HSBC Learning Platform (Social Engineering)


HSBC is one of the global bank leaders and it employs around 2 million customers wordlwide. As growing concerns about data breaches are real, HSBC started to add data learning courses for their employees. The theme of their courses should be fun, interactive but also encouraging to learn and make people aware.

User Groups

  1. Improvers (High risk users) , specifically HSBC employees who failed the phishing test and need to complete ‘compulsory remediation training’, which needs to be tracked and recorded for compliance. High-risk users require the most training and need to sit all modules
  2. New starters at HSBC , who require general training to know how to spot and avoid social engineering attacks. New starters require an intermediate / general level of training, perhaps skipping some lessons / modules which we categorise as basic (unless they self-diagnose as being in need of a deeper level of training, in which case they would be classified as high-risk users)
  3. Ad-hoc learners with a specific just-in-time (JIT) learning need around social engineering, which they can access without having to complete a whole course / module JIT learners can pick and choose the training they do, according to their specific needs

How empliyees go over time

New employees will go through the diagnostic tool and get a custom array of preset lessons, and after 2 months they will start receiving custom lessons over their profile

JIT Learners will be profile and get taylored lessons straight away

User Stories

Here we've layered out three user personas and the stories behind them

Say hello to your cyber self

The journey started with a quiz that created persona based on your answers, there is no good or bad persona, just something that will define you and taylor your experience along.

Based of the profile quiz (diagnostic tool) we can then taylor the content over the user needs in order to ballance and focus on their potential wekneses and what they need to learn more.

Following the profile quiz (diagnostic tool) users will have different


Mandatory learners vs Recomended learners vs Newcommers

We have a couple of segmented user groups that are flagged by HSBC's internal systems so we proposed a route for each individual over a timespan of 4-6 months. We know that constant checks are done every 2 - 3 months, so we created a time flow of how people will be looped in and how the diagnostic tool will select taylored courses over time in each case.

We have Jake here that was flagged by the system as a high risk user, he gets through the diagnostic tool in order to be profiled, but he first receives the modules assigned to him as a 'High Risk' user by the system. After two months when he will get back to do some JIT or Ad-Hoc training, he will receive taylored modules accourding to his profile.

Marie is a regular user, she was not flagged by any security system and has maintain a consistent level on all checkups. Now she is interested to explore more and pottentially learn a few things. She will represent most of our users, they will do the diagnostic tool (the profile quiz) and then will received taylored lessons over their specific persona.

Steve just joined HSBC, he had a similar training at his previous employer. He needs to get to speed starting with the newcomers modules. He goes through the diagnostic tool in order to create his persona but the first two months he deals only with the pre-defined modules, following with the tailored modules tailored over his profile.


The old system

We analised the old system and asked a couple of HSBC SME's to get feedback.

What we've discovered about the old system

  • People where likely to scroll though without reading the content
  • Employees found this plain and boring, lack of interactive experiences
  • Content was too long to read, people often got lost or could not determine how much time it would take to read
  • The left list was confusing and didn't resemble a checklist, users may be mislead and click to dive into each section


Experimenting with templates

In order to figure it out what elements we will use we started creating mockup animation concepts that can be scalable


Documenting the templates over text and imagery requirements

Content templates

User Personas

Here are the four personas so far, before we have validated them with SMEs.

Dominant driver

  • Often seen as a leader or ‘type A’ personality, the dominant driver is hard-working and objective-focused. Determined, decisive and confident, they get to the point and can sometimes appear to be insensitive and harsh
  • With plenty of energy, they generally don’t like being micro-managed and work most effectively if given the freedom to find the best path for meeting goals

Potential vulnerabilities?

  • Being confident and objective-focused can result in carelessness, which makes you vulnerable to social engineering as a whole, and phishing in particular
  • If they use their company mobile phone a lot they could be vulnerable to vishing or smishing
  • A danger of being overly objective-focused can be a willingness to cut corners (and breach security policy) if it’s the only way of completing a task in time
  • This could make them vulnerable to quid pro quo, if they believe they’re getting something they need

Expressive pioneer

  • Optimistic, competitive, charismatic and full of energy, expressive pioneers make natural salespeople or marketeers. They’re generally enthusiastic and humorous, but can also sometimes be undisciplined and disorganised
  • Good at establishing relationships, they’re often risk-takers and are always ready for the next challenge

Potential vulnerabilities?

