SoK: Is Sustainable the New Usable? Debunking The Myth of Fundamental Incompatibility Between Security and Sustainability

TL;DR

This paper systematically analyzes the relationship between security and sustainability, finding little inherent conflict and suggesting that lessons from usable security can help integrate sustainability into system design.

Contribution

It provides a comprehensive analysis of 29 papers, distills sustainability guidelines, and compares them with cybersecurity guidance to challenge the myth of incompatibility.

Findings

Little evidence of a fundamental tension between security and sustainability

Tensions can be mitigated through thoughtful design considerations

Sustainable security shares challenges with usable security, such as responsibility shifting

Abstract

Every year, millions of functional systems become e-waste because users are pressured to send their systems to landfills due to a lack of vendor support and difficulty in recycling. Vendors cite ``cybersecurity'' as the driver for short product support periods, leading to a prevalent, but uninterrogated, belief that cybersecurity and environmental sustainability are fundamentally contradictory; i.e., it is difficult, if not impossible, to build products that are secure, long-lasting, and reusable. To understand the nuanced relationship between security and sustainability, we systematically analyze 29 papers and distill 155 sustainability guidelines into 12 sustainability themes. These themes enable us to compare the sustainable HCI and sustainable software engineering guidance with that of cybersecurity, identifying points of alignment and tension. We find little evidence of a fundamental tension between these two domains; the few instances of tension can be mitigated through thoughtful consideration of security and sustainability objectives. We also find that sustainability, like usable security, struggles with the myth of users as the weakest link and the individualization of responsibility. Building on these parallels, we argue that the usable security community is well-positioned to integrate sustainability considerations, as both fields share challenges in shifting responsibility from individuals to systemic design.