The Risk and Rewards of Enterprise Use of Augmented Reality and Virtual Reality

More than 20 years ago, virtual reality (VR) was a simple headset that communicated with video-game consoles and allowed humans to play video games viewed on a four-inch screen housed inside the headset instead of on a television. The only real innovation or change was that the viewing screen was several inches away from the eye instead of four feet away on a television. Today’s, VR is a complete virtual environment that is distinctly separate from the physical world. Users of VR technology typically wear a headset to interact with the virtual environment. Augmented reality (AR) provides a virtual overlay via electronic glasses or goggles that displays additional graphic images onto the physical world for an augmented experience. An example of AR is the Pokémon GO mobile game that uses a player’s smartphone global positioning system (GPS) to search real physical locations to locate graphical items and monsters overlaid onto the real world. Figure  1 shows the differences between AR and VR. Figure 2 shows the relationship among realities.

VR technology is still heavily used in the video-game industry, but it is also taking on new life in many other fields. For example, Walmart Inc. is actively leveraging VR training programs with more than 40 training modules in their employee onboarding process to help associates become familiar with technology that is used on the job, enterprise compliance requirements and customer service soft skills such as empathy. Walmart announced it intends to purchase and deploy 17,000 Oculus Go VR headsets in 2019 and through 2020 to bolster and support this training initiative for its US-based stores.¹ The positive outcomes of the Walmart VR training programs are two-fold: Walmart reported a 30-percent increase in training satisfaction for employees who take VR-based onboarding training, and 70 percent of employees who were trained via VR programs outperformed employees who completed the previous non-VR training programs.²

Other enterprises that use VR training programs include French truck manufacturer Renault Truck, which is integrating Microsoft HoloLens for engine assembly operations at its Lyon, France, facility. Using AR, HoloLens loads engine schematics and assists the assembly engineer with improving quality control processes as engine assembly initiates and completes. Other notable enterprises leveraging AR/VR technology to assist enterprise training and operations activities include Boeing, for avionics wire harness assembly; BAE Systems, for electric propulsion device creation; and Intel, for electrical safety employee training.³

Current and Future Market Forecasts

Like other emerging enterprise technologies such as cloud or artificial intelligence (AI), use of AR/VR technology is positioned for extraordinary growth within the next six years. The total forecasted market value of AR/VR is US$16.8 billion in 2019.⁴ Where the AR/VR market is projected to go from 2019 is incredibly unpredictable due to other factors such as 5G and robotic technology, but current market predictions from market research firms (e.g., BusinessWire, Transparency Market Research, Goldman Sachs Research) have market growth projections ranging between US$34 billion and US$547 billion through 2025, with a minimum compound annual growth rate (CAGR) of 40 percent.⁵ The AR/VR market continues to be geared primarily toward gaming, followed by entertainment (i.e., television, movies), with North America currently dominating sales and usage as of 2018. The Asia Pacific region is expected to become dominant through the forecast period into 2025 as adoption and investment increase.⁶

Who Is Driving the Growth?
This explosion in AR/VR growth is being propelled by some of the usual technology players, such as Microsoft (HoloLens MR), Google (Daydream), Sony Corporation (PlayStation VR) and Facebook (Oculus Go and Quest VR headsets). Some potentially unknown players include HTC (Vive headsets), Upskill (Skylight) and Magic Leap (Magic Leap One).⁷ Sony Corporation is currently dominating the VR device market by number of units,⁸ with 2.2 million units shipped, and overall shipments being placed.⁹ Facebook and HTC currently take second and third place, respectively. As enterprise adoption of AR/VR technology increases over the 2019-25 forecast period, Sony may begin to lose ground to some of its competitors that are seeking to develop and deploy enterprise-based solutions.

