Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Journey into the Immersive Frontier: Preliminary NIST Research on Cybersecurity and Privacy Standards for Immersive Technologies

Words like “metaverse” and “augmented reality” may conjure up thoughts of friends in headsets wielding virtual sabers or folks roaming the streets at night in search of PokéStops. Virtual, augmented, and mixed reality technologies (“immersive technologies”) have entered the popular conscience thanks in part to the success of games, but their applications go well beyond new experiences in entertainment. They are already being utilized to increase access to education, improve manufacturing, bolster accessibility, and train workforces in healthcare and retail.

Immersive technologies have the potential to transform the way we interact with each other and the world. In the future, electrical utilities workers could use augmented reality technologies linked into smart cities infrastructure to identify the location of faulty grid equipment, while family and friends could use immersive technologies to virtually explore a new city, see a natural wonder, or just get together more often.

Immersive Tech Image Collage
Credit: Shutterstock

With these exciting potential benefits may come new vulnerabilities for cybersecurity and privacy that, if ignored, could create economic and societal harms.

In cybersecurity, digital technologies that bridge into new domains via novel interfaces, protocols, etc. can increase attack surface and break existing trust balances (i.e., balance of risk mitigations). These new technologies also have a distinctly human element and so will bring a host of human factors considerations related to cybersecurity. Consider that a phishing email can cripple you today, but the access afforded by similar attacks using something like a QR code with AR glasses could conceivably wreak havoc for individuals that rely on the technology. Immersive technologies may also enhance cybersecurity controls and mitigations. For example, private displays like those utilized in AR and VR headsets can help preserve data confidentiality during display of sensitive information compared to handheld or desktop displays, which are more susceptible to attacks, such as “shoulder surfing.”

To function, these technologies rely on spatial and body-based data about individuals, which can create significant privacy risks. This includes integration of behavioral data about emotional/psychological states with biometric data used beyond identity verification (e.g., eye tracking). Immersive technologies can also create limitations for the application of traditional privacy principles. For example, physical data necessary for functionality may be generated involuntarily and is measured using complex techniques. This limits individuals’ ability to understand and control how their data is collected and used. Further, integration with other emergent technologies, like Artificial Intelligence, adds complexity to the unique context in which cybersecurity and privacy risks can arise and will need to be managed.

In the coming months, NIST will research the current state of immersive technologies, gathering insights and feedback on cybersecurity and privacy considerations from our stakeholder community. This work will include soliciting stakeholder feedback through a call for input and comments, holding a workshop, and issuing a final report outlining findings and recommendations for next steps.

Process for NIST'S immersive tech project
Credit: NIST

We hope you will contribute your expertise as we engage with the community to learn more about these technologies. We welcome all feedback from interested parties. Comments, feedback, and questions can be sent to immersivetech [at] (immersivetech[at]nist[dot]gov). Please keep an eye out for more from NIST on immersive technologies!

About the author

Dylan Gilbert

Dylan Gilbert is a Privacy Policy Advisor with the Privacy Engineering Program at the National Institute of Standards and Technology, U.S. Department of Commerce. In this role, he advances the development of privacy engineering and risk management processes with a focus on the Privacy Framework and emerging technologies.

Prior to joining NIST, he was Policy Counsel at Public Knowledge where he led and developed all aspects of the organization’s privacy advocacy. This included engagement with civil society coalitions, federal and state lawmakers, and a broad cross-section of external stakeholders on issues ranging from consumer IoT security to the development of comprehensive federal privacy legislation. He spent the early part of his career as a working musician and freelance writer in his native southern California.

Dylan holds a B.A. in English from the College of William and Mary and a J.D. from the George Washington University Law School.

Michael Fagan

Mike Fagan is a computer scientist working with the Cybersecurity for IoT Program, which aims to develop guidance toward improving the cybersecurity of IoT devices and systems. Mike holds a Ph.D. in computer science and engineering from the University of Connecticut and a bachelor’s degree in history and computer science from Vanderbilt University. Born and raised in Brooklyn, New York, Mike now lives in West Virginia with his wife, sons, dog, cats, fish and voice assistant.

Related posts


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.