Theoretical Research
In our lab, we operationalize John Sweller’s cognitive load theory as an experimental framework for quantifying how working memory supports the acquisition and integration of new information during cybersecurity tasks. Drawing on the distinction between intrinsic, extraneous, and germane load, we systematically manipulate task complexity (e.g., number of simultaneous information streams), interface design (e.g., signal salience, display clutter), and training structure (e.g., worked examples versus unguided practice) to observe their effects on memory performance and error rates. These manipulations allow us to estimate the relative contribution of each load type to total cognitive workload and to identify conditions under which working memory resources become saturated.
Our experimental paradigm centers on simulated security operations center (SOC) environments in which participants perform incident detection and response tasks under varying workload and vigilance demands. During each session, participants monitor dynamic network or alert displays, triage potential threats, and execute response actions, thereby engaging continuous updating and maintenance processes in working memory. We systematically vary parameters such as event rate, signal salience, and number of concurrent alerts to induce transitions in cognitive workload and to probe the onset of vigilance decrement. Behavioral measures include detection accuracy, response time distributions, miss and false-alarm rates, and secondary-task performance, which together provide a multi-dimensional profile of cognitive load and operational effectiveness.
To capture cognitive workload more directly, we combine these behavioral metrics with psychophysiological and subjective measures. Depending on the study, we record neurophysiological indices (e.g., EEG-based workload markers or related neuroergonomic measures) and eye-tracking data (e.g., fixation patterns, pupil dilation) as converging evidence of mental effort and attention allocation.
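The behavioral measures named above (miss rate, false-alarm rate, response time) can be tracked per time block of a triage session to look for a vigilance decrement. The following Python example is added here for illustration and is not the lab's own analysis code; the trial-log layout, the 10-minute block length, and the onset criterion (`delta`) are assumptions, and the trial data are constructed.

```python
from statistics import median

# Constructed trial log, one tuple per alert shown to the operator:
# (seconds_into_session, is_threat, operator_escalated, response_time_ms)
TRIALS = [
    (30, 1, 1, 4100), (95, 0, 0, 3200), (160, 1, 1, 4400), (220, 0, 1, 5000),
    (300, 1, 1, 3900), (380, 0, 0, 3000), (450, 1, 1, 4600), (540, 0, 0, 3400),
    (640, 1, 1, 4800), (710, 0, 0, 3600), (790, 1, 0, 5200), (860, 0, 0, 3900),
    (930, 1, 1, 5100), (1010, 0, 0, 4000), (1090, 1, 1, 5500), (1170, 0, 0, 4200),
    (1230, 1, 0, 6100), (1310, 0, 0, 4500), (1400, 1, 1, 6400), (1480, 0, 1, 5800),
    (1550, 1, 0, 6900), (1630, 0, 0, 4700), (1700, 1, 1, 7000), (1780, 0, 0, 5000),
]

def block_metrics(trials, block_s=600):
    """Miss rate, false-alarm rate and median response time per time block."""
    blocks = {}
    for t, threat, escalated, rt in trials:
        blocks.setdefault(int(t // block_s), []).append((threat, escalated, rt))
    out = []
    for idx in sorted(blocks):
        rows = blocks[idx]
        threats = [r for r in rows if r[0]]
        benign = [r for r in rows if not r[0]]
        misses = sum(1 for r in threats if not r[1])       # threat dismissed
        false_alarms = sum(1 for r in benign if r[1])      # benign escalated
        out.append({
            "block": idx,
            # A block with no threats (or no benign alerts) has no defined rate.
            "miss_rate": misses / len(threats) if threats else None,
            "fa_rate": false_alarms / len(benign) if benign else None,
            "median_rt_ms": median(r[2] for r in rows),
        })
    return out

def decrement_onset(metrics, delta=0.3):
    """First block whose miss rate exceeds the first block's by at least delta.

    The criterion is an assumption made for this example, not a standard.
    """
    baseline = metrics[0]["miss_rate"] if metrics else None
    if baseline is None:
        return None
    for m in metrics[1:]:
        if m["miss_rate"] is not None and m["miss_rate"] - baseline >= delta:
            return m["block"]
    return None

if __name__ == "__main__":
    per_block = block_metrics(TRIALS)
    for row in per_block:
        print(row)
    print("decrement onset block:", decrement_onset(per_block))
```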
Survey Data
Participants also complete validated workload and affect scales (e.g., NASA-TLX, fatigue, and stress questionnaires) at predefined intervals to characterize perceived mental effort, frustration, and fatigue across conditions. These multimodal data streams enable us to relate specific task manipulations to both subjective and objective signatures of cognitive load.
Natural Language
A key element of our work involves the analysis of natural language produced during simulated operations, including chat logs, verbal protocols, and written incident reports. We preprocess these text streams and encode their content using a combination of natural language processing and formal predicate logic representations to capture propositions, roles, and relationships among entities (e.g., host, alert type, action taken). This logical formalization allows us to trace how operators represent threat information, propagate inferences, and coordinate with team members under different load conditions.
Machine Learning
We then apply machine learning models to these structured representations to estimate the weighted contribution of specific utterances, discourse patterns, and logical dependencies to overall task performance and workload indices.
Human Interaction
Across experiments, our primary outcome measures are: (a) task performance metrics (accuracy, latency, error profiles), (b) multimodal workload indicators (physiological, behavioral, and self-report), and (c) derived linguistic–logical features such as proposition density, inference chains, and coordination structures. By integrating these measures, we test hypotheses about how intrinsic task complexity, extraneous interface demands, and training-related factors jointly shape working memory utilization in real-time cyber defense scenarios. This framework positions us to evaluate both human-centered interventions (e.g., training, procedures) and automated supports (e.g., decision aids, intelligent alerting) aimed at reducing overload and enhancing resilient performance in high-stakes cyber operations.
