CWE-655 Detail

The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.

Modes Of Introduction

Architecture and Design

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Potential Mitigations

Phases : Testing
Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why.
Phases : Architecture and Design
Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results.

Vulnerability Mapping Notes

Justification : This CWE entry is a Class, but it does not have Base-level children.
Comment : This entry is classified in a part of CWE's hierarchy that does not have sufficiently low-level coverage, which might reflect a lack of classification-oriented weakness research in the software security community. Conduct careful root cause analysis to determine the original mistake that led to this weakness. If closer analysis reveals that this weakness is appropriate, then this might be the best available CWE to use for mapping. If no other option is available, then it is acceptable to map to this CWE.

NotesNotes

This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.
The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.

References

REF-196

The Protection of Information in Computer Systems
Jerome H. Saltzer, Michael D. Schroeder.
http://web.mit.edu/Saltzer/www/publications/protection/

REF-539

Psychological Acceptability
Sean Barnum, Michael Gegick.
https://web.archive.org/web/20221104163022/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/psychological-acceptability

REF-540

Usability of Security: A Case Study
J. D. Tygar, Alma Whitten.
http://reports-archive.adm.cs.cmu.edu/anon/1998/CMU-CS-98-155.pdf

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

Submission

Modifications