When Security Risk Assessment Meets Advanced Metering Infrastructure: Identifying the Appropriate Method

Mostafa Shokry, Ali Ismail Awad, Mahmoud Khaled Abd-Ellah, Ashraf A.M. Khalaf

Research output: Contribution to journalArticlepeer-review


Leading risk assessment standards such as the NIST SP 800-39 and ISO 27005 state that information security risk assessment (ISRA) is one of the crucial stages in the risk-management process. It pinpoints current weaknesses and potential risks, the likelihood of their materializing, and their potential impact on the functionality of critical information systems such as advanced metering infrastructure (AMI). If the current security controls are insufficient, risk assessment helps with applying countermeasures and choosing risk-mitigation strategies to decrease the risk to a controllable level. Although studies have been conducted on risk assessment for AMI and smart grids, the scientific foundations for selecting and using an appropriate method are lacking, negatively impacting the credibility of the results. The main contribution of this work is identifying an appropriate ISRA method for AMI by aligning the risk assessment criteria for AMI systems with the ISRA methodologies’ characteristics. Consequently, this work makes three main contributions. First, it presents a comprehensive comparison of multiple ISRA methods, including OCTAVE Allegro (OA), CORAS, COBRA, and FAIR, based on a variety of input requirements, tool features, and the type of risk assessment method. Second, it explores the necessary conditions for carrying out a risk assessment for an AMI system. Third, these AMI risk assessment prerequisites are aligned with the capabilities of multiple ISRA approaches to identify the best ISRA method for AMI systems. The OA method is found to be the best-suited risk assessment method for AMI, and this outcome paves the way to standardizing this method for AMI risk assessment.

Original languageEnglish
Article number9812
JournalSustainability (Switzerland)
Issue number12
Publication statusPublished - Jun 2023


  • advanced metering infrastructure
  • information security risk assessment
  • OCTAVE Allegro
  • risk assessment methods
  • smart cities
  • smart grids

ASJC Scopus subject areas

  • Computer Science (miscellaneous)
  • Geography, Planning and Development
  • Renewable Energy, Sustainability and the Environment
  • Environmental Science (miscellaneous)
  • Energy Engineering and Power Technology
  • Hardware and Architecture
  • Computer Networks and Communications
  • Management, Monitoring, Policy and Law


Dive into the research topics of 'When Security Risk Assessment Meets Advanced Metering Infrastructure: Identifying the Appropriate Method'. Together they form a unique fingerprint.

Cite this