Page Content

2022 ISSA Honorees


Cybersecurity and privacy have several notable professional associations associated with them. Some, such as ACM, the IEEE Computer Society, and IFIP are more generally about computing. One of the societies specifically directed to cybersecurity is the ISSA -- the Information Systems Security Association International. ISSA promotes the development and standards of the profession, globally.

Each year, ISSA recognizes individuals who have made significant contributions to the association and to the field overall. In prior years, both Professor Elisa Bertino and Professor Eugene Spafford have been recognized by ISSA: both have been inducted into the ISSA Hall of Fame, and Spaf has been named as a Distinguished Fellow of the organization.

ISSA has announced its 2022 honorees. Our congratulations to all these people for their accomplishments and this recognition!

Of particular note, three of the honorees have spoken in CERIAS seminars and events:

We also note the ISSA Education Foundation, which supports scholarships for students in the field. Two of those scholarships are in memory of individuals who were long-time friends of CERIAS, Howard Schmidt and Gene Schultz. The recent give-away of Spaf's coffee mugs raised over $1000 for those scholarships. We encourage others to consider contributing to the foundation to support worthy students. Also, the ISSAEF is an Amazon Smile participant, so that is a painless way for you to make ongoing donations (see the ISSAEF page for a link).

Get some CERIAS and Spaf Swag!


[This opportunity is now closed. You can still donate to the listed charities, though!]

Want to get some authentic CERIAS and Spaf swag? Read on!

CERIAS offices are moving in a matter of weeks. We don't want to have to box up everything, especially items we aren't likely to use any time soon (if ever) at the new location. Plus, some of these things are items we've heard people might like to have for themselves.

So.... We're going to give some of it away!

What's the catch? Well, we want to encourage people to do something good for others. And, as an institute (CERIAS) at a university (Purdue) and a life-long educator (Spaf), we thought that helping deserving students get cybersecurity education would be the way to do that.


To get some of the swag, as listed below, you need to make a donation to one of these charitable scholarships no later than August 5th, and provide proof of the donation and amount. We'll then package up your gifts and send them (we'll cover shipping inside the United States; if you are outside the U.S. we'll need to negotiate the shipping and any customs).

What charities? Only some of the best for cybersecurity students, and all established in memory of some pioneers in the field:

Rebecca Gurley Bace Scholarship ACSA/SWSIS
You may donate by sending a check to:
Applied Computer Security Associates, Inc.
c/o David Balenson
P.O. Box 1607
Olney, MD 20830-1607
Philippe Courtot/Gene Schultz/Howard Schmidt/Shon Harris Scholarships
These are all administered by the ISSA Educational Foundation.
You can donate online or by check; instructions are posted here.

We'll note here that these are also worthwhile for regular donations. As non-profits, there may be tax advantages to your donations. And be sure to check if your employer has a matching donation program!


We have established the donation. What's the swag? While supplies last:

  • From about 1995-2015, Spaf would collect coffee mugs from places he was invited to speak. This includes mugs from Facebook and Google to the NRO and NSA. The collection includes some from locations outside the U.S.A. as well. Currently, there are over 80 of these in the collection plus about 20 CERIAS coffee mugs, including some of the rare 10th anniversary mugs (from 2008).
  • CERIAS branded items that we obtained to give as speaker gifts. We have only a few of each item left, including luggage tags, T-shirts, portfolios, umbrellas, jackets, and some electronic doo-dads.
  • CERIAS/Spaf challenge coins!
  • Some first-printing, never opened, copies of Web Security, Privacy and Commerce, 2nd Edition. If you get a copy, Spaf will autograph it for you!
image image image image image image

How to Get Some

First, make a qualifying donation to one of the charities. Send proof of the donation, your address, and your shirt/hoodie/jacket size to: <spaf@cerias.purdue.edu>. You'll get the listed items while supplies last. If we run out of an item we will substitute an item of equal or better value.

