Psychology and neuroscience literature shows the existance of up - per bounds on the human capacity for executing cognitive. Tasks and for information processing. These bounds, are where demon - strably people start, experiencing cognitive strain. And consequently committing errors in the tasks execution. We argue that the usable security discipline should scientifically. Understand such bounds in order to have realistic expectations about what people can or can - not attain when coping with. Security tasks. This may shed light on whether Johnny will be ever be able to encrypt. We propose a conceptual framework. For evaluation of human capacities in secu - rity that also assigns systems to complexity categories according to their security. And usability. From what we have initiated in this paper we ultimately, aim at providing designers of security mech - anisms. And policies with the ability to say: "This feature of the security mechanism X or this security policy element Y is inappro -. Priate because this, evidence shows that it is beyond the capacity of its target community.