<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>A game-based learning experience for improving cybersecurity awareness</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Silvestro Veneruso</string-name>
          <email>veneruso.1461229@studenti.uniroma1.it</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Lauren S. Ferro</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Andrea Marrella</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Massimo Mecella</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Tiziana Catarci</string-name>
          <email>catarcig@diag.uniroma1.it</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Sapienza Università di Roma</institution>
          ,
          <addr-line>Rome</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>The use of videogames is an established tool to train a systematic way of thinking that allows users to learn by gaming. In this paper, to address the increasing need for awareness of cybersecurity-related issues, we present the realization of a Virtual Reality (VR) videogame targeted towards educating users in the context of cybersecurity.</p>
        <p>Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).</p>
        <p><sup>1</sup> Representations of reality without the consequences of reality that a player would find in a simulation.</p>
        <p><sup>2</sup> Gamification is not a game per se, rather an application with game elements that encourage certain behaviours.</p>
        <p><sup>3</sup> Representation of reality where actions have the same (simulated) consequences as they would have in reality.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>
        Over the last years, videogames have been offering solutions to educate users in ways that
traditional methods cannot afford, more so in a consequence-free environment where players
can succeed, being rewarded for solving a problem or completing a task, or fail, and by doing
so can reflect, understand, and try again [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ]. So, videogames train a systematic way of thinking
that allows players to learn by gaming [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ]. In many traditional settings (e.g., in classrooms)
receiving feedback is often a delayed event. Conversely, in videogames, it is possible for the
player to receive feedback immediately, greatly reducing the time span between learning and
practising. In addition, videogames that challenge players can also result in better learning
outcomes [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], thereby improving the acquisition of learning content. Videogames and other
types of interactive learning experiences can encompass a variety of different experiences such
as serious games<sup>1</sup>, gamified experiences<sup>2</sup>, and simulations<sup>3</sup>. In each of these genres, different
approaches for integrating educational content afford the possibility for players to not only
engage in an enjoyable experience, but also to learn something valuable from it.
      </p>
      <p>
        Based on the foregoing considerations, we present in this paper the realization of a Virtual
Reality (VR) First-Person videogame, called CyberVR, targeted towards educating users in the
context of cybersecurity, a research and practical field that has been attracting considerable
interest in recent years [
        <xref ref-type="bibr" rid="ref1 ref2 ref3">1, 2, 3</xref>
        ]. The player, who acts as an IT technician, explores a fictitious
post-apocalyptic world where IT systems are designed as virtual environments, and IT
technicians have the possibility to set them up directly from the inside. The player can progress in the
game by interacting with an invisible entity, called the "Administrator", which supports the
player in the proper execution of tasks, presented to the player in the form of mini-games. Each
mini-game covers a relevant and contemporary topic related to cybersecurity, from highlighting
the importance of keeping a software (SW) system updated, to requiring the player to handle
a communication between two subjects using "public-key cryptography".
      </p>
      <p>The rest of the paper is organized as follows. In Section 2, we introduce the technical features
related to the development of CyberVR, and we discuss its novelty with respect to
state-of-the-art existing games for learning cybersecurity aspects. Then, in Section 3, we present a
walkthrough of CyberVR describing in detail the structure of any cybersecurity-related
mini-game. Finally, Section 4 concludes the paper.</p>
    </sec>
    <sec id="sec-2">
      <title>Game Development and Related Work</title>
      <p>The development of CyberVR was performed through the Unreal Engine 4 with the use of
the Oculus Rift and Leap Motion. The Oculus Rift allowed us to develop an experience that
was set in VR, and the Leap Motion allowed players to use their hands to interact with in-game
objects and throughout the mini-games. In addition, the player also used an Xbox controller
for some parts of the interaction, specifically to advance the dialogue with the Administrator.</p>
      <p>
        To develop a videogame that was specifically focused on educating users in the context of
cybersecurity, we needed to understand what was currently available in the research
literature. Specifically, we found (academic) games such as CyberCIEGE [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], PhishGuru [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ],
Anti-Phishing Phil [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ] and Phish Phinder [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ], frameworks like [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ] for designing cybersecurity
focused games, and mainstream videogames such as Overwatch and Hacker Evolution Duality.
