In the era of the information society, it is important to secure systems against security breaches. To understand and model such security breaches, the concept of abuse cases has been introduced. While the extant research on abuse cases offer important insights into secure systems design, these approaches do not offer (a) empirical evidence on their usefulness and relevance in practice, (b) means to prioritize security requirements, (c) explicit support for designing countermeasures, and (d) explicit support for integrating a risk management process into abuse cases. In this paper, we refine an extended abuse case model developed in our earlier research to address these four issues. This approach is then tested in practice with action research. The action research experience demonstrates that the refined approach was useful and easy to embed into information systems development methods in practice.