Module/Workshop

Physical and Cognitive Ergonomics

7 Lessons

This is the fourth and final module in the Cyber-Physical Industry course; however, it can be taught as a standalone module. The purpose of this module is to introduce students to physical and cognitive ergonomics (human factors), and explain why this discipline is so critical for cybersecurity management. The lessons relate musculoskeletal, metabolic, environmental, and cognitive aspects of performance to contextual risk. The lessons learned are applied to the design of safe, secure, reliable Human-Machine Interfaces (HMIs) in industrial environments. Finally, common research methods used to determine whether improvements have occurred as a result of training or other interventions are explained, with practical examples.

Learning Objectives
  • Explain the elements that impact human performance, and how ergonomics is important for cybersecurity
  • Explain function allocation, and how to apply it
  • Explain why L5/S1 is so important, and use Bloswick’s approximation to estimate the compressive force on L5/S1 and the NIOSH Lifting Equation to determine recommended weight limits for lifting
  • Describe and apply metrics or techniques for assessing heat stress and cold stress
  • Apply Fitts's Law, the Hick-Hyman Law, design affordances, and/or Gestalt principles to design effective Human-Machine Interfaces (HMIs)
  • Use NASA TLX to evaluate subjective cognitive workload
  • Apply Situation Awareness (SA) to a task or activity
  • Use common parametric and nonparametric statistical inference techniques to determine whether or not an improvement has occurred
Faculty Instructions

This module has been designed with configurability in mind. Optional homework assignments and additional assessment opportunities are outlined in each lesson plan, but can be incorporated or left out entirely at the discretion of the instructor (with no adverse effect).

This module also contains one exam with 8 short-answer questions, and three lab exercises that can be completed in one or two 50-60 minute sessions. They are:

  • 4D – Hicks Law and the Nature of Choice
  • 4E/4F – Designing Safe and Secure HMIs
  • 4D/4G – Fitts Law
Files
Physical and Cognitive Ergonomics Module Description
Module 4 Exam
Module 4 Exam Answer Key

* NICE Cybersecurity Workforce Framework KSAs Addressed
  • K0004: Knowledge of cybersecurity principles.
  • K0036: Knowledge of human-computer interaction principles.
  • K0053: Knowledge of measures or indicators of system performance and availability.
  • K0120: Knowledge of how information needs and collection requirements are translated, tracked, and prioritized across the extended enterprise.
  • K0146: Knowledge of the organization's core business/mission processes.
  • K0164: Knowledge of functionality, quality, and security requirements and how these will apply to specific items of supply (i.e., elements and processes).
  • K0245: Knowledge of principles and processes for conducting training and education needs assessment.
  • K0246: Knowledge of relevant concepts, procedures, software, equipment, and technology applications.
  • K0252: Knowledge of training and education principles and methods for curriculum design, teaching and instruction for individuals and groups, and the measurement of training and education effects.
  • K0309: Knowledge of emerging technologies that have potential for exploitation by adversaries.
  • K0329: Knowledge of statistics.
  • K0335: Knowledge of current and emerging cyber technologies.
  • K0436: Knowledge of fundamental cyber operations concepts, terminology/lexicon (i.e., environment preparation, cyber attack, cyber defense), principles, capabilities, limitations, and effects.
  • K0437: Knowledge of general SCADA system components.
  • K0511: Knowledge of organizational hierarchy and cyber decision making processes.
  • K0612: Knowledge of what constitutes a “threat” to a network.
  • S0010: Skill in conducting capabilities and requirements analysis.
  • S0021: Skill in designing a data analysis structure (i.e., the types of data your test must generate and how to analyze those data).
  • S0030: Skill in developing operations-based testing scenarios.
  • S0038: Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
  • S0050: Skill in design modeling and building use cases (e.g., unified modeling language).
  • S0060: Skill in writing code in a currently supported programming language (e.g., Java, C++).
  • S0085: Skill in conducting audits or reviews of technical systems.
  • S0109: Skill in identifying hidden patterns or relationships.
  • S0134: Skill in conducting reviews of systems.
  • S0228: Skill in identifying critical target elements, to include critical target elements for the cyber domain.
  • S0256: Skill in providing understanding of target or threat systems through the identification and link analysis of physical, functional, or behavioral relationships.
  • S0278: Skill in tailoring analysis to the necessary levels (e.g., classification and organizational).
  • A0009: Ability to apply supply chain risk management standards.
  • A0026: Ability to analyze test data.
  • A0030: Ability to collect, verify, and validate test data.
  • A0034: Ability to develop, update, and/or maintain standard operating procedures (SOPs).
  • A0035: Ability to dissect a problem and examine the interrelationships between data that may appear unrelated.
  • A0040: Ability to translate data and test results into evaluative conclusions.
  • A0064: Ability to interpret and translate customer requirements into operational capabilities.
  • A0085: Ability to exercise judgment when policies are not well-defined.
  • A0101: Ability to recognize and mitigate cognitive biases which may affect analysis.
  • A0107: Ability to think like threat actors.
  • A0108: Ability to understand objectives and effects.
  • A0116: Ability to prioritize and allocate cybersecurity resources correctly and efficiently.
  • A0118: Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
* NSA/DHS Center of Excellence (CAE) KUs Addressed
  • Basic Data Analysis
  • Basic Scripting or Introductory Programming
  • Probability and Statistics
  • Industrial Control Systems

* Most courseware content maps to NIST NICE Cybersecurity Workforce Framework (NCWF) Knowledge, Skills, and Abilities (KSAs) and/or NSA/DHS CAE Knowledge Units (KUs). For more information on KSAs and KUs, please visit:

KSAs: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

KUs: https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_2019_Knowledge_Units.pdf