First Steps to Improve Cybersecurity Behaviour – a Virtual Reality Experience


  • Lara Klooster
  • Robby van Delden Human Media Interaction, University of Twente
  • Jan-Willem Bullée Industrial Engineering and Business Information Systems - Faculty of Behavioural, Management and Social sciences (BMS) University of Twente, Enschede, The Netherlands



Cybersecurity, Design, Immersive Virtual Reality, Intervention, Prototyping, USB drop


 Internet is completely integrated and absorbed in our life. Facilitating transfer of files across the world or wiring money from the couch, we could not imagine a world without it anymore. With these benefits, as with any new technology, there is also the introduction of risks and threats, for internet primarily in the form of cybercrime and online fraud. To reduce victimisation of this cybercrime, interventions are used to teach people to not perform risky behaviour. To overcome criticisms of current training materials, such as being tedious and boring, we created an Immersive Virtual Reality experience. By using a 4-step design process (i.e. ideation, specification, realisation, and evaluation), we designed a playful VR environment with simplistic non player characters to train the user to perform basic cybersecurity tasks in the right way. In the simulation, the participants are exposed to the challenge of creating a new password and a potential ransomware attack using USB storage device. The program allows for monitoring the user’s cybersecurity knowledge and behaviour and provides feedback. An evaluation of the VR environment among 16 respondents using a pretest-posttest evaluation with the Human Aspect Information Security Questionnaire (HAIS-Q) showed a statistically significant increase in scores after exposure to the VR environment. The system showed an above average SUS score. These initial findings indicate that a VR environment can be an alternative to consider for future development of cybersecurity interventions. Future research could expand our social VR environment with additional cybersecurity challenges, real-time actors, and running simulations among a broader audience to also investigate the retention of knowledge and skills.

Author Biographies

Robby van Delden, Human Media Interaction, University of Twente

Robby van Delden Dr. is an assistant professor at HMI at the University of Twente. He received an MSc in HMI and IDE. His PhD was on "(Steering) Interactive Play Behavior". His research combines embodied interaction with entertainment computing including sportification, co-design, sports, health, and learning; teaches Game Design, Interactive Media, Experience Design and HCI. 

Jan-Willem Bullée, Industrial Engineering and Business Information Systems - Faculty of Behavioural, Management and Social sciences (BMS) University of Twente, Enschede, The Netherlands

Jan-Willem Bullée is an Assistant Professor of Evidence-Based Cybersecurity at the University of Twente. With a background in both psychology (MSc) and computer science (MSc), he focuses on reducing cybercrime victimization. Jan-Willem's research revolves around the human element's impact, and on evaluating countermeasures such as interactive lessons programs for young learners, games for organisational staff members and easy implementable nudges