LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are Misuse Cases and Mitigation Cases, and how do they extend a UC Diagram for security?

A Misuse Case is a use case turned inside-out — it models what an attacker wants to happen (and shouldn't); a Mitigation Case is the control you add to stop it.

A use-case diagram extended with black misuse-case ovals and a hostile misactor threatening the legitimate use cases.

* Misuse cases (black ovals) drawn over a normal use-case diagram, driven by a hostile misactor. — Marcel Douwe Dekker, CC BY-SA 3.0, via Wikimedia Commons. *

This is how you bolt security onto a plain functional diagram: for every legitimate use case you ask "how could this be abused?", draw that abuse as a black oval (the MUC), then draw the defence (the Mitigation Case) that cancels it. The payoff is that vague goals like "be secure" become concrete, testable requirements tied to a named attack.

MUC vs UC at a glance:

Aspect Use Case Misuse Case Mitigation Case
Describes Wanted behavior Unwanted/attack behavior Security control
Visual White oval Black/filled oval Oval (often red border)
Actor User/System Misactor (attacker) System
Derives Functional requirements Security requirements Security design

Process to add security to a UC Diagram:

  1. For each UC, identify how it could be attacked → create MUCs
  2. Describe each MUC in detail (using the MUC template)
  3. Design Mitigation Cases that counter the MUCs
  4. MUCs connect to UCs via "threatens" relationships; Mitigations connect via "mitigates"

Why this matters: MUCs turn vague "the system should be secure" into specific, testable security requirements tied to concrete attack scenarios.

Go deeper:

From Quiz: SPRG / Security Review | Updated: Jul 14, 2026