Malicious communications aimed at tricking employees are a serious threat to organisations, necessitating procedures and policies for responding quickly to ongoing attacks. While automated measures provide some protection, they cannot completely protect an organisation. In this case study, we use interviews and observations to explore the processes staff at a large University use when handling reports of malicious communication, including how the help desk processes reports, who they escalate them to, and how the teams who manage protections such as the firewalls and mail relays use reports to improve defences. We found that the process and work patterns form a distributed cognitive process requiring multiple distinct teams with narrow system access and tacit knowledge. Sudden large campaigns were found to overwhelm the help desk with reports, greatly impacting staff workflow and hindering both the effective application of mitigations and the potential for learning. We detail potential improvements to the current ticketing system, and reflect on ITIL, the framework of best practices that informed the full process.
https://doi.org/10.1145/3476079
The 24th ACM Conference on Computer-Supported Cooperative Work and Social Computing