HSBC is one of the world's leading banks, serving millions of customers worldwide. As concerns about data breaches grow, HSBC started adding security awareness courses for its employees. The courses should be fun and interactive, but also encourage people to learn and make them aware of the risks.
- Improvers (high-risk users): specifically HSBC employees who failed the phishing test and need to complete compulsory remediation training, which has to be tracked and recorded for compliance. High-risk users require the most training and must sit all modules.
- New starters at HSBC, who require general training on how to spot and avoid social engineering attacks. New starters need an intermediate / general level of training, perhaps skipping some lessons / modules we categorise as basic (unless they self-diagnose as needing a deeper level of training, in which case they are classified as high-risk users).
- Ad-hoc learners with a specific just-in-time (JIT) learning need around social engineering, which they can access without completing a whole course / module. JIT learners can pick and choose the training they do, according to their specific needs.
How employees progress over time
New employees go through the diagnostic tool and receive a custom set of preset lessons; after two months they start receiving lessons tailored to their profile.
JIT learners are profiled and get tailored lessons straight away.
Here we've laid out three user personas and the stories behind them.
Say hello to your cyber self
The journey starts with a quiz that creates a persona based on your answers. There is no good or bad persona, just something that defines you and tailors your experience along the way.
Based on the profile quiz (diagnostic tool) we can then tailor the content to the user's needs, balancing and focusing on their potential weaknesses and what they need to learn more about.
Following the profile quiz (diagnostic tool) users will have different
Mandatory learners vs Recommended learners vs Newcomers
We have a couple of segmented user groups that are flagged by HSBC's internal systems, so we proposed a route for each of them over a timespan of 4-6 months. We know that regular checks are run every 2-3 months, so we created a time flow showing how people are looped in and how the diagnostic tool selects tailored courses over time in each case.
Jake was flagged by the system as a high-risk user. He goes through the diagnostic tool to be profiled, but first receives the modules assigned to him as a 'High Risk' user by the system. After two months, when he comes back for some JIT or ad-hoc training, he receives modules tailored to his profile.
Marie is a regular user: she was not flagged by any security system and has maintained a consistent level on all checkups. Now she is interested in exploring more and potentially learning a few things. She represents most of our users: they do the diagnostic tool (the profile quiz) and then receive lessons tailored to their specific persona.
Steve just joined HSBC and had similar training at his previous employer. He needs to get up to speed, starting with the newcomer modules. He goes through the diagnostic tool to create his persona, but for the first two months he only deals with the pre-defined modules, followed by the modules tailored to his profile.
The old system
We analysed the old system and asked a couple of HSBC SMEs for feedback.
What we discovered about the old system
- People were likely to scroll through without reading the content
- Employees found it plain and boring, lacking interactive experiences
- Content was too long to read; people often got lost or could not tell how much time it would take to read
- The left-hand list was confusing and didn't resemble a checklist; users could be misled into clicking to dive into each section
Experimenting with templates
To figure out which elements we would use, we started creating mockup animation concepts that could scale.
Documenting the templates' text and imagery requirements
Here are the four personas so far, before we have validated them with SMEs.
