Cybersecurity dial

by John Bandler

Here is a quick definition of the term and explanation of cybersecurity best practices.

Cybersecurity dial definition in sumBandler's cybersecurity dial

The "cybersecurity dial" is my way of conceptualizing that individuals and organizations choose their level of cybersecurity, as if they are turning a knob dial and picking a setting from zero to eleven.

A level of cybersecurity is chosen based upon risks and risk tolerances, then other choices are made about practices and measures to improve cybersecurity and prevent cybercrime.

Cybersecurity dial best practices in sum

Dials still exist, even in today's digital world. Zero is typically the off position, and most dials go to ten, but this dial goes to eleven in honor of the classic movie, "This is Spinal Tap" (see link below). The extremes are unreasonable for anyone, so 0, 11, 1, and 10 are probably not reasonable settings.

Organizations who have never given formal thought to cybersecurity or their cybersecurity program might need to worry if they are at zero, or close to it.

Then organizations need to think about what their risk levels are, and what they can tolerate. Risk can be a highly subjective concept, though many will try to quantify it. But we can use it this conceptual exercise as an opportunity to evaluate cybercrime threats, our current cybersecurity posture, and our desired cybersecurity posture, and always how we can improve upon things.

As we evaluate our current and desired dial position, questions we can ask include:

  • What is our knowledge and awareness level, in order to make accurate assessments of our current dial setting and desired setting?
    • This includes knowledge of technology, cybersecurity, cybercrime, legal requirements
  • For individuals, how would we break it down within the Four Pillars of Cybersecurity, including
    • Knowledge and awareness, device security, data security, network and Internet use security
  • For organizations, we can also apply the Four Pillars of Cybersecurity, but need to get into more formality
  • Is there a cybersecurity program, with formal documentation (policies, procedures, other internal rules)?
  • Is the formal documentation properly followed and kept updated?
  • Are organization members trained on cybersecurity and cybercrime threats and internal rules?
  • Does the organization properly understand and comply with applicable laws relating to cybersecurity?
  • How would we want to describe our current dial setting and desired dial setting to customers, clients, a government regulator? Can we proved that desired description honestly and be able to defend it?
  • What are the risks we face?
    • Do we properly understand the concepts of risk and how to properly manage risk? (see my other article)
    • What are the threats we face? What are the potential harms that could befall us? How probable are they? How serious would they be? What can we do to manage those risks?
    • Some factors increase our risks, and also our legal duties

Other applications

This dial concept can be applied to many areas, including:

  • cybersecurity
  • physical security and physical safety
  • privacy
  • risk management
  • any other area of life that is not binary (on/off) but a gradation or continuum within two extremes.

Related terms

About this key term definition article

I have decided to experiment by creating short webpages to provide definitions and best practices for certain key terms. This is one of those webpages.

These are terms that I have explained or defined dozens or even hundreds of times in my life, either through conversation or in writing.

So I thought it would be helpful to make them available online. After explaining the term I try to explain best practices relating to those terms. These are terms or guidance that may appear in my cybersecurity policies.


This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform, you assume all risk for cybersecurity decisions you make. This is a work in progress. This is a limited amount of words.

I may explain nuances further in other articles, or one of my books. I can only convey limited information in a limited, short blog article.

Other experts may have differing opinions. Ask ten different IT or IS experts, you will get eleven or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.


If your organization needs help with improving its cybersecurity, feel free to contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

This short key term article will not be made available on

Originally posted 3/30/2023, updated 6/23/2023.