Abstract
A rich selection of methods for information security risk assessments exist, but few studies evaluate how such
methods are used, their perceived ease-of-use, and whether additional support is needed. Distribution system
operators (DSOs) find it difficult to perform information security risk assessments of Advanced Metering
Infrastructure (AMI).We have performed a case study in order to identify these difficulties and the reasons for
them. Our findings indicate that the risk assessment method in itself is not the main challenge. The difficulties
regard competence; more specifically, insight in possible information security threats and vulnerabilities, being
able to foresee consequences, and making educated guesses about probability. Improved guidelines can be a
valuable aid, but including information security experts as participants in the process is even more important.
methods are used, their perceived ease-of-use, and whether additional support is needed. Distribution system
operators (DSOs) find it difficult to perform information security risk assessments of Advanced Metering
Infrastructure (AMI).We have performed a case study in order to identify these difficulties and the reasons for
them. Our findings indicate that the risk assessment method in itself is not the main challenge. The difficulties
regard competence; more specifically, insight in possible information security threats and vulnerabilities, being
able to foresee consequences, and making educated guesses about probability. Improved guidelines can be a
valuable aid, but including information security experts as participants in the process is even more important.