  • Risk-takers, occasionally undisciplined and disorganised, expressive pioneers are busy people often thinking about the next task ahead
    • This makes them somewhat vulnerable to social engineering as a whole, and phishing in particular, just like the dominant drivers
  • Spotting phishing attacks takes focus and concentration, areas the expressive pioneer may not be the strongest on
  • If they spend a lot of time away from the office, meeting clients / suppliers, they could be vulnerable to baiting
  • If they use their company mobile phone a lot they could be vulnerable to vishing or smishing

Analytical introverts

  • Thoughtful, serious and purposeful, analytical introverts are realists, driven by facts and data, not emotion. Generally neat and tidy and self-disciplined, their tendency to over-analyse can lead to indecision. They respond well to encouragement and time to think, less well to pressure
  • They tend to act rationally, minimising risk, but can sometimes be seen as pessimistic

Potential vulnerabilities?

  • Maybe quid pro quo? They might think an offer of something for something makes sense, without considering it could be a form of social engineering
  • Analytical introverts don’t respond well to pressure, and can be indecisive
    • This could make them vulnerable to vishing or smishing attacks, where the attacker will often try to pressure the victim to take action immediately
    • Alternatively, perhaps they are well placed to withstand this pressure, and their indecisiveness means they don’t do what the attacker is pressuring them to do

Amiable integrators

  • Generally easygoing, patient and sympathetic, they tend to avoid conflict but can sometimes be stubborn or selfish. Diplomatic and calm, collaborative but prone to indecision, they’re best dealt with gently
  • They tend to work well in group situations and generally put the team / group first, and benefit from being encouraged to take more risks

Potential vulnerabilities?

  • Tailgating - amiable integrators tend to avoid conflict, so they’ll find it hard to have to turn around and tell an apparently friendly person behind them that they won't leave the door open for them

Module Structure

Every module will feature multiple lessons. at the end of each chapter the user can see the key takeaways from the content. Little bits of concentrated content that will make people learn much easy.


SME's meeting

We run a couple of user interviews with our SME's from HSBC. These are people who are currently running the training at the company and they where a mix from security experts, IT engineers and training managers.


Deck presentation


Working side by side with copywriters may turn into a chicken and egg kind of a situation so in order to avoid that loop every side needs to make a first step. We created templates wires for each section In order to preview the about of text needed and help the copy team out.


Design Modules

While content was prepared we created a design system that will not only help this project but can be scalable to others by reusing the same component in different structures.



Each modules have been arange to create templates for the web version,


Figma Link (in case the embed does not work)


In Principle app we mocked up the interactions used on the projects, things like the drag and drop lessons — for example in the one bellow it shows how easy is to build a webpage by a hacker using a website builder like tool. Second visual is how the hide and seek menu will reveal itself on hover.



For testing we used an invision link as our stakeholders where spread all across the

User testing

We had the pleasure to work with a broad range of HSBC employees, cyber security people from London. We layered out notebook notes and post it notes to cover each screen section of the journey.


Besides recording video footage of our testing via Webex, we also recorded with, a tool that records audio, transcribes speack to text and also extracts keywords and ability to add anotations.


Research Findings

We gathered all our (virtual) post it notes in Miro as great tool to gahther around teams. As part our team was remote we encouraged solutions that can make collaboration easy and transparent.


Soon we split up everything onto three categories Copy and Content, Design and UX and General. From this board we exported each task into Jira and prioritise them with our project manager.


Information Architure

When we had the first draft of the copy we teamed toghether to create a big picture with every piece of copy we had so far


Wireframe Templates

At the end of the project we discussed to have a signed off design templating system that can be scalable in any situation for the other lessons that where about to be added further in the future. Also part of this was to establish a naming convention with the dev team, files where made in sketch and pushed to zeplin with a special section for each component.


Project is schedule to be live in November 2019 available for HSBC employees across the globe mainly in English, Chinese and Arabic.

Thanks to Dan Wilkingson (User Researcher), Niall Maher (Designer), Ashley Manning, James Penfold and Errol Velinor (among all Rehab team!)