What are Cyber Security Levels (SLs)?
The ISA/IEC 62443 cybersecurity standard defines five Security Levels (SLs), numbered SL 0 to SL 4.
Each level describes an increasing degree of protection that an industrial automation and control system (IACS) zone or conduit must provide against cyber threats, expressed in terms of the attacker it is expected to withstand:
- SL 0: No specific requirements or protection needed (essentially no security).
- SL 1: Protection against casual or coincidental violation.
- SL 2: Protection against intentional violation using simple means with low resources, generic skills, and low motivation.
- SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills, and moderate motivation.
- SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills, and high motivation.
These definitions are written in terms of the attacker's skills, resources, and motivation. That gives some guidance on the level of effort needed to keep such an attacker out, but it says nothing about what happens if the attacker succeeds, which makes it hard to compare a cybersecurity risk with the other risks a corporation faces (and invests in preventing).
For that reason, many corporations use a "consequence-based" Security Level definition instead, such as the following:
- SL 0: No specific requirements or protection needed.
- SL 1: Nothing or a mild inconvenience. A nuisance alarm; someone spends some time investigating.
- SL 2: Production affected. Production slows, quality suffers, scrap increases, and maintenance costs rise (labour hours and parts).
- SL 3: Production halted and/or equipment damaged. Production stops and capital expenditure is required.
- SL 4: Risk of death and/or destruction of major equipment. May include explosion, fire, or environmental disaster.
Since the cost of each consequence can be estimated, the company's standard loss criteria can be applied, and the cost of mitigation measures can be compared with that of other corporate risks on the same basis. The SL 4 band is the exception: harm to people or the environment is judged against the company's safety and environmental risk criteria, not against a cost comparison alone.
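The following script, added here as an illustration and not part of the PERA page or of IEC 62443, shows how a consequence-based SL assignment can be put to work: each risk is placed in an SL band from its estimated loss per event, cyber and non-cyber risks are ranked on one scale (annual loss expectancy), and a proposed mitigation is accepted or rejected by comparing its yearly cost with the expected loss it removes. The loss thresholds, frequencies, scenarios and residual-risk figures are all assumed for the example; a real deployment would substitute the company's own loss criteria and risk register. Safety or environmental impact is treated as a hard override to SL 4, where the cost comparison does not apply.

```python
"""Consequence-based SL assignment and cost comparison (added example).

All thresholds, scenarios and frequencies below are assumed placeholders,
not figures from the PERA page or from IEC 62443.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed company loss criteria: upper bound (USD per event) of each band.
# SL 4 has no cost bound: it is reached by safety/environmental impact, or by
# a loss larger than the SL 3 band (destruction of major equipment).
LOSS_BANDS = [(0, 0.0), (1, 10_000.0), (2, 500_000.0), (3, 5_000_000.0)]


@dataclass
class Risk:
    name: str
    loss_per_event: float                  # estimated direct cost of one occurrence
    events_per_year: float                 # assumed frequency
    safety_or_environmental: bool = False  # death, explosion, fire, release
    cyber: bool = True                     # False for conventional corporate risks


def consequence_sl(r: Risk) -> int:
    """Map a risk to its consequence-based SL band using LOSS_BANDS."""
    if r.safety_or_environmental:
        return 4  # safety impact sets SL 4 regardless of the cost figure
    for sl, upper in LOSS_BANDS:
        if r.loss_per_event <= upper:
            return sl
    return 4  # loss beyond the SL 3 band: destruction of major equipment


def annual_loss_expectancy(r: Risk) -> float:
    """Expected loss per year: loss per event times events per year."""
    return r.loss_per_event * r.events_per_year


def mitigation_decision(r: Risk, mitigation_cost_per_year: float,
                        residual_fraction: float) -> tuple[bool, str]:
    """Decide whether a mitigation pays for itself.

    residual_fraction is the fraction of the original event frequency that
    remains after the mitigation (0.25 means events are cut by 75%).
    For SL 4 risks the decision is handed to safety criteria, not cost.
    """
    if consequence_sl(r) == 4:
        return True, "SL 4: safety/environmental consequence, cost comparison does not apply"
    saved = annual_loss_expectancy(r) * (1.0 - residual_fraction)
    verdict = saved >= mitigation_cost_per_year
    return verdict, f"saves {saved:,.0f}/yr against {mitigation_cost_per_year:,.0f}/yr"


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Rank cyber and non-cyber risks together on annual loss expectancy."""
    return sorted(risks, key=annual_loss_expectancy, reverse=True)


# Constructed risk register: four IACS cyber scenarios and one conventional risk.
RISKS = [
    Risk("nuisance alarms from malformed network traffic", 2_000, 4.0),
    Risk("ransomware on historian slows batch line", 300_000, 0.2),
    Risk("unauthorised setpoint change halts line and damages pump", 2_000_000, 0.05),
    Risk("PLC logic tampering disables a safety interlock", 2_000_000, 0.01,
         safety_or_environmental=True),
    Risk("warehouse fire", 4_000_000, 0.02, cyber=False),
]

if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        kind = "cyber" if r.cyber else "other"
        print(f"SL {consequence_sl(r)}  ALE {annual_loss_expectancy(r):>10,.0f}  {kind:5}  {r.name}")
    # Assumed mitigation: segmenting the historian network for 40,000/yr,
    # cutting the ransomware scenario's frequency by 75%.
    ok, why = mitigation_decision(RISKS[1], 40_000, 0.25)
    print("historian segmentation justified:", ok, "(" + why + ")")
```

Note that the ranking puts the non-cyber warehouse fire between two cyber scenarios: once both are expressed as expected annual loss, the question "which of these should get the next mitigation budget" can be answered across the whole portfolio, which is the point of the consequence-based definition.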