
A Model-Based Framework for Detecting and Preventing Phishing Attacks in Organizations using a GRC Approach

Fahim-ullah-Hisbani and Asia Soomro

Department of Information Technology, Mehran University of Engineering and Technology, Jamshoro; Department of Data Analysis, Mehran University of Engineering and Technology, Jamshoro

Abstract

This study presents a new framework for detecting and preventing phishing attacks in organizations using a Governance, Risk, and Compliance (GRC) approach. The research looks at why phishing attacks succeed and proposes a three-layer defense system: Governance (creating anti-phishing policies), Risk Management (identifying vulnerable assets and people), and Compliance (tracking prevention efforts and reporting incidents). Unlike earlier models, the framework focuses on organizational policy development and employee vulnerability assessment alongside technical solutions. Using a design science approach, we developed this framework to help organizations build an anti-phishing culture that combines human awareness with technological protection.



Copyright ©2024 All rights reserved | ijeass.com