CWE-655: Insufficient Psychological Acceptability

The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.

Potential Impact

Access Control

Bypass Protection Mechanism

Mitigations & Prevention

Testing

Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why.

Architecture and Design

Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results.
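As an added illustration (not part of the CWE entry), the code below puts the weakness and both mitigations side by side: an over-constrained password rule set that reports only "invalid password", the kind of mechanism users route around, beside one that enforces fewer rules and explains every rejection, plus a rejection-rate helper of the sort a usability study would use to find where a mechanism is hard to satisfy. The deny-list and sample passwords are constructed for the example.

```python
import re

# Constructed sample of a breached-password deny-list (real ones are huge).
DENY_LIST = {"password", "password1", "welcome1", "summer2024!", "qwerty123"}

def unusable_policy(pw: str) -> tuple[bool, str]:
    """CWE-655 anti-pattern: many composition rules, one opaque error."""
    rules = [
        len(pw) >= 12,
        re.search(r"[A-Z]", pw),               # uppercase
        re.search(r"[a-z]", pw),               # lowercase
        re.search(r"\d", pw),                  # digit
        re.search(r"[^\w\s]", pw),             # symbol
        not re.search(r"(.)\1", pw),           # no repeated adjacent character
        not re.search(r"\d{3}", pw),           # no three digits in a row
    ]
    # The user is told only that it failed, not which rule or how to fix it.
    return (True, "") if all(rules) else (False, "invalid password")

def usable_policy(pw: str) -> tuple[bool, list[str]]:
    """Mitigation: fewer rules that matter, every rejection explained."""
    problems = []
    if len(pw) < 12:
        problems.append(f"too short: {len(pw)} characters, need at least 12")
    if pw.lower() in DENY_LIST:
        problems.append("appears in a list of passwords exposed in breaches")
    if len(set(pw)) < 4:
        problems.append("uses fewer than 4 distinct characters")
    return (not problems, problems)

# Constructed sample of passwords real users might reasonably choose.
SAMPLE_PASSWORDS = [
    "correct horse battery staple",
    "my dog ate the homework 2019",
    "Summer2024!",
    "qwerty123",
]

def rejection_rate(policy, samples=SAMPLE_PASSWORDS) -> float:
    """Usability-testing proxy: share of reasonable choices a policy refuses.
    A high rate combined with opaque errors is where users start bypassing."""
    return sum(1 for s in samples if not policy(s)[0]) / len(samples)

if __name__ == "__main__":
    for name, policy in (("unusable", unusable_policy), ("usable", usable_policy)):
        print(f"{name}: rejects {rejection_rate(policy):.0%} of sample passwords")
    print(usable_policy("Summer2024!"))
```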

Taxonomy Mappings

  • ISA/IEC 62443: Part 2-1 — Req 4.3.3.6
  • ISA/IEC 62443: Part 4-1 — Req SD-4

Frequently Asked Questions

What is CWE-655?

CWE-655 (Insufficient Psychological Acceptability) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.

How can CWE-655 be exploited?

Attackers can exploit CWE-655 (Insufficient Psychological Acceptability) to bypass a protection mechanism. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-655?

Key mitigations include: where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why; and make the security mechanism as seamless as possible, while providing the user with sufficient details when a security decision produces unexpected results.

What is the severity of CWE-655?

CWE-655 is classified as a Class-level weakness (High abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.