WithSecure Sustainability UX study report

Introduction

At WithSecure, we are committed to continuing to reduce our environmental footprint. As a technology company, our primary focus is on our software products. We fully acknowledge that technology, and more specifically, software, plays a significant role in energy consumption and, consequently, contributes to greenhouse gas emissions.

Software products can be used in various ways, incorporating different settings and usage patterns. The way in which a software product is used plays an important role in determining the number of operations and calculations it performs, consequently influencing the overall energy consumption. In other words, the settings that are applied to a software program can have a substantial impact on the energy consumption of the device running that software.

As an example, let’s consider streaming media services. The resolution preference of a user is a tradeoff between the viewing experience and the number of operations that are required to transmit and display the content. In this way, user choices and settings directly contribute to the energy efficiency of the software and its impact on the device's power consumption.

We face a similar challenge with cybersecurity products, where specific settings are more resource-intensive than others. Moreover, each IT environment is inherently unique, with diverse requirements. This is why we provide users with an extensive array of settings, referred to as profiles. Thus, we enable them to fine-tune protection parameters to align with the specific needs of their environments.

Goals

Our Profile editor is a tool within the product that allows users to configure security settings for subsequent application on protected devices.

In principle, our goal is to develop an “energy dashboard” within Elements that shows the cumulative impact of all the settings on the overall energy consumption of the protection features. We believe that by visualizing the energy impact of certain settings in a profile that is applied to a protected end device, we empower security administrators to make more informed decisions when striking balance between security features and energy efficiency.

We aim for the information to have a meaningful impact, but we also recognize that users might be tempted to disable critical security settings to minimize the use of energy and adopt an eco-friendly approach. To better comprehend the likelihood of such behavior, we have conducted research into customer behavior analyzing the impact of environmental data on users’ decision-making.

WithSecure remains committed to providing the best security, but we will take sustainability into account while doing so.

A key aspect of our research involved a UX experiment, where respondents were presented with a hypothetical situation related to a specific setting in the Profile editor in WithSecure Elements software. They were asked to formulate their decision, while simultaneously considering two dimensions – security concerns and visualized energy sensitivity. Different respondent groups were exposed to three distinct versions of the same user interface setting.

The question asked was “Assuming you are configuring a profile to be assigned to all office users in the organization, knowing many of them tend to browse the internet for private matter from the same machine, would you enable this setting visible on the screenshot?”. The surveyed user was then shown a distinct variant of the user interface:

Default (no information about the energy usage impact) – serving as our control group.

Variant A

Variant B

In each variant, we asked the respondents how likely they are to enable the setting in a given situation, with responses ranging from ‘Definitely not‘ to ‘Definitely yes‘. Importantly, the feature used for the study was not security-critical and relatively unfamiliar. We believe that this choice enhanced the representativeness of the experiment eliminating a clear “right answer”. Respondents were randomly assigned the experimental question.

The results suggest that visualizing the energy consumption factor does influence users’ decisions, although the impact is not dramatic.

We view this as a positive sign and an encouragement for our company to continue investing in sustainable software, for two key reasons. Firstly, had the results shown no effect of visualizing energy impact on the decisions, it would have rendered the implementation of such features into the product useless. Secondly, had the results demonstrated a dramatic shift in decisions, it would have validated our concerns that users might “overreact” to energy usage information, leading to drastic decisions that could compromise their cybersecurity posture.

What emerged from the results is a subtle influence. The control group tended more toward a “Definitely yes” response, while the groups exposed to energy impact leaned more toward a “Probably yes”.

While the sample size may not meet the criteria for statistical significance in academic terms, it serves our specific purposes and provides important guidance for WithSecure. The research results indicate that, in line with our expectations, WithSecure Elements Security Center users and their organizations consider the sustainability effects of their choices, while at the same time they exhibit a heightened awareness of cybersecurity risks.

The responses to experimental questions also exhibit an anticipated trend. It is evident that visualizing the energy impact of a setting influenced users to a degree, resulting in fewer respondents choosing to enable the setting when they were aware of its energy intensity. However, the impact was not drastic, which gives us confidence that our users, when shown the energy impact, will have a cautious approach in deciding whether to enable a specific option.

When implementing the new version of the Elements Profile Editor, we will make sure to warn users before disabling or changing the most security-sensitive settings, regardless of their energy impact. With this, we aim to further reduce the risk of inadvertently lowering the protection level.