What is the difference between misuse and abuse cases in security?
The nuance is subtle and not well-defined, but if you really want to make a distinction between misuse and abuse, then I'd say that abuse is "misuse with malicious intent".
E.g. running while carrying a powered chainsaw is misuse; doing so on purpose in a crowded mall is abuse.
Misuse Case:
It describes the process of executing a malicious act against a system, while use case can be used to describe any action taken by the system.
Abuse Case:
A complete abuse case defines an interaction between an actor and the system that results in harm to a resource associated with one of the actors, one of the stakeholders, or the system itself.
Contrary to what most people would naturally conclude, "Misuse Cases" require malicious intent, "Abuse Cases" do not. Misuse Case is the antithesis of the Use Case where users are not doing what they should according to established procedure. Actors are "mis-using" the system. "Abuse Case" seems to draw from the technical etymology of the term "ab-use", meaning "outside of the use".
"Misuse Case" is an intentional violation of the system by a "Mis-Actor". Misuse Cases analyse user/actor threats to the system.
"Abuse Case" does not include intent in its analysis. It is focused on the set of actions that can cause harm. Abuse Cases analyse system vulnerabilities.
But these terms are new and practitioners are defining them as we go.
Further reading on the differences as of 2005