Dominant driver
- Often seen as a leader or 'type A' personality, the dominant driver is hard-working and objective-focused. Determined, decisive and confident, they get to the point and can sometimes appear insensitive and harsh
- With plenty of energy, they generally don't like being micro-managed and work most effectively when given the freedom to find the best path to meeting goals
- Being confident and objective-focused can result in carelessness, which makes them vulnerable to social engineering as a whole, and phishing in particular
- If they use their company mobile phone a lot they could be vulnerable to vishing or smishing
- A danger of being overly objective-focused is a willingness to cut corners (and breach security policy) if it's the only way of completing a task in time
- This could make them vulnerable to quid pro quo attacks, if they believe they're getting something they need
Expressive pioneer
- Optimistic, competitive, charismatic and full of energy, expressive pioneers make natural salespeople or marketeers. They're generally enthusiastic and humorous, but can also sometimes be undisciplined and disorganised
- Good at establishing relationships, they're often risk-takers and are always ready for the next challenge
- Risk-taking, occasionally undisciplined and disorganised, expressive pioneers are busy people, often thinking about the next task ahead
- This makes them somewhat vulnerable to social engineering as a whole, and phishing in particular, just like the dominant drivers
- Spotting phishing attacks takes focus and concentration, areas where the expressive pioneer may not be strongest
- If they spend a lot of time away from the office meeting clients / suppliers, they could be vulnerable to baiting
- If they use their company mobile phone a lot they could be vulnerable to vishing or smishing
Analytical introvert
- Thoughtful, serious and purposeful, analytical introverts are realists, driven by facts and data rather than emotion. Generally neat, tidy and self-disciplined, their tendency to over-analyse can lead to indecision. They respond well to encouragement and time to think, less well to pressure
- They tend to act rationally, minimising risk, but can sometimes be seen as pessimistic
- Possibly quid pro quo: they might think an offer of something for something makes sense, without considering that it could be a form of social engineering
- Analytical introverts don't respond well to pressure, and can be indecisive
- This could make them vulnerable to vishing or smishing attacks, where the attacker often tries to pressure the victim into taking action immediately
- Alternatively, perhaps they are well placed to withstand this pressure, and their indecisiveness means they don't do what the attacker is pressuring them to do
Amiable integrator
- Generally easygoing, patient and sympathetic, they tend to avoid conflict but can sometimes be stubborn or selfish. Diplomatic and calm, collaborative but prone to indecision, they're best dealt with gently
- They tend to work well in group situations, generally put the team / group first, and benefit from being encouraged to take more risks
- Tailgating: amiable integrators tend to avoid conflict, so they'll find it hard to turn around and tell an apparently friendly person behind them that they won't hold the door open for them
Every module features multiple lessons. At the end of each chapter the user can see the key takeaways from the content: small pieces of concentrated content that make learning easier.
We ran a couple of user interviews with our SMEs from HSBC. These are the people currently running the training at the company, a mix of security experts, IT engineers and training managers.
Embedded document: HSBC_Social Engineering_discovery_debrief_presentation (shared; last modified by Felix Hornoiu)
Working side by side with copywriters can turn into a chicken-and-egg situation, so to avoid that loop each side needs to make a first step. We created template wireframes for each section to preview the amount of text needed and help the copy team out.
While the content was being prepared we created a design system that not only helps this project but can scale to others by reusing the same components in different structures.
Each module has been arranged into templates for the web version.
In the Principle app we mocked up the interactions used in the project, such as the drag-and-drop lessons. For example, the one below shows how easily a hacker can build a webpage using a website-builder-like tool. The second visual shows how the hide-and-seek menu reveals itself on hover.
For testing we used an InVision link, as our stakeholders were spread all across the
We had the pleasure of working with a broad range of HSBC employees, including cyber security staff from London. We laid out notebook notes and post-it notes to cover each screen section of the journey.
Besides recording video footage of our testing via Webex, we also recorded with Otter.ai, a tool that records audio, transcribes speech to text, extracts keywords and lets you add annotations.
We gathered all our (virtual) post-it notes in Miro, a great tool for bringing teams together. As part of our team was remote, we favoured solutions that make collaboration easy and transparent.
We then split everything into three categories: Copy and Content, Design and UX, and General. From this board we exported each task into Jira and prioritised them with our project manager.
When we had the first draft of the copy we teamed up to create a big picture with every piece of copy we had so far.
At the end of the project we agreed to deliver a signed-off design templating system that can scale to the other lessons that were about to be added in the future. Part of this was establishing a naming convention with the dev team; files were made in Sketch and pushed to Zeplin with a dedicated section for each component.
The project is scheduled to go live in November 2019, available to HSBC employees across the globe, mainly in English, Chinese and Arabic.