A Cybersecurity Risk Assessment for Enhanced Security in Virtual Reality

Our society is becoming increasingly dependent on technology, with immersive virtual worlds such as Extended Reality (XR) transforming how we connect and interact. XR technologies enhance communication and operational efficiency. They have been adopted in sectors such as manufacturing, education, and healthcare. However, the immersive and interconnected nature of XR introduces security risks that span from technical and human to psychological vulnerabilities. In this study, we examined security threats in XR environments through a scenario-driven risk assessment, using a hybrid approach combining Common Vulnerability Scoring System (CVSS) metrics and a custom likelihood model to quantify risks. This methodology provides a comprehensive risk evaluation method, identifying critical vulnerabilities such as Remote Code Execution (RCE), social engineering, excessive permission exploitation, unauthorized access, and data exfiltration. The findings reveal that human vulnerabilities, including users’ susceptibility to deception and excessive trust in familiar interfaces and system prompts, significantly increase attack success rates. Additionally, developer mode, once enabled, remains continuously active, and the lack of authentication requirements for installing applications from unknown sources, coupled with poor permission management on the part of the users, creates security gaps that attackers can exploit. Furthermore, permission management in XR devices is often broad and persistent and lacks real-time notifications, allowing malicious applications to exploit microphone, camera, and location access without the users knowing. By leveraging CVSS scores and a structured likelihood-based risk assessment, we quantified the severity of these threats, with RCE, social engineering, and insecure app installation emerging as the greatest risks. This study highlights the necessity of implementing granular permission controls, formalized developer mode restrictions, and structured user education programs to mitigate XR-specific threats.