Information security and safety for risk management – Application to Information System

The safety of a system corresponds to the non-occurrence of events that could diminish or damage the integrity of the system and its environment, throughout the duration of the system's activity, whether successful, degraded or failed. Security covers both random (danger) and deliberate (threat) events.

Nowadays, virtually all sectors of activity, whether industrial or service, require high-level safety systems. These systems - particularly autonomous systems, which are increasingly entrusted with tasks for which humans are no longer in the loop - are highly constrained. They have to be developed at the lowest possible cost, are often at the frontiers of technological knowledge, and have little feedback from experience. Achieving these sometimes contradictory performances requires not only the use of specific tools, but also the rigorous implementation of an organization adapted to the objectives sought.

Nowadays, software plays a key role in embedded systems and in so-called control systems: it's software that starts or brakes cars, it's software that regulates the distribution of electricity on the national grid, it's software that dispatches telephone calls, and it's software that controls automated manufacturing in factories. It drives drones, and there are plans to entrust it with the driving of autonomous vehicles in the near future.

Since the advent of office automation, software has also been at the heart of the information system that no company can do without today. Today, this system enables companies to harmoniously manage customers, purchasing, production, accounting, personnel, and so on. In recent years, the need for widespread teleworking has further accentuated and complicated this relationship of dependence between the company and its information system.

Whether their main function is administrative or technical, programmed systems can, if they malfunction or are inadequately protected, cause human, material or economic disasters of varying scale. As computer technology is quite different from other technologies, it soon became clear that specific techniques were needed to manage the risks associated with these systems.

This article presents IT risks in general, then reviews the differences to be taken into account when managing the security of information systems and that of scientific and technical systems. It then looks more specifically at the techniques used for information systems, with aspects relating to scientific and technical systems covered in a second article