A process 23 runs directly on a host operating system 22, until the process 23 attempts an operation which can affect security of the host operating system 22 (such as loading a kernel module or using system privileges). A guest operating system 25 is then provided running as a virtual machine session within a compartment 24 of the host operating system 22 and running of the process 23 continues using the guest operating system. Operations of the process 23 which can affect security of the host operating system 22 are instead performed on the guest operating system 25, giving greater security. The guest operating system 25 is only invoked selectively, leading to greater overall efficiency.