Abuse case[1] is a specification model for security requirements used in the software development industry. The term abuse case is an adaptation of use case. The term was introduced by John McDermott and Chris Fox in 1999, while working at the Computer Science Department of James Madison University.[1] As defined by its authors, an abuse case is a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system. We cannot define completeness just in terms of coherent transactions between actors and the system. Instead, we must define abuse in terms of interactions that result in actual harm. A complete abuse case defines an interaction between an actor and the system that results in harm to a resource associated with one of the actors, one of the stakeholders, or the system itself.
Their notation appears to be similar to misuse cases, but there are differences reported by Chun Wei in Misuse Cases and Abuse Cases in Eliciting Security Requirements.[2]
Use cases specify required behaviour of software and other products under development, and are essentially structured stories or scenarios detailing the normal behavior and usage of the software. Abuse cases extend the UML notation to model abuse in those systems.
Abuse cases are most commonly used in the field of security requirements elicitation.
An abuse case diagram is created together with a corresponding use case diagram, but not in the same diagram (unlike a misuse case). No new terminology or special symbols are introduced for abuse case diagrams; they are drawn with the same symbols as a use case diagram. To distinguish between the two, the use case diagram and abuse case diagrams are kept separate but related. Hence abuse cases do not appear in the use case diagrams and vice versa.