Class weakness

Draft

CWE-655: Insufficient Psychological Acceptability

The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.

Last updated May 1, 2026

0

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

CWE-655 (Insufficient Psychological Acceptability) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Common consequences

What can happen when CWE-655 is exploited.

Bypass Protection Mechanism

Affects: Access Control

By bypassing the security mechanism, a user might leave the system in a less secure state than intended by the administrator, making it more susceptible to compromise.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

How to prevent it

Practical mitigations for CWE-655, grouped by where in the lifecycle they apply.

Testing

Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why.

Architecture and Design

Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In "Usability of Security: A Case Study" [REF-540], the authors consider human factors in a cryptography product. Some of the weakness relevant discoveries of this case study were: users accidentally leaked sensitive information, could not figure out how to perform some tasks, thought they were enabling a security option when they were not, and made improper trust decisions.

Enforcing complex and difficult-to-remember passwords that need to be frequently changed for access to trivial resources, e.g., to use a black-and-white printer. Complex password requirements can also cause users to store the passwords in an unsafe manner so they don't have to remember them, such as using a sticky note or saving them in an unencrypted file.

Some CAPTCHA utilities produce images that are too difficult for a human to read, causing user frustration.

Terminology & mappings

Mapped taxonomies

ISA/IEC 62443: Req 4.3.3.6 (Part 2-1)
ISA/IEC 62443: Req SD-4 (Part 4-1)

Frequently asked questions

Common questions about CWE-655.

What is CWE-655?

The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.

How do you prevent CWE-655?

Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why.

What are the consequences of CWE-655?

Exploiting CWE-655 can lead to: Bypass Protection Mechanism.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-655

Get alerted the moment a new CWE-655 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing