All hazard Internet security

One of the issues I've been discussing as part of various
critical infrastructure protection forums is the need
for "all hazard" outage information. Treating Internet
security as just a law-enforcement issue can warp your
perception. Unless you have a good view into all the
other things which can wreck Internet availability, it is
difficult to gauge the impact of a malicious activity
versus "normal" outages.

BoyHowdy! Bingo! I'll say. Also difficult to "sell" to
management--the notion of "normal" outages (I like the terms "risk
assessment" and "business continuation preparation" here).

I don't completely understand the data. The impact of the
Baltimore train wreck shows up very clearly. Traffic
returns to nearly normal by 6am the next morning. But then
degrades again the following day (i.e. "Worm day"). I
don't have access to the raw data, so I can't tell if there
are differences between carriers with fiber in the Howard
tunnel and other carriers. Did congestion increase the following
day due to the reduced bandwidth the following day, or was it
consumed by the worm's propagation?

I think you have left out the "rubberneck effect" (I may have just
coined a new term).

I often notice in our traffic graphs that certain events and certain
rumored events, as well as (in the instant case) certain "predictions"
will cause dramatic increases in traffic in our network.

I think a sociologist would be helpful in understanding that, but my
very informal and anecdote-ridden "study" indicates to me that when
we make a major upgrade in facilities, there is a jump in traffic
as people ping stuff all over, try the MS web page (and its speedometer
doodad), and so on. There was a jump last evening at about 1930 local
and there was one the night before at about the same time--people
checking to see if the 'net was dead?