Insufficient Psychological Acceptability

Draft Class

Structure: Simple

Description

This weakness occurs when security features are so cumbersome or confusing that well-intentioned users feel forced to turn them off or find workarounds, defeating their purpose entirely.

Extended Description

At its core, this is a design failure that prioritizes theoretical security over real-world usability. When features like complex password rules, frequent re-authentication prompts, or convoluted privacy settings create significant friction, users will naturally seek the path of least resistance. This often means disabling the protection altogether, using weak passwords to meet requirements, or sharing credentials to avoid login hassles—actions that introduce far greater risk than the feature was meant to prevent. To avoid this, security must be baked into the user experience, not bolted on as an obstacle. Developers should design controls that are intuitive, context-aware, and minimally invasive. For example, offering biometric authentication alongside passwords, using risk-based authentication to reduce unnecessary prompts, or providing clear, immediate value for security actions. The goal is to make the secure choice the easiest and most obvious one, aligning security objectives with natural user behavior rather than fighting against it.

Common Consequences 1

Scope: Access Control

Impact: Bypass Protection Mechanism

By bypassing the security mechanism, a user might leave the system in a less secure state than intended by the administrator, making it more susceptible to compromise.

Potential Mitigations 2

Phase: Testing

Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why.

Phase: Architecture and Design

Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results.

Demonstrative Examples 3

In "Usability of Security: A Case Study" [REF-540], the authors consider human factors in a cryptography product. Some of the weakness relevant discoveries of this case study were: users accidentally leaked sensitive information, could not figure out how to perform some tasks, thought they were enabling a security option when they were not, and made improper trust decisions.

Enforcing complex and difficult-to-remember passwords that need to be frequently changed for access to trivial resources, e.g., to use a black-and-white printer. Complex password requirements can also cause users to store the passwords in an unsafe manner so they don't have to remember them, such as using a sticky note or saving them in an unencrypted file.

Some CAPTCHA utilities produce images that are too difficult for a human to read, causing user frustration.

References 4

The Protection of Information in Computer Systems

Jerome H. Saltzer and Michael D. Schroeder

Proceedings of the IEEE 63

09-1975

http://web.mit.edu/Saltzer/www/publications/protection/

ID: REF-196

Psychological Acceptability

Sean Barnum and Michael Gegick

15-09-2005

https://web.archive.org/web/20221104163022/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/psychological-acceptability(2023-04-07)

ID: REF-539

Usability of Security: A Case Study

J. D. Tygar and Alma Whitten

SCS Technical Report Collection, CMU-CS-98-155

15-12-1998

http://reports-archive.adm.cs.cmu.edu/anon/1998/CMU-CS-98-155.pdf

ID: REF-540

24 Deadly Sins of Software Security

Michael Howard, David LeBlanc, and John Viega

McGraw-Hill

2010

ID: REF-44

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Architecture and Design

Related Weaknesses

ChildOf:

Violation of Secure Design Principles (CWE-657)

ChildOf:

Protection Mechanism Failure (CWE-693)

Taxonomy Mapping

ISA/IEC 62443
ISA/IEC 62443

Notes

OtherThis weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.

MaintenanceThe Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.