Eliciting security requirements with misuse cases

Another possibility is to align misuse cases with traditional
fault-tree analysis methods from the safety area,
such as threat trees [49] or attack trees [50, 51]. Adapted
for security analysis, these trees would decompose
security threats using AND and OR nodes, where OR
nodes correspond directly to misuse case generalization—
such as when a password can be obtained in several
ways [28]—and where AND nodes are not explicitly
covered in our notation (but may be implicit in misuse case
inclusion and preconditions). Extending the misuse
case notation with AND nodes, e.g., using the UML's
aggregation symbol, may be straightforward, and a
natural next step would be to align the misuse cases with
the NFR framework [52] for analyzing non-functional
requirements.

cited from
Guttorm Sindre, Andreas L. Opdahl: Eliciting security requirements with misuse cases. Requir. Eng. 10(1): 34-44 (2005)
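
The AND/OR decomposition described in the excerpt can be made concrete as follows. This is an added example, not code or notation from the paper: the tree, the leaf threat names and the functions minimal_sets and unmitigated are constructed for illustration. The OR node models misuse case generalization (several ways to obtain a password), the AND node models an included precondition, and the code lists which threat combinations still lack a countering security requirement.

```python
from itertools import product

# Constructed sample tree. A node is a leaf (a string naming a basic threat)
# or a tuple (kind, children) with kind "AND" or "OR".
OBTAIN_PASSWORD = ("OR", [            # generalization: several specializations
    "guess password",
    "observe password entry",
    "intercept password in transit",
])
TREE = ("AND", [OBTAIN_PASSWORD, "reach login interface"])  # precondition


def minimal_sets(node):
    """Return the minimal sets of leaf threats that together realise node."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    child_sets = [minimal_sets(c) for c in children]
    if kind == "OR":
        # Any single child suffices: take the union of the alternatives.
        combined = set().union(*child_sets)
    elif kind == "AND":
        # Every child is needed: combine one alternative from each child.
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown node type: {kind!r}")
    # Drop any set that strictly contains another one (not minimal).
    return {s for s in combined if not any(o < s for o in combined)}


def unmitigated(node, mitigated):
    """List the minimal sets in which no leaf is countered by a requirement.

    One mitigated leaf blocks a whole AND combination, whereas an OR node is
    only blocked once every one of its branches is.
    """
    covered = set(mitigated)
    return sorted(sorted(s) for s in minimal_sets(node) if not (s & covered))


if __name__ == "__main__":
    for combo in unmitigated(TREE, {"guess password"}):
        print("still open:", " + ".join(combo))
```

Countering only one specialization under the OR node leaves the other two combinations open, while countering the shared AND precondition closes all three.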