Breaking "Extends" relationships for use/misuse/mitigation use case refinement

We use refinement to investigate the interplay between functional (use cases) and security requirements (misuse cases and mitigation use case), thus creating a complete set of security-centric requirements that can guide subsequent software development phases. Part of the initial refinement is to identify relationships ("includes" and "extends") among refined cases for each case type (use, misuse, mitigation use). Use case modeling uses the "extends" relationship for optional behaviors or when added functionality to a case is necessary. There is difficulty in using the "extends" relationship among refined cases, because of the inherent ambiguity of the relationship. There is a distinct difference between additional behaviors and optional behaviors. We use the "extends" to model when one refined case provides additional behavior to another decomposed cases or when there are alternative executions among two or more refined cases. These two situations are very different, yet UML 2.0 uses the "extends" relationship for both. To mitigate this ambiguity, we propose adding indicators to the "extends" relationship to differentiate between when it is used for optional behaviors and when it is used for additional behaviors.