Shimon

Data Hoarding Is Incentive-Optimal
Data is rarely deleted. It persists in warehouses, backups, and replicated environments long after its purpose has faded. Teams hesitate to remove it—what if it’s needed later, what if deletion breaks something, what if it becomes valuable again. The safer...
The Risk Register Is Not a Document
By the time the quarterly risk review arrived, the register looked polished. Each entry had an owner, a score, a treatment status, and a target date. The color coding was clean, the categories were complete, and the summary slides translated...
Designing for Governance Is a Game You’re Already Playing
Governance is often treated as a structure applied after the fact—policies written, controls implemented, approvals enforced, and compliance measured against defined procedures. The underlying assumption is that once rules exist, behavior will naturally align to them. Yet the same patterns...
The Point Where Data Stops Paying for Itself
Data collection rarely presents itself as a decision. It accumulates. New fields are added to forms, logs are retained indefinitely, and integrations expand quietly across systems. Each addition is justified in isolation—future analytics, potential insight, optionality. The marginal cost appears...
Multi-Factor Authentication
The organization had already implemented multi-factor authentication across its core systems, at least on paper. Engineering teams had integrated MFA into primary authentication flows, and audit reports reflected broad coverage across in-scope applications. From a distance, the control appeared complete....
When Dashboards Lie
The dashboard shows improvement. Metrics trend in the expected direction, risk levels appear stable, and control coverage looks complete across the environment. Executive summaries communicate consistency, operational indicators remain within threshold, and governance reporting suggests that remediation efforts are progressing...
The Economics of Delay
The risk is known, the remediation path is defined, and the underlying exposure has already been acknowledged through governance processes. Still, the work does not begin. It is deferred to the next sprint, the next planning cycle, or a future...
When Risk Becomes a Market
Every risk is documented, scored, and placed into a register that suggests order, comparability, and rational prioritization. Severity is quantified, likelihood estimated, and governance frameworks imply that attention will naturally flow toward the most consequential exposures. On paper, the system...
Incentive Design in a World Without Perfect Information
The incentives are clear, the expectations are defined, and the governance structure appears aligned. Teams are told what matters, how performance will be measured, and which outcomes are expected. Dashboards track progress, metrics are reviewed regularly, and accountability mechanisms are...
The Cost of Certainty
The system is already controlled, the risk is already reduced, and the outcome is already within acceptable bounds. Still, the question persists in a quieter and more persistent form: Can we be more certain? Another control is added, another validation...