
Chapter 2 – Risk Assessment

3.4 Human Resource Issues

3.4.1 Hiring and Employee Turnover

It can be difficult to find and hire qualified individuals willing to accept low-wage, part-time and/or seasonal work. If a stadium is understaffed due to this issue, then these problems could eventually be reflected through other metrics. For example, if there is not enough event staff trained to screen patrons, this might be reflected in long queue lines to enter the stadium. It is strongly recommended that venues monitor security employment levels in order to identify issues before a lack of employees begins to affect other metrics of performance.

Stadium security can also suffer due to high employee turnover. In general, at venues with proprietary staff, turnover rates are thought to be lower. Just like the inability to hire enough qualified individuals described above, problems related to high employee turnover might eventually be reflected in other metrics. But, just as above, a venue might determine how to monitor employee turnover rates in order to identify this problem as early as possible. It is strongly recommended that a venue track employee turnover rates, and address the issue if rates become so high that they adversely affect the ability of the venue to fully implement the security plan.

The issue of maintaining high quality job performance does not end with front-line or lower-level security employees. Security professionals – including managers and directors – often work multiple jobs due to the realities of today’s economy. This reality can lead to performance fatigue that becomes compounded due to managers’ decision-making responsibilities high atop the organizational chart. It is strongly recommended that a venue’s human resources department institute language into the employment contract for annual or bi-annual performance interviews with top security managers or directors. These interviews can be used to update the current occupational situation of key personnel (e.g. “How many jobs are you currently working?”), and also to quiz these personnel on key organizational,

in their current role.

It is strongly recommended that security clearly define which employees have the authority to grant credentials to employees, media and other groups, and that the credentialing process be written down and reviewed by security. It is strongly recommended that a database of credentials granted be maintained. It is recommended that entries in this database be randomly audited to ensure that credentials are being properly disseminated.

| Questions | Metrics |
|---|---|
| What is the monthly/yearly employee turnover rate for various positions? | % |
| What are current staffing levels and estimated current staffing needs? | Comparison |
| Is it clear who has the authority to grant credentials? | Y/N |
| Is a database of credentials maintained? | Y/N |
| Are credentials randomly audited to ensure proper distribution? | Y/N |

3.4.2 Insider Threat

Employees naturally have easier access to the venue, the players, and the overall security plan than does the average event-day patron or other outsiders. Attacks by insiders may be more difficult to detect and deter and ultimately may be more likely to succeed compared to attacks by others. For this reason, it is strongly recommended that a venue consider how to limit the threat of an insider attack. For example, a venue could use background checks prior to employment combined with monitoring and occasionally updating background checks during employment. It is suggested that the updating of background checks be done at random as well as whenever there are indicators that a re-check is warranted (e.g. employees who show up driving expensive vehicles clearly outside their apparent economic means). Venue security can work with the human resources group to let employees and event staff know that this process is in place and what can happen if a person fails the background check. As another way to limit the threat of an insider attack, it is strongly recommended that a venue limit the access of employees to only what is determined necessary for their specific job. Some metrics that could be used to gauge the threat of an insider attack are the number of employees with certain levels of access, such as access to computing systems, and the strength of the background check that they have been through.

Metrics can also be developed to assess how well internal monitors recognize unusual employee behavior. This second metric could be part of a red-team exercise or training game. For example, third party consultants could attempt to access certain areas or do something that would pose a threat if they had malicious intent, and they could be rewarded if they successfully do so without setting off employee monitors that are in place.

Former employees also pose a risk because of their possibly detailed knowledge of the security plan, as long as it remains unchanged since their employment, as well as their potential possession of ID badges and employee uniforms. One metric available to measure this threat is the repossession rate of such items. A second metric is the ability of an individual to gain access to the facility without proper credentials. This can be tested, via red-teaming, not just at initial employee entrances, but also at secondary checkpoints. Details about how to set up this red-teaming can be found in the appendix.

| Questions | Metrics |
|---|---|
| What is the number of access levels? | # |
| Can a red-team access off-limit areas? | Y/N |
| What are the repossession rates of terminated employees’ badges/keys/uniforms/etc. | % |
| Can a red-team access the venue, or pass through secondary screening, with outdated or terminated credentials? | Y/N |
| Are repeated background checks run on potential employees? If so, how often? | Y/N, Freq. |