What are Misuse Cases and Mitigation Cases, and how do they extend a UC Diagram for security?
A Misuse Case is a use case turned inside-out — it models what an attacker wants to happen (and shouldn't); a Mitigation Case is the control you add to stop it.
* Misuse cases (black ovals) drawn over a normal use-case diagram, driven by a hostile misactor. — Marcel Douwe Dekker, CC BY-SA 3.0, via Wikimedia Commons. *
This is how you bolt security onto a plain functional diagram: for every legitimate use case you ask "how could this be abused?", draw that abuse as a black oval (the MUC), then draw the defence (the Mitigation Case) that cancels it. The payoff is that vague goals like "be secure" become concrete, testable requirements tied to a named attack.
MUC vs UC at a glance:
| Aspect | Use Case | Misuse Case | Mitigation Case |
|---|---|---|---|
| Describes | Wanted behavior | Unwanted/attack behavior | Security control |
| Visual | White oval | Black/filled oval | Oval (often red border) |
| Actor | User/System | Misactor (attacker) | System |
| Derives | Functional requirements | Security requirements | Security design |
Process to add security to a UC Diagram:
- For each UC, identify how it could be attacked → create MUCs
- Describe each MUC in detail (using the MUC template)
- Design Mitigation Cases that counter the MUCs
- MUCs connect to UCs via "threatens" relationships; Mitigations connect via "mitigates"
Why this matters: MUCs turn vague "the system should be secure" into specific, testable security requirements tied to concrete attack scenarios.
Go deeper:
Misuse case (Wikipedia) — the misuser actor and the threatens / mitigates relationships.
OWASP — Threat Modeling — the "what can go wrong?" framework misuse cases operationalize.