      </p>
      <p>The development of CyberVR has resulted in many elements and features that differentiate
the game in comparison to those that already exist. First of all, the main difference is that
CyberVR does not just focus on a single cybersecurity issue, but rather on several, thus making
it a complete introduction to the most relevant cybersecurity aspects. The second difference is
that CyberVR actively involves the user in every aspect of the game as opposed to traditional
participation such as moving a mouse or typing on the keyboard, as found with games such
as Anti-Phishing Phil or PhishGuru. Since this experience utilises the Oculus Rift with the
Leap Motion device as well as an Xbox controller, the player is encouraged to "interact" with
the security issues rather than more traditionally and passively by clicking or typing responses.
Another important characteristic of CyberVR lies in its contemporary nature, as the game
challenges and pushes the barrier of educational game design further with the use of modern
technology. In this way, CyberVR is novel in both its approach and representation of
cybersecurity topics, raising the bar on educational games and interactive learning experiences, and
therefore aligning with more contemporary and relevant technology and interactive design.</p>
    </sec>
    <sec id="sec-3">
      <title>Game structure</title>
      <p>The game consists of two main levels. The first one is set outside a building (see Figure 1),
which the Administrator refers to as his non-secure IT system, and is intended as a tutorial
that enables the player to learn how to move in and interact with the environment. Then, the
second level takes place inside the building, and consists of six mini-games that the player has
to complete (in any order) to secure the IT system.</p>
      <p>Before entering the building, i.e., the IT system that has to be secured, the player
is asked to "scan" the surface of the system (see Figure 2). The rationale for this is to introduce
the concept of performing an Nmap<sup>4</sup> (network mapper) scan via a terminal command. Once
the player has completed the scan, s/he must "ask for permission" from the Administrator of
the system to gain access. Once access has been granted to the player, s/he proceeds to enter
the building, where the player is immediately confronted with a dark space - a metaphoric
"Black Box". Here, the player performs a "Black Box Analysis" through VAPT (Vulnerability
Assessment and Penetration Testing). Once the analysis is completed, the player can then
proceed to playing the six available mini-games, which are described below.</p>
      <p><sup>4</sup> Nmap is an open-source network scanner. See https://nmap.org</p>
      <p>Information Flow: It requires a player to scan data packets, which are represented by
cubes. The aim of this mini-game is to find out if the data packets are "Sensitive Data" or
"Public Data". Once the player has properly identified the data packet type, s/he redirects the
data packet towards the correct information flow using buttons, as shown in Figure 3.</p>
      <p>Code Injection: It requires the player to scan the source code to locate
dangerous/malicious pieces of code. Once the player has identified the dangerous code, s/he must destroy it
using a "fire" gesture, as shown in Figure 4.</p>
      <p>Patch Management: It is a mini-game about keeping a SW system (e.g., a program,
server, etc.) up to date; the system is represented by a cube. Specifically, the system needs to be updated and
patched. This is a typical and needed security requirement when it comes to protecting a SW
system and the data/applications that it manages. Patches and updates can solve a
critical problem of the SW, such as a security flaw that may have been introduced during the
development phase. The player needs to "scan" all layers of the SW (cube) and apply the
correct patch, from the ones that are visually available to her/him, using buttons (marked A,
B, C). A screenshot of this mini-game is shown in Figure 5.</p>
      <p>Dynamic SW Analysis: It is a testing technique based on observing the behaviour of a
SW during its running phase. First of all, this mini-game requires the player to run the SW by
pressing a button "Run Code". At this point, the player will notice that several security issues
appear in the code in the form of orange poles that protrude out towards the player. Each of
the orange poles is provided with a yellow label with the "issue" name, as shown in Figure 6.
