A Case Study of Phishing Incident Response in an Educational Organization

Kholoud Althobaiti; Adam D.G. Jenkins; Kami Vaniea

doi:10.1145/3476079

A Case Study of Phishing Incident Response in an Educational Organization

Kholoud Althobaiti, Adam D.G. Jenkins, Kami Vaniea

Research output: Contribution to journal › Article › peer-review

Abstract

Malicious communications aimed at tricking employees are a serious threat for organizations, necessitating the creation of procedures and policies for quickly respond to ongoing attacks. While automated measures provide some protection, they cannot completely protect an organization. In this case study, we use interviews and observations to explore the processes staff at a large University use when handling reports of malicious communication, including how the help desk processes reports, whom they escalate them to, and how teams who manage protections such as the firewalls and mail relays use these reports to improve defenses. We found that the process and work patterns are a distributed cognitive process requiring multiple distinct teams with narrow system access and tactic knowledge. Sudden large campaigns were found to overwhelm the help desk with reports, greatly impacting staff's workflow and hindering the effective application of mitigations and the potential for reflection. We detail potential improvements to ticketing systems and reflect on ITIL, a common framework of best practice in IT management.

Original language	English
Article number	338
Number of pages	32
Journal	Proceedings of the ACM on Human-Computer Interaction
Volume	5
Issue number	CSCW2
DOIs	https://doi.org/10.1145/3476079
Publication status	Published - 18 Oct 2021

Keywords

distributed cognition
ITIL framework
phishing
phishing incident
phishing management
reactive security

Access to Document

10.1145/3476079Licence: All Rights Reserved

https://dl.acm.org/doi/10.1145/3476079Licence: All Rights Reserved

Cite this

@article{9753295d44ce486cb5b393f89480415d,

title = "A Case Study of Phishing Incident Response in an Educational Organization",

abstract = "Malicious communications aimed at tricking employees are a serious threat for organizations, necessitating the creation of procedures and policies for quickly respond to ongoing attacks. While automated measures provide some protection, they cannot completely protect an organization. In this case study, we use interviews and observations to explore the processes staff at a large University use when handling reports of malicious communication, including how the help desk processes reports, whom they escalate them to, and how teams who manage protections such as the firewalls and mail relays use these reports to improve defenses. We found that the process and work patterns are a distributed cognitive process requiring multiple distinct teams with narrow system access and tactic knowledge. Sudden large campaigns were found to overwhelm the help desk with reports, greatly impacting staff's workflow and hindering the effective application of mitigations and the potential for reflection. We detail potential improvements to ticketing systems and reflect on ITIL, a common framework of best practice in IT management. ",

keywords = "distributed cognition, ITIL framework, phishing, phishing incident, phishing management, reactive security",

author = "Kholoud Althobaiti and Jenkins, {Adam D.G.} and Kami Vaniea",

note = "Funding Information: We thank the IS teams who allowed us to conduct this study. We also thank Maria Wolters and TULiPS lab members for their feedback and discussion on the observations. This research was funded in part by a Google Faculty Research Award. Publisher Copyright: {\textcopyright} 2021 ACM.",

year = "2021",

month = oct,

day = "18",

doi = "10.1145/3476079",

language = "English",

volume = "5",

journal = "Proceedings of the ACM on Human-Computer Interaction",

issn = "2573-0142",

publisher = "Association for Computing Machinery (ACM)",

number = "CSCW2",

}

TY - JOUR

T1 - A Case Study of Phishing Incident Response in an Educational Organization

AU - Althobaiti, Kholoud

AU - Jenkins, Adam D.G.

AU - Vaniea, Kami

N1 - Funding Information: We thank the IS teams who allowed us to conduct this study. We also thank Maria Wolters and TULiPS lab members for their feedback and discussion on the observations. This research was funded in part by a Google Faculty Research Award. Publisher Copyright: © 2021 ACM.

PY - 2021/10/18

Y1 - 2021/10/18

N2 - Malicious communications aimed at tricking employees are a serious threat for organizations, necessitating the creation of procedures and policies for quickly respond to ongoing attacks. While automated measures provide some protection, they cannot completely protect an organization. In this case study, we use interviews and observations to explore the processes staff at a large University use when handling reports of malicious communication, including how the help desk processes reports, whom they escalate them to, and how teams who manage protections such as the firewalls and mail relays use these reports to improve defenses. We found that the process and work patterns are a distributed cognitive process requiring multiple distinct teams with narrow system access and tactic knowledge. Sudden large campaigns were found to overwhelm the help desk with reports, greatly impacting staff's workflow and hindering the effective application of mitigations and the potential for reflection. We detail potential improvements to ticketing systems and reflect on ITIL, a common framework of best practice in IT management.

AB - Malicious communications aimed at tricking employees are a serious threat for organizations, necessitating the creation of procedures and policies for quickly respond to ongoing attacks. While automated measures provide some protection, they cannot completely protect an organization. In this case study, we use interviews and observations to explore the processes staff at a large University use when handling reports of malicious communication, including how the help desk processes reports, whom they escalate them to, and how teams who manage protections such as the firewalls and mail relays use these reports to improve defenses. We found that the process and work patterns are a distributed cognitive process requiring multiple distinct teams with narrow system access and tactic knowledge. Sudden large campaigns were found to overwhelm the help desk with reports, greatly impacting staff's workflow and hindering the effective application of mitigations and the potential for reflection. We detail potential improvements to ticketing systems and reflect on ITIL, a common framework of best practice in IT management.

KW - distributed cognition

KW - ITIL framework

KW - phishing

KW - phishing incident

KW - phishing management

KW - reactive security

UR - http://www.scopus.com/inward/record.url?scp=85117930526&partnerID=8YFLogxK

U2 - 10.1145/3476079

DO - 10.1145/3476079

M3 - Article

AN - SCOPUS:85117930526

VL - 5

JO - Proceedings of the ACM on Human-Computer Interaction

JF - Proceedings of the ACM on Human-Computer Interaction

SN - 2573-0142

IS - CSCW2

M1 - 338

ER -

A Case Study of Phishing Incident Response in an Educational Organization

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this