7

I know that misuse cases are use cases which help identify security requirements, as they highlight the user's goal in misusing the system, but what exactly are abuse cases, and what is the difference, or are these very similar to each other?

schroeder
rikket

4 Answers

6

The nuance is subtle and not well-defined, but if you really want to make a distinction between misuse and abuse, then I'd say that abuse is "misuse with malicious intent".

E.g. running while carrying a powered chainsaw is misuse; doing so on purpose in a crowded mall is abuse.

Tom Leek
  • Academic definitions actually reverse the definitions compared to what you stated. Misuse is malicious. Abuse does not define intent. – schroeder Oct 19 '18 at 10:10
4

Misuse Case:

It describes the process of executing a malicious act against a system, while use case can be used to describe any action taken by the system.

Abuse Case:

A complete abuse case defines an interaction between an actor and the system that results in harm to a resource associated with one of the actors, one of the stakeholders, or the system itself.

Contrary to what most people would naturally conclude, "Misuse Cases" require malicious intent, "Abuse Cases" do not. Misuse Case is the antithesis of the Use Case where users are not doing what they should according to established procedure. Actors are "mis-using" the system. "Abuse Case" seems to draw from the technical etymology of the term "ab-use", meaning "outside of the use".

"Misuse Case" is an intentional violation of the system by a "Mis-Actor". Misuse Cases analyse user/actor threats to the system.

"Abuse Case" does not include intent in its analysis. It is focused on the set of actions that can cause harm. Abuse Cases analyse system vulnerabilities.

But these terms are new and practitioners are defining them as we go.

Further reading on the differences as of 2005

schroeder
1

Misuse may be accidental, and implies that you are using the system in a way not designed.

  • e.g., run rm -rf on your filesystem

Abuse is usually premeditated and purposeful; you can abuse a system without misusing it by doing legitimate activities in an unauthorized manner.

  • e.g., DDoS attack using legitimate requests to load a page

You may be interested to read the legal text of Computer Fraud and Abuse Act (CFAA) [USA].


Edit:

I found a formal definition of "computer abuse" from NIST in their Glossary of Key Information Security Terms :

Computer Abuse – Intentional or reckless misuse, alteration, disruption, or destruction of information processing resources.

However, whereas the US has an "abuse" act, the UK has a "misuse" act (Computer Misuse Act 1990) (another ref), as does Singapore (Computer Misuse and Cybersecurity Act (CHAPTER 50A)), which sounds closer to the definition of abuse.

Eric G
  • Misuse Case and Abuse Case have formal definitions. The NIST definition of "computer abuse" and "computer misuse" laws are not applicable. – schroeder Oct 19 '18 at 11:50
0

In non-technical English, misuse and abuse have near-identical connotation. I'd encourage the contemporary analyst to avoid using these terms. We have much more understandable terminology: insider threats, external threats, and usability defects.

But... if for some reason you really want to use these terms... here are the definitions developed within my security group sometime during the period 2004-6, when we were considering how we might extend use-case diagrams so that they'd handle a full range of security, functionality and usability requirements.
Consider:

  • someone who causes a system to perform some action either gains the (significant) results they were intending, or else there are some (significant) unintended consequences. Note: we ignore actions which have no major consequences.
  • someone who accesses a system in some way may be authorised to access it in this way, or else they are unauthorised.
  • someone who accesses a system may be intending to cause harm, or else their motives are beneficial. Note: we understand that an unauthorised user may believe themselves to be acting in a way that is beneficial to the system's owner, or in a way that is beneficial to parties other than the owner of the system; but (as is customary in security analyses) we define system requirements from the perspective of the primary stakeholder in the system (which we call its "owner", for convenience), and we leave it to the owner of the system to decide who is authorised to perform beneficial acts using their system, and who is unauthorised.

Although three Boolean variables have eight possibilities, half are unimportant (or have been defined-away, as in the case of an unauthorised user who intends a beneficial use). This leaves us with just four major types of cases to consider, when defining system requirements -- and we chose "cute" names (???use) for these three extensions to the good-old use case:

Use Case:

A beneficial result from an authorised user.

Confuse Case:

A harmful but unintentional result from an authorised user, that is, the harmful consequences of a usability defect in a use-case.

Misuse Case:

Harm intentionally caused by an authorised user, that is, an insider threat of a use-case that is exercised with harmful intent.

Abuse Case:

Harm intentionally caused by an unauthorised user, that is, an outsider threat of a system with inadequate access control.

AFAIK nobody in our group has ever published these definitions. I recall Mike Stay as making the key insight, in discussions with Jas Nagra, Stephen Drape, and myself. We were definitely guided by a very nicely-researched report written by a student in the 2005 offering of my COMPSCI 725 course. And I'm almost certain that Mike's naming of the "confuse case" was a linguistic reference to the confused deputy problem.

I believe there is still no general agreement, among scholars, on how misuse cases and abuse cases "should" be defined. But -- no matter how they are named, or exactly how they are defined, the underlying concepts of insider threat, external threat, and the threats posed by usability defects are important to all security practitioners. And some practitioners do use these terms, e.g. Vector offers deliverables which include "Pentest misuse, abuse and confuse scenarios".
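The three-Boolean model in the answer above, worked through as an added example (my code, not the answer's author's or their group's): it enumerates all eight combinations of authorised/unauthorised, harmful/beneficial intent and intended/unintended result, names the four that the answer keeps, and marks the other four as excluded. Which two combinations count as "defined away" follows from the answer's note on unauthorised-but-beneficial actors; treating "harmful intent with an unintended result" as the "unimportant" pair is my assumed reading.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Access:
    """One significant interaction with the system, described by the three
    Boolean variables the answer above defines (constructed model, not the
    author's code)."""
    authorised: bool       # is the actor authorised to access the system this way?
    harmful_intent: bool   # does the actor intend to cause harm?
    result_intended: bool  # did the actor obtain the result they intended?

def classify(a: Access) -> str:
    """Map one combination onto a named case, or say why it is left out."""
    if not a.authorised and not a.harmful_intent:
        # Defined away: the owner decides who may do beneficial things.
        return "excluded (unauthorised actor with beneficial motive is defined away)"
    if a.harmful_intent and not a.result_intended:
        # Assumed reading of 'half are unimportant': harm was intended but
        # the significant consequence was not the one the actor was after.
        return "excluded (unimportant)"
    if a.authorised and not a.harmful_intent:
        return "Use Case" if a.result_intended else "Confuse Case"
    return "Misuse Case" if a.authorised else "Abuse Case"

def enumerate_cases() -> dict:
    """Walk all 2**3 combinations and label each one."""
    return {Access(*bits): classify(Access(*bits))
            for bits in product([True, False], repeat=3)}

def named_cases(table: dict) -> list:
    """The distinct case names that survive the exclusions."""
    return sorted({v for v in table.values() if not v.startswith("excluded")})

if __name__ == "__main__":
    for a, label in enumerate_cases().items():
        print(f"authorised={a.authorised!s:<5} harmful_intent={a.harmful_intent!s:<5} "
              f"result_intended={a.result_intended!s:<5} -> {label}")
```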