Securing the Metaverse Era: Cybersecurity Risk Gaps in Extended Reality (XR) Systems

Authors

  • Muhammad Syafiq
  • Ahmad Firdaus Zainal Abidin, Universiti Malaysia Pahang Al-Sultan Abdullah (UMPSA)
  • Nurshahira Mohd
  • Noormadinah Allias
  • Mohd Zamri Osman
  • Mohd Faizal Ab Razak

Abstract

Extended Reality (XR), which includes Virtual Reality (VR), Augmented Reality (AR), and Mixed Reality (MR), has been increasingly adopted across a wide range of application domains, such as healthcare, education, and enterprise systems, due to its ability to deliver highly immersive user experiences. Nevertheless, XR platforms operate within sensor-rich environments that continuously collect and process sensitive biometric, behavioural, and spatial data. This persistent data acquisition introduces novel cybersecurity and privacy risks that extend beyond those typically encountered in traditional information technology infrastructures. This paper aims to address the gap between the emerging threat landscape affecting XR and traditional cybersecurity risk management frameworks, such as ISO/IEC 27001 and the NIST Cybersecurity Framework (NIST CSF). The study adopts a critical review and comparative analysis of these legacy models and frameworks against an extensive taxonomy of XR threats, such as sensor-induced information abuse, impersonation or identity spoofing, and immersive social engineering. The key findings are three residual risk areas that are less covered by existing solutions: incomplete protection for real-time behavioural and biometric data, unreliable control of avatar and identity integrity, and adaptive incident response in situations where a physical-virtual incident occurs. To conclude, an XR-tailored risk assessment approach is urgently needed, which may inform the design of more advanced threat modelling methodologies and a Mitigation Readiness Toolkit for the safe and trustworthy adoption of all immersive technologies.

Published

11-06-2026