First Steps to Improve Cybersecurity Behaviour – a Virtual Reality Experience

Abstract

Internet is completely integrated and absorbed in our life. Facilitating transfer of files across the world or wiring money from the couch, we could not imagine a world without it anymore. With these benefits, as with any new technology, there is also the introduction of risks and threats, for internet primarily in the form of cybercrime and online fraud. To reduce victimisation of this cybercrime, interventions are used to teach people to not perform risky behaviour. To overcome criticisms of current training materials, such as being tedious and boring, we created an Immersive Virtual Reality experience. By using a 4-step design process (i.e. ideation, specification, realisation, and evaluation), we designed a playful VR environment with simplistic non player characters to train the user to perform basic cybersecurity tasks in the right way. In the simulation, the participants are exposed to the challenge of creating a new password and a potential ransomware attack using USB storage device. The program allows for monitoring the user’s cybersecurity knowledge and behaviour and provides feedback. An evaluation of the VR environment among 16 respondents using a pretest-posttest evaluation with the Human Aspect Information Security Questionnaire (HAIS-Q) showed a statistically significant increase in scores after exposure to the VR environment. The system showed an above average SUS score. These initial findings indicate that a VR environment can be an alternative to consider for future development of cybersecurity interventions. Future research could expand our social VR environment with additional cybersecurity challenges, real-time actors, and running simulations among a broader audience to also investigate the retention of knowledge and skills.