Insufficient Psychological Acceptability| ID: 655 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The software has a protection mechanism that is too difficult
or inconvenient to use, encouraging non-malicious users to disable or bypass the
mechanism, whether by accident or on purpose.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Bypass protection
mechanism | By bypassing the security mechanism, a user might leave the system in
a less secure state than intended by the administrator, making it more
susceptible to compromise. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Testing | | Where possible, perform human factors and usability studies to
identify where your product's security mechanisms are difficult to use,
and why. | | |
| Architecture and Design | | Make the security mechanism as seamless as possible, while also
providing the user with sufficient details when a security decision
produces unexpected results. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-655 ChildOf CWE-906 | Category | CWE-888 | |
Demonstrative Examples (Details)
- Enforcing complex and difficult-to-remember passwords that need to
be frequently changed for access to trivial resources, e.g., to use a
black-and-white printer. Complex password requirements can also cause users
to store the passwords in an unsafe manner so they don't have to remember
them, such as using a sticky note or saving them in an unencrypted
file.
- In "Usability of Security: A Case Study" (see References), the
authors consider human factors in a cryptography product. Some of the
weakness relevant discoveries of this case study were: users accidentally
leaked sensitive information, could not figure out how to perform some
tasks, thought they were enabling a security option when they were not, and
made improper trust decisions.
- Some CAPTCHA utilities produce images that are too difficult for a
human to read, causing user frustration.
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:
- Jerome H. Saltzer Michael D. Schroeder .The Protection of Information in Computer
Systems. Proceedings of the IEEE 63. Published on September, 1975.
- Sean Barnum Michael Gegick .Psychological Acceptability. Published on 2005-09-15.
- J. D. Tygar Alma Whitten .Usability of Security: A Case Study. SCS Technical Report Collection,
CMU-CS-98-155. Published on 1998-12-15.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 14: Poor Usability." Page 217'. Published on 2010.
