A Case Study of Phishing Incident Response in an Educational Organization

Kholoud Althobaiti, Adam D.G. Jenkins, Kami Vaniea

Research output: Contribution to journalArticlepeer-review


Malicious communications aimed at tricking employees are a serious threat for organizations, necessitating the creation of procedures and policies for quickly respond to ongoing attacks. While automated measures provide some protection, they cannot completely protect an organization. In this case study, we use interviews and observations to explore the processes staff at a large University use when handling reports of malicious communication, including how the help desk processes reports, whom they escalate them to, and how teams who manage protections such as the firewalls and mail relays use these reports to improve defenses. We found that the process and work patterns are a distributed cognitive process requiring multiple distinct teams with narrow system access and tactic knowledge. Sudden large campaigns were found to overwhelm the help desk with reports, greatly impacting staff's workflow and hindering the effective application of mitigations and the potential for reflection. We detail potential improvements to ticketing systems and reflect on ITIL, a common framework of best practice in IT management.

Original languageEnglish
Article number338
Number of pages32
JournalProceedings of the ACM on Human-Computer Interaction
Issue numberCSCW2
Publication statusPublished - 18 Oct 2021


  • distributed cognition
  • ITIL framework
  • phishing
  • phishing incident
  • phishing management
  • reactive security


Dive into the research topics of 'A Case Study of Phishing Incident Response in an Educational Organization'. Together they form a unique fingerprint.

Cite this