AR/VR Security Concerns and Approaches

Enterprise adoption and market growth of AR and VR are set to explode in the near term. The challenge that this growth presents to security professionals is how to secure these devices and data after they are introduced onto their network environments. As of 2019, comprehensive and commonly known security frameworks have not been developed and documented for enterprise AR/VR solutions. Some organizations, such as Augmented Reality for Enterprise Alliance (AREA), are attempting to standardize product and security requirements for AR/VR enterprise-level devices, but currently do not have a direct security focus and are not mainstream.¹⁰ The solution to the security challenge lies in applying a pioneer-based approach to assess the risk and capabilities offered by AR/VR devices, changing internal processes to accommodate this new technology and applying security principles with which enterprises are familiar to properly secure AR/VR devices on the network. There are AR/VR risk and security management strategies that enterprises can adopt as assessment and implementation of AR/VR solutions occur.

Governance, Device Management and Vendor Risk
Before AR/VR solutions are purchased, integrated and functional on the network, a well-thought-out governance framework should be developed and adopted by the enterprise. Key AR/VR governance controls include:

• Integrating existing vendor management practices or creating stand-alone AR/VR vendor management practices
• Documenting concise business use cases and tangible business goals that the AR/VR solution is expected to deliver for the enterprise
• Documenting key performance indicators (KPIs) that inform stakeholders about relative performance

An example use case is the transition away from in-person and learning-management-system-based employee security and compliance training to a virtual training program that allows employees to directly practice necessary concepts and skills for their roles. An associated business goal may be to achieve a higher level of user satisfaction with the enterprise security training program or facilitate more direct user interaction with the training by leveraging virtual exercises. Example KPIs include 90-percent or higher first-pass rate on final course assessments and 90-percent or higher rating on user satisfaction surveys following completion of the training. The enterprise should formally and routinely assess the ongoing use of AR/VR solutions against the original business goals to ensure that they remain aligned. Development and maintenance of relevant KPIs informs the enterprise about the extent to which original business goals are being met.

Management should further define clear roles and responsibilities for the use of AR/VR solutions. Roles include enterprise sponsors and/or product owners who directly manage high-level decisions about AR/VR solution use, adoption, education and board communications. Additional roles and responsibilities should focus on enterprise security, operations and AR/VR integration with existing security policy, operational procedures and internal support functions. The enterprise must determine how to completely and accurately integrate AR/VR solutions into the environment in a secure fashion. The data that are produced by AR/VR devices compared to the enterprise expectations need to be understood and set up for logging. Final control considerations about how AR/VR data are used and the users who have permission to access those data should be fully mapped, communicated and restricted via logical and device access controls.

Additional risk and controls related to AR/VR governance include developing processes to acquire, inventory and track possession and use of AR/VR devices that the enterprise intends to use. Individual AR/VR devices can be very costly and rival enterprise laptop purchases. The price of Microsoft HoloLens 2 enterprise edition is US$3,500, and the cost of Google Glass Enterprise Edition 2 is in the US$999 range. (Costs vary based on enterprise contracts with suppliers and manufacturers.)¹¹ AR/VR devices (i.e., a headset or pair of glasses) are generally smaller than a laptop and can easily be slipped into a shirt or pants pocket. Therefore, proper inventory management is important to ensure that these expensive assets are not stolen or lost. The enterprise should conduct formalized and routine assessments of vendors that are associated with AR/VR solutions to determine:

• History of security breaches with products
• Fiscal responsibility
• Patch-release cadence
• Available security features
• Support offerings
• Any limitations and ownership concerns with enterprise applications or data created with the vendor solution

Privacy Risk
AR/VR technologies present tremendous privacy risk. The devices that provide individuals with VR or AR experiences in video games or immersive training contain several sensors that collect and transmit telemetry data of the wearer, such as body and eye movements. Functional AR/VR technology is inherently dependent on the device tracking a wearer’s body movement using a collection of sensors to track close to 90 movements per second.¹² This equates to documenting approximately two-million body-movement recordings during a 20-minute VR session. This tremendous amount of information can be very valuable to those who want to target advertising to certain demographic classes. Data indicating the items that users look at or interact with during the VR experience and the duration of interaction can correlate to potential product interests.

