Executives fund what they can see. They see patch rates, incident counts, mean time to detect, and mean time to respond.

What they rarely see is the reality inside the control room when an incident hits. They do not see operators juggling dozens of alerts, unclear priorities, and production pressure while trying not to make a mistake.

Cognitive overload is treated as a vague human factor instead of a concrete risk. As long as it stays abstract, it stays underfunded. If you want serious investment in fixing overload, you have to make it visible. That means treating it like any other part of cybersecurity: define it, measure it, and report it.

Why Traditional Cyber Metrics Ignore Human Reality

Most cyber dashboards are tool-centric. They show how many vulnerabilities were closed, how many attacks were blocked, how fast the team responded, and how many incidents were classified and closed. These numbers matter, but they hide something critical. They do not tell you what operators were experiencing during those events.

You can have a “fast response” on paper that was in fact a lucky guess. You can have a “contained incident” where the operator missed three early warnings. You can have a “clean shift” where dozens of alerts were ignored out of exhaustion.

If you never measure the strain on the human side, you will convince yourself that the system is working because the reports look green. Then one day, when conditions are slightly worse than usual, the same overloaded humans will miss something they normally catch. You will call it human error. In truth, it was accumulated pressure that nobody bothered to measure.

Signals That Your Operators Are Overloaded

You do not need advanced psychology to see cognitive overload. It leaves simple, measurable traces in your environment.

Common signals include late acknowledgments, dropped alerts, and increasing dependence on a few “hero” operators who can still think clearly in the noise. You might see frequent “near misses” where an issue was noticed but not acted on in time. You might see rising pushback on drills and training because people feel they are already drowning.

Complaints like “the tools are noisy” or “nothing ever happens from these alerts” are not laziness. They are data points. They show that your system is asking too much from human attention and delivering too little value in return. None of this is a personal failure. These are symptoms of a design that pushes cognitive load onto operators instead of managing it.

Practical Metrics You Can Actually Track

The goal is not to create a psychological research project. The goal is to turn overload into numbers that can sit on the same dashboard as your technical metrics. You can start with the data you already have.

Alerts per operator per shift – Count how many alerts are presented to each operator, on average, during a day or night shift. There is a point where this number stops being information and starts being pressure. Percentage of alerts that lead to action – Out of all alerts generated, how many actually trigger a ticket, change, call, or clear operational step. A very low percentage tells you that most of what you show operators is noise.

Time from alert to human acknowledgment – Measure how long it takes from the moment an alert appears to the moment a human interacts with it. When this delay grows over time, it is a strong sign that people are saturated. Number of simultaneous alarms during incidents – When an incident occurs, count how many alerts fire in the same short window. If every serious event produces an alert storm, you can expect confusion, not clarity. Procedure steps skipped during drills – In exercises, record which steps are regularly skipped or improvised. That is where cognitive load is too high, or the design is too weak.

These metrics are not perfect, but they are practical. They move the discussion from “people are overwhelmed” to “here is the overload pattern in numbers.” That is a language executives understand.

Turning Findings Into Design Changes

Metrics are worthless if they do not lead to decisions. Once you see clear signs of overload, you have to change the environment around the operators. Otherwise, you are just documenting stress.

Concrete responses that actually reduce overload include reducing or merging alert types that almost never lead to action, adjusting shift staffing so the most complex periods have enough eyes on the system, and splitting responsibilities so one person does not carry process, safety, and security at the same time.

On the interface side, you can improve the visual hierarchy on key screens so critical information is not buried. You can tune automation logic to group related events into one meaningful incident instead of dozens of fragmented alerts.

Each of these is a technical or design choice. None of them rely on telling humans to “be more careful.” That is the mental shift you want leadership to make. Cognitive overload is not an attitude problem. It is an engineering problem.

Reporting Cognitive Risk to Executives

If you want leaders to care, you have to present cognitive overload like any other risk: clearly, concretely, and in terms of impact. You do not walk into a meeting and say, “Operators are stressed.” You say: At our current alert volume per shift, the chance of a critical alert being missed is high.

Less than ten percent of our alerts lead to action, which means ninety percent of what we show operators is noise.

During our last incident, more than forty alerts fired in five minutes. The key alert was noticed only after eighteen minutes.

Then you draw a straight line from these facts to outcomes they already worry about: risk of unplanned downtime, risk of safety impact, risk of environmental damage, and risk of public incident and regulatory attention.

You are not asking for sympathy for operators. You are showing that cognitive overload is a condition that weakens every other control they have approved and funded.

From Blame to Design

The usual pattern after an incident is always the same. Analyse the timeline. Find the point where a human missed a signal or made a bad decision. Label it human error and move on.

It is a simple story, but it is lazy. It ignores the environment that produced that mistake.

Once you treat cognitive overload as a metric, you can tell a more honest story. You can say that at the time of the missed alert, the operator had already processed over two hundred alerts that shift. You can show that the key alert arrived during a burst of thirty other messages. You can show that the message itself used vague wording and weak visual priority. Now it becomes clear that the system set that person up to fail. The goal is not to remove accountability. It is to put responsibility where it belongs. If your design, alert strategy, and staffing model overload human attention, you cannot be surprised when attention fails.

**Making Human Limits Part of Cybersecurity

**

Cognitive overload will never vanish from OT. The work is complex and continuous. Systems are noisy. Production pressure is built into the business model.

The mistake is treating human limits as something outside cybersecurity, something you acknowledge in a training slide and then forget. Human limits sit right in the middle of your defence.

When you design alerts around human attention, train under realistic cognitive load, and measure overload as a risk, you stop treating the human element as an infinite buffer. You start treating it as a critical part of the system that has to be engineered and protected.

Tools, processes, and humans either work together or fail together. Measuring cognitive overload is how you acknowledge that connection. Once you see it clearly, you can finally stop saying “human error” as if it explains anything, and start fixing the conditions that produce it. That is not a kindness to operators. It is a hard requirement for secure and safe OT.

*About Author *

Muhammad Ali Khan ICS/ OT Cybersecurity Specialist - AAISM | CISSP | CISA | CISM | CEH | ISO27001 LI | CHFI | CGEIT | CDCP