Sanctions are advocated by major cybersecurity management standards. The leading theory of sanctions is Deterrence Theory (DT), which is one of the most studied theories in information systems (IS) security. However, sanctions under DT may lead to difficulties in cybersecurity, including potential side effects due to the monitoring required. Recently, the concept of passive sanctions has been suggested as an alternative viewpoint on sanctions that does not rely on DT. Passive sanctions show promise, as they may sidestep the negative impacts associated with DT and can be applied in cases where monitoring is virtually unfeasible. In this paper, I further develop the theory of passive sanctions. In contrast to DT's statistical explanations, which focus on statistical generalization within the population, I propose that the theory of passive sanctions consists of stages and mechanisms that provide 'how possible' explanations, making a phenomenon possible.