Ian Alexander

Scenario Plus, London, UK

AMISUSE Case is the negative form of a Use Case. It documents a negative scenario. Its Actor is a hostile agent, typically but not always a human with hostile intent towards the system under design. The relationships between Use and Misuse Cases document threats and their mitigations. Use/Misuse Case diagrams are therefore valuable in security threat and safety hazard analyses. Mitigation often involves new subsystems, so Misuse Cases also have a role in system design.

Misuse Cases can help elicit requirements for systems, especially where exception cases might otherwise be missed. Their immediate applications are for security and safety requirements—in that order, but they can be useful for other types of requirement, for identifying missing functions, and for generating test cases.


  • Systems in which security is a major concern, for example, distributed and web-based systems, financial systems, government systems.
  • Safety-related systems using new technologies, in which knowledge of hazards in earlier systems may be an insufficient guide to hazards introduced by new system functions and their interactions, for example, control systems in automotive, railway, and aerospace.
  • Systems in which stakeholders may hold conflicting viewpoints that would threaten the project if not addressed, for example, multi-national government projects.
  • More generally, any system in which threats and ...

Get Scenarios, Stories, Use Cases: Through the Systems Development Life-Cycle now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.