Abuse Cases: Use cases for Threat modeling

Inspired by a toot from @ryanc@infosec.exchange and the long discussion it triggered. Ryan Castellucci wrote:

Developers should make “abuser stories” a thing.

As a Stalker,
  I want to track my ex's every move,
So that,
  I can 'coincidentally' run into them at any time.

As a Thief,
  I want to be able to reset passwords using SMS verification,
So that,
  I can compromise any account by bribing a telco employee.

Various terminology is discussed. I like “Abuse Case” better than “abuser story”, indicating an anti-use case to defend against, part of Threat modeling.

Other terminology coined was “Miscreant”, which I like as an alternative to Threat Actor…

Free dictionary: miscreant

  1. One who behaves badly, often by breaking rules of conduct or the law.

The Design Under Pressure page by SimplySecure defines a range of Miscreant “persona non grata”.