SMotW #19: employee turnover/absenteeism

Security Metric of the Week #19: rate of change in employee turnover and/or absenteeism

In most organizations, employee turnover rumbles along at a 'normal' rate most of the time, due to the routine churn of people joining and leaving the organization.  Likewise, there is a 'normal' rate of absenteeism, due to sickness, holidays/leave and unexplained absences.  Big changes (especially sudden increases) in either set of numbers suggest the possibility that information security risks associated with disaffected or malicious employees might6 have substantially increased, in other words increased turnover and absenteeism may be indicators of a discontented workforce voting with their feet, or indeed of management sacking loads of employees.

Of course there are many reasons why people leave the organization or are temporarily absent, aside from discontent and redundancy, hence the metric is unlikely to be particularly useful in isolation.  We refer to it as an indicator, since an adverse change signals or indicates a situation that merits further investigation to determine the likely reasons.

We calculated the following PRAGMATIC score for this metric:

P
R
A
G
M
A
T
I
C
Score
60
66
20
85
60
80
75
80
91
69%




Being an indicator means it is fairly Predictive and Relevant to information security, but not very Actionable (if only there was some simple and straightforward thing that management could do to improve morale!).  

Assuming that the raw numbers are available from HR (and possibly Procurement if you account for the comings and goings of consultants and contractors, as well as employees), they are likely to be both Genuine and Independent.  

The score for Meaning suffers because of the need to investigate and explain changes in the metric, while the Timeliness suffers because of the inevitable delays in gathering, analyzing, presenting and using the numbers.

In comparison to most other measures of the morale and contentedness of the workforce, this metric has the merit of being low Cost to gather although as we said the analysis does involve a bit of digging to determine the likely reasons for sudden changes, so it is not exactly free.

Organizations that employ seasonal workers and have greater 'normal' variations in employee numbers could still use this kind of metric by normalizing the statistics over successive years, assuming sufficient historical data are available.  You can probably picture a scattergram-type graph showing employee numbers through the year, with a smoothed curve following the mean level and a range of values at any point based on historical data.  Highlighting this year's curve and particularly the current/latest value against the mean and  usual range should show whether or not things are ticking along nicely, or something unusual is going on.

Although the overall PRAGMATIC score of 69% is hardly outstanding, this metric does feature in the top three HR-related information security metrics in our example set.  The HR security maturity metric that we discussed recently on this blog scored over 80% so - given the choice between those two - we would definitely expect that metric to be a better option than this one.

What HR security metrics would you prefer to use?  We welcome your suggestions of totally different metrics and variants of those we have discussed here, particularly those that you feel score substantially better on the PRAGMATIC criteria.  So, over to you ...