Abuse cases: a description of the method
Dec 8th, 2008 by Jesper Kråkhede
Four years ago I stumbled into a discussion about how security was handled in RUP. As the discussion went on the voices rose, and in the end the poor bastard yelled at me: "You are abusing my use cases", and with that the Abuse Case was born.
Just to set the context: An abuse case is not a type of use case. It is something completely different.
An abuse case consists of four parts:
*An Abuser, who carries out the attack
*A process/solution, that is attacked or exploited
*An Endlooser, whose identity is used or who is otherwise abused
*An Asset, that which is lost or in other ways tampered with
(and yes, I actually use these words, both for fun and to get the right mindset).
The abuse case is small and granular by nature, and the purpose is to connect several of them into one or more attack scenarios that are modular and flexible. By combining different abusers and assets with the attack paths defined against a solution, it is possible to build far more complex attacks that more closely mimic the real complexity of real-world attacks.
To be able to create abuse cases you must have something that can be attacked. On this process/solution you map out the possible attack paths, and from those you map out all possible abusers. Then you look at the different parts of your attack surface to find which parts the different abusers attack. In those parts you map in the asset that could be lost and the possible Endlooser, the one who actually loses the information or who is to take the blame.
The last step is to add the mitigating controls you have that actually prevent a given abuse case. It is important to do this last so as not to hinder creativity in the workshop. Always assume that any single layer can and will fail: if several protective layers are administered by the same person, it is rather easy to bribe that person into making an error at exactly the moment you are inserting a trojan.
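To make the method concrete, here is an added example, not code from the original post: a small Python model of the four-part abuse case with mitigations added last, a function that chains cases into attack scenarios, and a check for the weakness described above, several protective layers all administered by one person. The `requires`/`yields` capability sets that let one case feed into the next are an assumption made here, and every name, system and mitigation in the sample data is constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


# Hypothetical data model for the four parts of an abuse case, plus the
# mitigations that are filled in last. The `requires`/`yields` capability
# sets are an assumption added here so one case can feed into the next.
@dataclass(frozen=True)
class Mitigation:
    name: str
    administrator: str  # the person who operates this protective layer


@dataclass(frozen=True)
class AbuseCase:
    abuser: str                  # who performs the attack
    target: str                  # the process/solution that is attacked or exploited
    attack_way: str              # how the target is attacked
    endlooser: str               # whose identity is used, or who takes the blame
    asset: str                   # what is lost or tampered with
    requires: frozenset = frozenset()  # capabilities the abuser must already hold
    yields: frozenset = frozenset()    # capabilities gained if the case succeeds
    mitigations: Tuple[Mitigation, ...] = ()  # protective layers, filled in last


def blocked(case: AbuseCase, assume_failed: frozenset) -> bool:
    """A case is blocked while at least one of its layers is still standing."""
    return any(m.name not in assume_failed for m in case.mitigations)


def attack_scenarios(cases, abuser, start, goal_asset, assume_failed=frozenset()):
    """Chain abuse cases into attack scenarios: depth-first from the abuser's
    starting capabilities until a case reaches goal_asset. Layers named in
    assume_failed are treated as having failed, which shows what each one
    was holding back on its own."""
    found: List[List[AbuseCase]] = []

    def walk(have: frozenset, chain: List[AbuseCase]) -> None:
        for case in cases:
            if case.abuser != abuser or case in chain:
                continue
            if not case.requires <= have or blocked(case, assume_failed):
                continue
            extended = chain + [case]
            if case.asset == goal_asset:
                found.append(extended)
            else:
                walk(have | case.yields, extended)

    walk(frozenset(start), [])
    return found


def shared_administrator_cases(cases):
    """Cases with several protective layers that are all run by one person:
    bribing or pressuring that one person removes every layer at once."""
    out = []
    for case in cases:
        admins = {m.administrator for m in case.mitigations}
        if len(case.mitigations) > 1 and len(admins) == 1:
            out.append((case, admins.pop()))
    return out


# Constructed sample workshop output (hypothetical people, systems, controls).
CASES = [
    AbuseCase("outsider", "helpdesk password reset", "social engineering",
              "employee Alice", "Alice's credentials",
              yields=frozenset({"alice_credentials"}),
              mitigations=(Mitigation("callback verification", "helpdesk lead"),)),
    AbuseCase("outsider", "payroll web app", "log in with stolen credentials",
              "employee Alice", "payroll records",
              requires=frozenset({"alice_credentials"}),
              yields=frozenset({"payroll_access"}),
              mitigations=(Mitigation("MFA", "IT admin Bob"),
                           Mitigation("login anomaly alerting", "IT admin Bob"))),
    AbuseCase("outsider", "payroll web app", "change salary bank account",
              "employee Alice", "salary payment",
              requires=frozenset({"payroll_access"})),
]

if __name__ == "__main__":
    all_layers = frozenset({"callback verification", "MFA", "login anomaly alerting"})
    for chain in attack_scenarios(CASES, "outsider", set(), "salary payment", all_layers):
        print(" -> ".join(c.attack_way for c in chain))
    for case, admin in shared_administrator_cases(CASES):
        print(f"every layer on '{case.target}' depends on {admin}")
```

With all layers standing no scenario reaches the salary payment; naming layers in `assume_failed` one at a time shows which single control each step rests on, and the shared-administrator check flags the payroll login, where MFA and alerting look like two layers but collapse into one person.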
Abuse cases may sound like a joke (and the naming certainly is), but I have used them successfully in too many workshops to just neglect them. Please feel free to ask questions on how to use them in your own workshops.