DATA INDICATING THE ITEMS THAT USERS LOOK AT OR INTERACT WITH DURING THE VR EXPERIENCE AND THE DURATION OF INTERACTION CAN CORRELATE TO POTENTIAL PRODUCT INTERESTS.

Additional review of privacy policies offered by some AR/VR manufacturers clearly suggests that aggregate data collected by the device, such as the wearer’s financial state, transaction history and movement data, are shared with the manufacturer’s business affiliates without further consent from the wearer.¹³ Another data privacy risk is the availability of telemetry data to malicious actors who use the data to footprint enterprise facilities. These data can include the user’s physical movements recorded by the headset, camera video feeds and sounds that AR/VR devices are actively or passively capturing. Privacy control considerations that may provide users and enterprises with optimal privacy protections are purchasing AR/VR solutions from a manufacturer that is bound by strong privacy law, such as the EU General Data Protection Regulation (GDPR), and solutions that allow the wearer to control how data, whether telemetry or financial, are shared externally and where these data can be stored.

Enterprises also need to fully explore potential internal privacy impacts and establish processes on how AR/VR data from the employee are gathered, used and inform management of employee behavior.¹⁴ The active flow of AR/VR data may allow enterprise management to legally know the amount of time that an employee spent completing certain tasks and if an employee is taking unapproved breaks or unauthorized actions while using AR/VR devices. Enterprises should validate that employees receive the proper disclosures and that internal policies and procedures are aligned. Organizations must manage potential legal risk if AR/VR data are used for internal employee or user monitoring.

Physical Risk
Physical risk varies widely with even brief uses of AR/VR devices and is possibly more impactful than security because of the potential legal ramifications from physical and mental injuries or failure to act responsibly. Sensory conflict risk occurs when the eyes tell the wearer that one experience is happening (navigating a virtual world) while the body is experiencing the opposite or a reduced sensation (not actually moving at all). This sensory conflict can cause the wearer to become dizzy or ill, or experience more extreme sensory conflict, such as a seizure that leads to serious physical injury (e.g., wearer falls and receives a head injury).¹⁵ The enterprise should ensure that users are medically cleared to use AR/VR technology prior to allowing initial and/or unsupervised use. Management should also implement onboarding and management programs that limit total session time and provide acclimation training that allows wearers to become used to wearing devices and interacting with virtual or augmented realities, prior to allowing extended or ongoing use of the devices.

Additional AR/VR physical risk includes:

• Immersion distraction—Users become so engrossed in the virtual experience that they are fully unaware of what is occurring in their physical surroundings (e.g., theft or vandalism is occurring).¹⁶
• Loss of spatial awareness—Users are unaware that they are about to experience potential injury by walking into a wall, sharp object or off a ledge.¹⁷
• Undesired/unrecognized physical trauma—Depending on the virtual content in which the device wearers are immersing themselves, hearing loss, damage to eyesight and behavioral changes are possible.¹⁸ Health and safety documentation provided by Google Daydream indicates that the realistic experiences offered by a virtual environment can cause the body to believe that the experience is real, leading to differences in how users internally process the experience. Some users may internally process the experience in a way that can cause psychological reactions including anxiety, fear or even post-traumatic stress disorder (PTSD).¹⁹

Physical controls that enterprises should consider include allocating a single or limited number of dedicated physical spaces for AR/VR use with access protected by electronic badge. The space (room) should be large enough to allow the AR/VR device wearer to freely roam without constraint and free of physical hazards, such as ledges, desks, sharp corners and tripping hazards. Ideally, this dedicated room is located near the security or reception desk, requires check in and check out, implements session limits, provides access to storage lockers to place personal belongings, and is directly supervised (i.e., another person in the room) or indirectly supervised (i.e., closed-circuit television [CCTV] monitored). To control undesired physical trauma, AR/VR programs or experiences that are presented to users should be routinely assessed to ensure eye-strain factors, noise levels and events have their potential level of trauma minimized, where possible, through programming and/or session limitations. When not in use, AR/VR devices should be placed in a physically restricted container or locker that prevents theft and restricts the device’s onboard cameras or other sensors from seeing, hearing and recording.

