CWE - CWE-655: Insufficient Psychological Acceptability (2.1)

Home > CWE List > CWE- Individual Dictionary Definition (2.1)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS
CWRAF
T-Shirt

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Coverage Claims Representation
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-655: Insufficient Psychological Acceptability

Insufficient Psychological Acceptability

Weakness ID: 655 (Weakness Base)

Status: Draft

Description

Description Summary

The software has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.

Time of Introduction

Architecture and Design
Implementation
Operation

Applicable Platforms

Languages

All

Common Consequences

Scope	Effect
Access Control	Technical Impact: Bypass protection mechanism By bypassing the security mechanism, a user might leave the system in a less secure state than intended by the administrator, making it more susceptible to compromise.

Demonstrative Examples

Example 1

In "Usability of Security: A Case Study" (see References), the authors consider human factors in a cryptography product. Some of the weakness relevant discoveries of this case study were: users accidentally leaked sensitive information, could not figure out how to perform some tasks, thought they were enabling a security option when they were not, and made improper trust decisions.

Example 2

Enforcing complex and difficult-to-remember passwords that need to be frequently changed for access to trivial resources, e.g., to use a black-and-white printer. Complex password requirements can also cause users to store the passwords in an unsafe manner so they don't have to remember them, such as using a sticky note or saving them in an unencrypted file.

Example 3

Some CAPTCHA utilities produce images that are too difficult for a human to read, causing user frustration.

Potential Mitigations

Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why.

Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results.

Other Notes

This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	254	Security Features	Development Concepts699
ChildOf	Weakness Class	657	Violation of Secure Design Principles	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Weakness Class	693	Protection Mechanism Failure	Research Concepts1000

Causal Nature

Implicit

References

Jerome H. Saltzer and Michael D. Schroeder. "The Protection of Information in Computer Systems". Proceedings of the IEEE 63. September, 1975. <http://web.mit.edu/Saltzer/www/publications/protection/>.

Sean Barnum and Michael Gegick. "Psychological Acceptability". 2005-09-15. <https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/354.html>.

J. D. Tygar and Alma Whitten. "Usability of Security: A Case Study". SCS Technical Report Collection, CMU-CS-98-155. 1998-12-15. <http://reports-archive.adm.cs.cmu.edu/anon/1998/CMU-CS-98-155.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization	Source
2008-01-18	Pascal Meunier	Purdue University	External Submission
2008-01-18
Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time_of_Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Common_Consequences, Relationships, Other_Notes, Weakness_Ordinalities
2009-01-12	CWE Content Team	MITRE	Internal
2009-01-12	updated Description, Name
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Name
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
Previous Entry Names
Change Date	Previous Entry Name
2009-01-12	Design Principle Violation: Failure to Satisfy Psychological Acceptability

2009-05-27	Failure to Satisfy Psychological Acceptability

Page Last Updated: September 12, 2011


	CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us