Originally published on Medium.
What neuroscience says about signal probability and event rate in cybersecurity analysts.
I recently reviewed an article titled “Cyber Vigilance: Effects of Signal Probability and Event Rate” by Sawyer et al. (2014) (thanks to the suggestion of Dr. Josiah Dykstra) and realized its findings have direct implications for how cybersecurity teams structure their work schedules, design monitoring tasks, and manage cognitive workload. The study highlights key challenges in sustained attention, demonstrating that cybersecurity monitoring shares similarities with other vigilance-based tasks such as air traffic control and medical monitoring.
In a Nutshell
- Vigilance decrement reduces signal detection performance over time.
- Fast data streams reduce accuracy. The more rapidly security dashboards update with information, the worse analysts perform.
- When real threats are infrequent, analysts struggle to stay attentive, increasing the risk of missing critical threats.
- Analysts report high levels of mental demand, frustration, and effort, contributing to burnout and potential security gaps.
- Leadership must understand vigilance decrement, apply it to shift structures, implement AI-driven alert filtering, and introduce simulated threats to keep analysts engaged.
Understanding the Research
The study Cyber Vigilance: Effects of Signal Probability and Event Rate (Sawyer et al., 2014) examined how different factors affect cybersecurity analysts’ ability to detect threats over time. The research focused on three key variables that influence performance:
- Time on Task: The longer an analyst monitors a system, the more their attention and accuracy decline — a phenomenon common in many high-stakes vigilance tasks.
- Signal Probability: This refers to how often real threats appear in a data stream. A high signal probability means analysts encounter more actual threats, while a low signal probability means they mostly scan irrelevant or benign data.
- Event Rate: This refers to how frequently new data appears on the analyst’s screen. A fast event rate means a rapid stream of information updates, whereas a slow event rate means fewer updates over time.
The study’s goal was to understand how these variables interact and whether they impact cybersecurity analysts’ ability to identify threats accurately.
Key Findings from the Study
Analyst Performance Declines Over Time (Vigilance Decrement)
The study confirmed that performance declines as time on task increases (Sawyer et al., 2014). Analysts start strong but experience a noticeable drop in accuracy after prolonged monitoring sessions. This matches findings from other high-attention tasks such as air traffic control and medical monitoring (Warm et al., 2008).
Cybersecurity teams cannot rely on analysts maintaining the same level of accuracy throughout long shifts. Without structured interventions, missed threats are inevitable. Organizations should consider shorter, structured monitoring shifts with designated breaks to sustain optimal performance.
High Event Rates Reduce Accuracy
When analysts received more frequent data updates (fast event rate), their accuracy decreased (Sawyer et al., 2014). The sheer volume of information overwhelmed their ability to process threats efficiently.
More data does not always mean better security. Overloading analysts with constant logs and alerts will decrease their ability to focus on real threats.
Higher Signal Probability Improves Performance
When analysts encountered more real threats (high signal probability), their performance improved (Sawyer et al., 2014). They were more engaged and attentive when actual security risks were present. However, when threats were rare (low signal probability), their attention declined, leading to missed detections.
If analysts go long periods without encountering real security incidents, their ability to detect real threats when they do appear is compromised.
Mental Workload in Cybersecurity Is High
The study measured analysts’ cognitive workload using the NASA Task Load Index (NASA-TLX) and found that cybersecurity monitoring is mentally demanding and stressful (Sawyer et al., 2014). The biggest contributors to workload were:
- Mental Demand: The complexity of continuously analyzing incoming data.
- Frustration: The stress of monitoring high volumes of mostly irrelevant information.
- Effort: The energy required to sustain focus over time.
Cybersecurity teams face significant cognitive strain, increasing the risk of burnout and high staff turnover.
Considerations for Cybersecurity Leadership
Shift Structures Need to Change
Continuous, uninterrupted monitoring is ineffective.
- Implement shorter shifts and rotations to reduce vigilance decline.
- Introduce scheduled mental breaks to sustain performance.
- Consider task-switching strategies to engage different cognitive processes.
AI-Driven Filtering Can Improve Accuracy
More data is not always better.
- Use AI-powered filtering to reduce alert fatigue.
- Prioritize critical threats while suppressing unnecessary notifications.
- Introduce adaptive alerting where event rate adjusts based on workload.
Simulated Threats Can Keep Analysts Engaged
Rare threats reduce attention.
- Introduce red team exercises to simulate real security threats.
- Conduct periodic live attack drills to keep analysts engaged.
- Use automated training scenarios to reinforce real-world risk perception.
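A sketch of the adaptive alerting and drill injection described in the two sections above, as an added example that is not from the original article or from Sawyer et al.: it caps how many alerts one analyst sees per window (event rate) and swaps in labelled drills when the share of signals falls below a floor (signal probability). The `Alert` fields, `plan_window`, the thresholds and the sample queue are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass, field

@dataclass(order=True)
class Alert:
    severity: int                    # 0 = critical ... 3 = informational
    seq: int                         # arrival order, breaks ties
    name: str = field(compare=False)
    # Assumption: "signal" is set upstream for high-confidence detections.
    signal: bool = field(default=False, compare=False)
    # Drill tag is kept for scoring analyst responses afterwards.
    drill: bool = field(default=False, compare=False)

def plan_window(pending, max_events, min_signal_prob):
    """Choose what one analyst sees in the next monitoring window.

    max_events caps the event rate; min_signal_prob is a floor on the
    share of shown events that are signals. Both are tuning assumptions,
    not values from the study. Returns (shown, deferred).
    """
    ranked = sorted(pending)         # most severe first, then oldest
    shown, deferred = ranked[:max_events], ranked[max_events:]
    if not shown:
        return [], deferred
    have = sum(a.signal for a in shown)
    needed = math.ceil(min_signal_prob * len(shown)) - have
    # Swap the least severe non-signal alerts for drills, so the event
    # rate stays under the cap while signal probability rises.
    for i in range(len(shown) - 1, -1, -1):
        if needed <= 0:
            break
        if not shown[i].signal:
            deferred.append(shown[i])
            shown[i] = Alert(1, shown[i].seq, "DRILL: simulated intrusion",
                             signal=True, drill=True)
            needed -= 1
    return sorted(shown), sorted(deferred)

def signal_probability(events):
    """Fraction of events that are signals (real or simulated)."""
    return sum(a.signal for a in events) / len(events) if events else 0.0

# Constructed sample queue: ten low-value alerts and no real threat.
SAMPLE = ([Alert(3, i, f"info-{i}") for i in range(6)]
          + [Alert(2, i, f"policy-{i}") for i in range(6, 10)])
```

With a real high-severity signal already in the queue, no drill is injected; displaced alerts go to the deferred list rather than being dropped.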
Mental Health and Burnout Prevention Must Be Prioritized
Cybersecurity is mentally demanding — support is critical.
- Provide stress management resources and encourage psychological safety in the workplace.
- Monitor analyst fatigue using real-time tracking tools like eye-tracking or EEG-based cognitive workload monitors.
- Ensure leadership understands the impact of high workloads on security performance.
Cognitive fatigue, alert overload, and low threat engagement reduce security effectiveness. Optimizing shift structures, using AI for alert management, incorporating simulated threats, and prioritizing mental health can enhance both security performance and analyst well-being, creating a more sustainable cybersecurity approach.