faculty of Information Technology, University of Jyvaskyla, P.O. Box 35, FI 40014, Finland
(3) McIntire School of Commerce, University of Virginia, USA
Format: article
Version: published version
Access: open
Online Access: PDF Full Text (PDF, 0.9 MB)
Language: English
Published: Elsevier, 2020
Publish Date: 2020-04-14


Existing behavioral information security research proposes continuum or non-stage models that focus on finding static determinants for information security behavior (ISB) that remains unchanged. Such models cannot explain a case where the reasons for ISB change. However, the underlying reasons and motives for users’ ISB are not static but may change over time. To understand the change in reasoning between different antecedents, we examine stage theorizing in other fields and develop the requirements for an emergent theory of the development of employees’ ISB: (1) the content of stages based on the stage elements and their stage-specific attributes; (2) the stage-independent element explaining the instability of ISB; and (3) the temporal order of stages based on developmental progression. To illustrate the stage theory requirements in an information security context, we suggest four stages: intuitive thinking, declarative thinking, agency-related thinking, and routine-related thinking. We propose that learning is a key driver of change between the stages. According to our theorizing, employees start with intuitive beliefs and later develop routine-related thinking. Furthermore, using interview data collected from employees in a multinational company, we illustrate the differences in the stages. For future information security research, we conceptualize ISB change in terms of stages and contribute a theoretical framework that can be empirically validated. In relation to practice, understanding the differences between the stages offers a foundation for identifying the stage-specific challenges that lead to non-compliance and the corresponding information security training aimed at tackling these challenges. Given that users’ ISB follows stages, although not in a specific order, identifying such stages can improve the effectiveness of information security training interventions within organizations.


Series: Computers & security
ISSN: 0167-4048
ISSN-E: 1872-6208
ISSN-L: 0167-4048
Volume: 93
Article number: 101782
DOI: 10.1016/j.cose.2020.101782
Type of Publication: A1 Journal article – refereed
Field of Science: 113 Computer and information sciences
512 Business and management
Copyright information: © 2020 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license.