These are typical and popular issues that may arise for a SW at run-time (e.g., SQL Injection
and Buffer Overflow). It is up to the player to then "Reject" these issues by physically pushing
them with her/his hands. Once the player has performed this task for ten issues, s/he can
destroy them with the fire gesture, and the mini-game can be considered as completed.</p>
      <p>Privilege Escalation: The system to be secured may have intruders inside it. Therefore,
in this mini-game, the player must "scan" the users that accessed the system to find out
which ones have reached the "Root", i.e., a restricted area of the system that typically requires
that the users have specific privileges or permissions to access it. In this mini-game, the
player will find that some users (i.e., the intruders) have utilised a flaw in the security (e.g.,
a weak password) to obtain permissions. Hence, to solve the problem, the player must fix
the security flaw by removing permissions from unauthorized users and by implementing
stronger passwords. A screenshot of this mini-game is shown in Figure 7.</p>
      <p>Public-Key Cryptography: It is a mini-game about two users - Alice and Bob - who want
to exchange messages in a secure way, as shown in Figure 8. The player achieves this by using
"Public key" cryptography. First, the player encrypts the message by using a "Public key",
which is known by both the sender and the recipient of the message. Then, on the other side
of the communication, the player decrypts the message using a "Private Key", which is known
only to the recipient of the message. To encrypt the message, the player needs to physically
grab keys from Alice and Bob. Once the player has successfully allowed four messages to be
exchanged, the mini-game is complete.</p>
      <p>When the player completes one of the six mini-games, s/he is rewarded with a coin, which
represents her/his awareness of the analyzed cybersecurity threat. An example of a coin can
be seen in the top right-hand corner of the screen in Figure 8. Once the player has obtained
six coins (i.e., the IT system has been secured), s/he will unlock the last part of the game,
which consists of updating the database of threats using the experience/awareness achieved by
completing each mini-game. The underlying message is that proper knowledge of existing
cybersecurity threats may make it possible to prevent future threats and better protect an IT system.
After this, the player can return to the starting environment, which has changed to a
more positive aesthetic, and it is now possible for the player to conclude the learning experience.</p>
    </sec>
    <sec id="sec-4">
      <title>Concluding Remarks</title>
      <p>In this paper, we have presented CyberVR, a videogame based on an immersive approach
(leveraging VR features) that focuses on making users aware of cybersecurity issues. The
videogame consists of six mini-games, whose target is to introduce the player to some of the
most relevant existing cybersecurity issues, together with a way to resolve them or at least
understand how they work and how dangerous they are in more detail. In this way, the players have the
opportunity to extend or consolidate their knowledge of these issues.</p>
      <p>
        Interested readers can also refer to an extended version of this short contribution [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ], which
provides more discussion and a large user evaluation demonstrating that CyberVR is equally
effective but more engaging as a learning method for cybersecurity education than traditional
textbook learning.
      </p>
      <p>Acknowledgments. This research work has been partly supported by the "Dipartimento di
Eccellenza" grant, the H2020 project DESTINI, the Sapienza grants IT-SHIRT and BPBots,
the Lazio regional initiative "Centro di eccellenza DTC Lazio" and the project ARCA.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>Simone</given-names>
            <surname>Agostinelli</surname>
          </string-name>
          , Fabrizio Maria Maggi, Andrea Marrella, and
          <string-name>
            <given-names>Francesco</given-names>
            <surname>Sapio</surname>
          </string-name>
          .
          <article-title>Achieving GDPR Compliance of BPMN Process Models</article-title>
          .
          <source>In Information Systems Engineering in Responsible Information Systems</source>
          , pages
          <fpage>10</fpage>
          –
          <fpage>22</fpage>
          ,
          <string-name>
            <surname>Cham</surname>
          </string-name>
          ,
          <year>2019</year>
          . Springer International Publishing.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>Simone</given-names>
            <surname>Coltellese</surname>
          </string-name>
          , Fabrizio Maria Maggi, Andrea Marrella, Luca Massarelli, and
          <string-name>
            <given-names>Leonardo</given-names>
            <surname>Querzoni</surname>
          </string-name>
          .
          <article-title>Triage of IoT Attacks Through Process Mining</article-title>
          .
          <source>In On the Move to Meaningful Internet Systems: OTM 2019 Conferences</source>
          , pages
          <volume>326</volume>
          –
          <fpage>344</fpage>
          ,
          <string-name>
            <surname>Cham</surname>
          </string-name>
          ,
          <year>2019</year>
          . Springer International Publishing.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>Giuseppe</given-names>
            <surname>Desolda</surname>
          </string-name>
          , Francesco Di Nocera, Lauren Ferro, Rosa Lanzilotti, Piero Maggi, and
          <string-name>
            <given-names>Andrea</given-names>
            <surname>Marrella</surname>
          </string-name>
          .
          <article-title>Alerting Users About Phishing Attacks</article-title>
          .
