A Model-Based Framework for Detecting and Preventing Phishing Attacks in Organizations Using a GRC Approach
Author(s)
Asia Soomro, Fahimullah Hisbani
Pages: 23-31 | DOI: 10.5281/zenodo.16932743
Abstract
This study presents a new framework for detecting and preventing phishing attacks in organizations using a Governance, Risk, and Compliance (GRC) approach. The research examines why phishing attacks succeed and proposes a three-layer defense system: Governance (creating anti-phishing policies), Risk Management (identifying vulnerable assets and people), and Compliance (tracking prevention efforts and reporting incidents). Unlike earlier models, the framework focuses on organizational policy development and employee vulnerability assessment alongside technical solutions. Using a design science approach, we developed this framework to help organizations build an anti-phishing culture that combines human awareness with technological protection.
Keywords
Phishing detection, Cyber security framework, Social engineering, GRC model, Organizational security, Security policy, Risk assessment, Compliance monitoring