Abuse case [1] is a specification model for security requirements used in the software development industry. The term Abuse Case is an adaptation of use case. The term was introduced by John McDermott and Chris Fox in 1999, while working at Computer Science Department of the James Madison University.[citation needed] As defined by its authors, an abuse case is a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system. We cannot define completeness just in terms of coherent transactions between actors and the system. Instead, we must define abuse in terms of interactions that result in actual harm. A complete abuse case defines an interaction between an actor and the system that results in harm to a resource associated with one of the actors, one of the stakeholders, or the system itself.

Their notation appears to be similar to Misuse cases, but there are differences reported by Chun Wei in Misuse Cases and Abuse Cases in Eliciting Security Requirements.[2]


Use cases specify required behaviour of software and other products under development, and are essentially structured stories or scenarios detailing the normal behavior and usage of the software. Abuse cases extend the UML notation to model abuse in those systems.

Area of useEdit

Abuse cases are most commonly used in the field of security requirements elicitation.

Basic conceptsEdit

An abuse case diagram is created together with a corresponding use case diagram, but not in the same diagram (different from Misuse case). There is no new terminology or special symbols introduced for abuse case diagrams. They are drawn with the same symbols as a use case diagram. To distinguish between the two, the use case diagram and abuse case diagrams are kept separate, and related. Hence abuse cases do not appear in the use case diagrams and vice versa.

See alsoEdit


  1. ^ John McDermott and Chris Fox (Dec 1999). "Using Abuse Case Models for Security Requirements Analysis" (PDF). Proceedings of the 15th Annual Computer Security Applications Conference, 1999. (ACSAC '99): 55–64.
  2. ^ Chun Wei (Johnny), Sia, Misuse Cases and Abuse Cases in Eliciting Security Requirements, http://www.cs.auckland.ac.nz/compsci725s2c/archive/termpapers/csia.pdf