ENTERPRISES SHOULD SEEK TO PURCHASE AR/VR SOLUTIONS THAT PROVIDE FEDERATED ACCESS CAPABILITIES TO CENTRALIZE AND EASILY CONTROL USER ACCESS AND PERMISSION LEVELS ASSOCIATED WITH INDIVIDUAL AR/VR DEVICES.

Logical and Data Security Risk
AR/VR-device logical security risk covers many areas, from the individuals who are allowed to activate and access AR/VR devices to the types of memory devices that can be inserted into the headset and then used to extract or upload data to the network. Enterprises should seek to purchase AR/VR solutions that provide federated access capabilities to centralize and easily control user access and permission levels associated with individual AR/VR devices.

Enterprises may also be at risk of VR-headset remote activation while the devices are in use or during nonbusiness hours. Controls that enterprises should consider implementing include:

• Multifactor authentication—Requires user permission for remote activation
• Native features, such as PIN entry—Reduces risk of unauthorized remote access
• Group policy—Enforces restrictions on the times that AR/VR devices may be activated on the network, whether remotely or in person

Logical risk for enterprises also includes providing inappropriate internal access to external users in public locations. Examples include virtual customer experiences, such as virtual facility tours and product orientations, in public office locations. Enterprises should ensure that the AR/VR devices that are provided to external users, such as visiting customers and business partners, use a kiosk function that heavily restricts the user interaction with the enterprise network, users and internally stored data. Risk scenarios include external visitors anonymously harassing employees in other virtual environments and external users virtually vandalizing (e.g., virtual graffiti) internal virtual spaces.²⁰ Enterprises should also verify that if a publicly accessible headset comes out of kiosk mode, appropriate personnel are promptly alerted and positioned to swiftly disable the device until kiosk mode can be restored.

Data-risk controls should concentrate on formally developed data retention policies and procedures that detail:

• Roles and responsibilities (e.g., data owner and custodian)
• Classification of data that are produced by the AR/VR solution (e.g., sensitive, not sensitive and public)
• Storage location of data, based on their classification
• Length of time that data are to be retained
• Steps to purge data
• Validation processes for purging data after their useful lifetime has expired

Enterprises should also ensure that strong encryption is used for data at rest and in transit. A minimum of Advance Encryption Standard (AES) 256-bit encryption should be used for enterprise-level solutions that store and transmit data.

THE ENTERPRISE SHOULD SPEND TIME DURING THE PILOTING PHASE OF THE AR/VR SOLUTION INTEGRATION TO ENSURE THAT A COMPLETE INVENTORY OF EVENTS THAT ARE PRODUCED BY AR/VR DEVICES CAN BE CAPTURED WITH SUFFICIENT DETAIL.

Additional logical security risk factors for AR/VR devices include dissimilar application of security configurations or policies, use of headsets as a data exfiltration vector, and vulnerability exploitation by malicious actors. Controls that enterprises should consider adopting include security policy enforcement and compliance tools, such as IBM MaaS360²¹; scheduled patching; and routine vulnerability assessments against AR/VR devices for potential security gaps.

Monitoring Risk
Monitoring risk and controls are concerned primarily with completeness, accuracy, integrity, correlation to other network events and logging storage capacity for events generated from AR/VR devices. The enterprise should spend time during the piloting phase of the AR/VR solution integration to ensure that a complete inventory of events that are produced by AR/VR devices can be captured with sufficient detail, such as:

• Event date
• Event time
• Event user
• Event device name
• Event device IP address
• Event data sources that are being manipulated

THE STORAGE REQUIREMENTS FOR DATA THAT VR APPLICATIONS PRODUCE ARE AN ONGOING COST-AND-GROWTH CHALLENGE FOR ENTERPRISE CTOS AND CIOS.