          <source>In International Conference on Human-Computer Interaction</source>
          , pages
          <volume>134</volume>
          –
          <fpage>148</fpage>
          . Springer,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>Juho</given-names>
            <surname>Hamari</surname>
          </string-name>
          ,
          <string-name>
            <given-names>David J.</given-names>
            <surname>Shernoff</surname>
          </string-name>
          , Elizabeth Rowe, Brianno Coller, Jodi Asbell-Clarke, and
          <string-name>
            <given-names>Teon</given-names>
            <surname>Edwards</surname>
          </string-name>
          .
          <article-title>Challenging games help students learn: An empirical study on engagement, flow and immersion in game-based learning</article-title>
          .
          <source>Computers in Human Behavior</source>
          ,
          <volume>54</volume>
          ,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>C. E.</given-names>
            <surname>Irvine</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. F.</given-names>
            <surname>Thompson</surname>
          </string-name>
          , and
          <string-name>
            <given-names>K.</given-names>
            <surname>Allen.</surname>
          </string-name>
          <article-title>CyberCIEGE: Gaming for information assurance</article-title>
          .
          <source>IEEE Security &amp; Privacy</source>
          ,
          <volume>3</volume>
          (
          <issue>3</issue>
          ),
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>Ponnurangam</given-names>
            <surname>Kumaraguru</surname>
          </string-name>
          , Justin Cranshaw, Alessandro Acquisti, Lorrie Cranor, Jason Hong, Mary Ann Blair, and
          <string-name>
            <given-names>Theodore</given-names>
            <surname>Pham</surname>
          </string-name>
          .
          <article-title>School of phish: A real-world evaluation of anti-phishing training</article-title>
          .
          <source>In 5th Symposium on Usable Privacy and Security. ACM</source>
          ,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>Alexis</given-names>
            <surname>Le Compte</surname>
          </string-name>
          , David Elizondo, and
          <string-name>
            <given-names>Tim</given-names>
            <surname>Watson</surname>
          </string-name>
          .
          <article-title>A renewed approach to serious games for cyber security</article-title>
          .
          <source>In 2015 7th Int. Conf. on Cyber Conflict: Architectures in Cyberspace</source>
          , pages
          <volume>203</volume>
          –
          <fpage>216</fpage>
          . IEEE,
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>Gaurav</given-names>
            <surname>Misra</surname>
          </string-name>
          , Nalin Gamagedara Arachchilage, and
          <string-name>
            <given-names>Shlomo</given-names>
            <surname>Berkovsky</surname>
          </string-name>
          .
          <article-title>Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks</article-title>
          .
          <source>arXiv:1710.06064</source>
          ,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <surname>Kurt</surname>
            <given-names>D</given-names>
          </string-name>
          <string-name>
            <surname>Squire</surname>
          </string-name>
          .
          <article-title>Video game-based learning: An emerging paradigm for instruction</article-title>
          .
          <source>Performance Improvement Quarterly</source>
          ,
          <volume>21</volume>
          (
          <issue>2</issue>
          ),
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <surname>Nick</surname>
            <given-names>Tannahill</given-names>
          </string-name>
          , Patrick Tissington, and
          <string-name>
            <given-names>Carl</given-names>
            <surname>Senior</surname>
          </string-name>
          .
          <article-title>Video games and higher education: what can "Call of Duty" teach our students?</article-title>
          <source>Frontiers in psychology</source>
          ,
          <volume>3</volume>
          :
          <fpage>210</fpage>
          ,
          <year>2012</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <surname>Silvestro</surname>
            <given-names>Veneruso</given-names>
          </string-name>
          , Lauren S Ferro, Andrea Marrella, Massimo Mecella, and Tiziana Catarci.
          <article-title>CyberVR - An Interactive Learning Experience in Virtual Reality for Cybersecurity Related Issues</article-title>
          .
          <source>In 2020 International Conference on Advanced Visual Interfaces (AVI '20)</source>
          . ACM,
          <year>2020</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>Zikai</given-names>
            <surname>Alex</surname>
          </string-name>
          <string-name>
            <given-names>Wen</given-names>
            , Zhiqiu Lin, Rowena
            <surname>Chen</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Erik</given-names>
            <surname>Andersen</surname>
          </string-name>
          .
          <article-title>What.Hack: Engaging Anti-Phishing Training Through a Role-playing Phishing Simulation Game</article-title>
          .
          <source>In 2019 CHI Conference on Human Factors in Computing Systems (CHI '19)</source>
          . ACM,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>