Events to monitor include creating and modifying applications, creating and modifying users, and requesting specific representational state transfer (REST) APIs. The enterprise should further ensure that access to AR/VR-device log data is restricted to appropriate individuals and routinely reviewed for appropriateness, and that AR/VR devices cannot directly purge, access or manipulate the monitoring data. If possible, enterprises should integrate AR/VR devices with their security information and event monitoring (SIEM) tools to ensure prompt identification of and response to potential security breaches, suspicious network events and inappropriate use.

The storage requirements for data that VR applications produce are an ongoing cost-and-growth challenge for enterprise chief technology officers (CTOs) and chief information officers (CIOs). AR/VR applications can produce one terabyte of data per hour, based on the number and pixel density capacity of cameras that are used in the individual device.²² These data do not include audio data that the AR/VR device collects. Storage-capacity controls include:

• Creating intelligent VR data storage approaches that balance cost
• Tiered storage solutions, such as network access storage
• Enterprise accessibility
• Low-cost, long-term archive solutions, such as electronic tapes that are either controlled by the enterprise directly or vaulted offsite

The enterprise should consider performing a data pilot with valid business use cases and activity to determine the amount of data that AR/VR devices are creating per hour. The data pilot should allow the enterprise to forecast for future demand, determine storage impacts when adding AR/VR devices, and identify the best storage solutions and requirements for enterprise AR/VR use.

Conclusion

The prospects that AR and VR offer enterprises are tremendous, but they also present new and complex operational challenges (e.g., effects on employee health). The technology promises new experiences and innovative approaches to training employees, building and marketing products, customer interactions, and analyzing and solving business problems quickly and efficiently. The security challenges, technology risk and assurance concerns of AR/VR relate to the nonexistence of mainstream security frameworks for enterprises to adopt, too much variety of AR/VR products, and haphazard security configuration options available in vendor products (e.g., mobile device management [MDM], encryption options, remote wipe and access controls). Enterprises may have financial constraints with implementing AR/VR technology due to its significant upfront and ongoing costs, not only for purchasing devices, but also for storing and securing the vast amount of data that AR/VR technology can produce.

As enterprises initially explore and adopt AR/VR technology to solve their business challenges, complete understanding of how the enterprise and its users will create, consume and share AR/VR content, and creating a governance function that oversees the life cycle of AR/VR products and its data, will allow enterprises to develop an initial governance framework. The framework can be matured over time, while the enterprise waits for recognized security standards to emerge or the framework to become the standard. The ability of the enterprise to realize operational goals depends on its ability to secure the AR/VR solution by executing standard IT general controls (e.g., data encryption, restricted remote administrative capabilities, configuration management), understand the short- and long-term physical and mental effects of AR/VR technology on its users, and focus on the uses and size of data created by the AR/VR solution. Navigating and remediating these risk factors early enables the enterprise to focus on executing its mission and vision while assisting its users securely.

Endnotes

¹ Gagliordi, N.; “Walmart Deploys 17,000 Oculus Go Headsets to Train its Employees,” ZDNet, 30 September 2018, http://www.zdnet.com/article/walmart-deploys-17000-oculus-go-headsets-to-train-its-employees/
² Rogers, S.; “How VR, AR and MR Are Making a Positive Impact on Enterprise,” Forbes, 9 May 2019, www.forbes.com/sites/solrogers/2019/05/09/how-vr-ar-and-mr-are-making-apositive-impact-on-enterprise/#602aa5895253
³ Ibid.
⁴ Liu, S.; “Forecast Augmented (AR) and Virtual Reality (VR) Market Size Worldwide From 2016 to 2023 (in Billion U.S. Dollars),” Statista, 9 August 2019, www.statista.com/statistics/591181/global-augmented-virtual-reality-market-size/
⁵ Gallagher, C.; “End of Year Summary of Augmented Reality and Virtual Reality Market Size Predictions,” 18 November 2018, http://medium.com/vr-first/a-summary-of-augmented-reality-and-virtual-reality-market-size-predictions-4b51ea5e2509
⁶ Modor Intelligence, “Virtual Reality (VR) Market—Growth, Trends, and Forecast (2019 - 2024),” www.mordorintelligence.com/industry-reports/virtual-reality-market
⁷ DeNisco Rayome, A.; “These Companies Will Propel the AR and VR Markets to $95B by 2023,” TechRepublic, 5 March 2018, www.techrepublic.com/article/these-companies-will-propel-the-ar-and-vr-markets-to-95b-by-2023/
⁸ Liu, S.; “Unit Shipments of Virtual Reality (VR) Devices Worldwide From 2017 to 2019 (in Millions), by Vendor,” Statista, 9 August 2019, www.statista.com/statistics/671403/global-virtual-reality-device-shipments-by-vendor/
⁹ Liu, S.; “Estimated VR Device Shipment Share by Vendor Worldwide in 2018,” Statista, 9 August 2019, www.statista.com/statistics/755645/global-vr-device-market-share-by-vendor/
¹⁰ AREA, “Augmented Reality Functional Requirements,” http://thearea.org/area-resources/augmented-reality-functional-requirements/
¹¹ Haselton, T.; “Google Unveils New $999 Smart Glasses for Businesses, Undercutting Microsoft’s HoloLens on Price,” CNBC, 20 May 2019, www.cnbc.com/2019/05/20/google-glass-enterprise-edition-2-announced-price.html
¹² Ballenson, J.; “Protecting Nonverbal Data Tracked in Virtual Reality,” JAMA Pediatrics, 6 August 2018, http://vhil.stanford.edu/mm/2018/08/bailenson-jamap-protecting-nonverbal.pdf
¹³ Morrow, S.; “Is the Security of Virtual Reality (and Augmented Reality) Virtual Insanity?” Infosec, 16 April 2019, http://resources.infosecinstitute.com/virtual-reality-vr-security-concerns/#gref
¹⁴ Widman, J.; “How IT Can Prepare for VR, AR and MR in the Enterprise,” CIO, 14 August 2017, www.cio.com.au/article/625986/how-it-can-prepare-vr-ar-mr-enterprise/
¹⁵ Lewis, C.; “The Negative Side Effects of Virtual Reality,” Resource, 7 March 2018, http://resourcemagonline.com/2018/03/the-negative-side-effects-of-virtual-reality/87052/
¹⁶ LaMotte, S.; “The Very Real Health Dangers of Virtual Reality,” CNNhealth, 13 December 2017, www.cnn.com/2017/12/13/health/virtual-reality-vr-dangers-safety/index.html
¹⁷ Ibid.
¹⁸ Ibid.
¹⁹ Google, “Daydream View Health and Safety Information,” Daydream Help, 10 November 2016, http://support.google.com/daydream/answer/7185037?visit_id=1-636162973848457164-2214380425&p=safetywarrantyreq&rd=1
²⁰ Fineman, B.; N. Lewis; “Securing Your Reality: Addressing Security and Privacy in Virtual and Augmented Reality Applications,” EDUCAUSE Review, 21 May 2018, http://er.educause.edu/ articles/2018/5/securing-your-reality-addressing-security-and-privacy-in-virtual-and-augmented-reality-applications
²¹ IBM, “Microsoft HoloLens Integration With MaaS360,” IBM Knowledge Center
²² Ross, A.; “Solving the Virtual Reality Storage Challenge,” Information Age, 9 July 2018, www.information-age.com/virtual-reality-storage-challenge-123473300/