Minimum donation Items shipped
$150 2 of Spaf's coffee mugs plus a CERIAS challenge coin
$200 An additional item of CERIAS-branded merchandise plus 1 CERIAS mug
$300 A copy of the book in addition to the above, plus an additional CERIAS item.
$500All of the above, plus 2 additional coffee mugs, plus a CERIAS logo fabric briefcase or portfolio.
In the above, items in each line include all the items in the previous rows. So, If you make a donation of $300 you will also get the items listed for $150 and $200.

Remember, these are really all extra gifts. The real value is you making a donation to a worthwhile charity to help some deserving people study cybersecurity!

Surprise Bonus!

While cleaning out the storage closet we found a dozen remaining Spaf bobbleheads. This is the last of this collector's item! image To get one, send us a check for a minimum of $100 made out to "Purdue University" with "Donation to CERIAS" on the memo line. (And, to be clear, Purdue University is also a non-profit entity.) Send the check with your return address to:

Bobblehead c/o Shawn Huddy
CERIAS -- Purdue University
656 Oval Drive
West Lafayette, IN 47907-2086

CERIAS is on the move!


In May of 1998, Purdue chartered CERIAS -- the Center of Education and Research In Information Assurance and Security -- as a campus-wide, multidisciplinary center for the new (at the time) field of cybersecurity. CERIAS grew out of the COAST Laboratory in the CS department. Our original core of a half-dozen faculty spanned several of the departments and colleges at Purdue and thus warranted a university-level institute.

The Recitation Building
The Recitation Building

As part of its commitment to the new center, Purdue University renovated most of the 2nd floor of the Recitation Building on the central campus for CERIAS. The 2nd floor was originally classrooms. We moved into the redone space in early 1999. The space involved a conference room, a small library, a small kitchen and lounge, offices for 10 faculty and staff, and a half-dozen shared offices for grad students. We also had two dedicated rooms on the 4th floor -- one as a protected machine room, and one as a lab.

The space in REC has served us well since then. We were located near the CS, ECE, and CNIT departments, in a building with great character, including flooring made from birds-eye maple planks. We also had to cope with some of the idiosyncrasies of an older building, including cranky HVAC and leaky pipes. (Recitation was originally completed in 1923.) CERIAS grew into a world-renowned entity with over 150 associated faculty across campus and many hundreds of their students.

The Convergence Building
The Convergence Center

Over the last few years in particular, Purdue overall has prospered, with increasing prestige and growing enrollment. Last year, Purdue had over 50,000 students enrolled at the main campus! Having frozen tuition for a decade has undoubtedly helped to make a Purdue education even more attractive, despite the increasingly-rigorous admission standards. There has been an associated boom in new buildings -- with over two dozen new dormitories, laboratories, and co-working space for collaborations with companies and national labs. This has included construction of the Discovery Park District.

Last year, as part of a master planning process, university administration decreed some reorganization. Many administrative and academic programs are moving to accomodate growth, move related groups near each other, and make better use of space. That includes CERIAS!

As of August 15, we are bidding adieu to Recitation. For the following 4 months we will be virtual as our new "galactic headquarters" is being finished. Meanwhile, our space in Recitation will be renovated info offices and meeting space for the Dean of Students

In January, we will be moving into our new offices and lab space on the 3rd floor of the Convergence Center on campus. Convergence is part of the public-private partnerships idea that Purdue has been promoting over the last few years. It is a building owned and operated by a private company, located on the university and housing several campus departments as well as industry offices. It was completed in 2020 and presents exciting new possibilities for our next 25 years.

Our new space will be bright and airy, with lots of windows. We'll have more offices, lots of work spaces for students, several labs, and multiple meeting rooms. We'll also have dedicated space for co-location of researchers of some CERIAS partners (with Sandia National Labs the first such partner).

If you want to visit us between August 15 and January 15, let us know and we'll find a room on campus to meet with you. After the 15th, come visit us at our new offices!

Our new address will be:

101 Foundry Dr STE 3000
West Lafayette IN 47906-3446

During and after the transition we expect our phone numbers and email addresses to be unchanged. Our web pages will continue to be active. Our phones will forward to wherever we are during the build-out phase, so you will be able to reach us as always.

While we're at it, mark your calendars for March 28 & 29 --- the annual CERIAS Symposium. We're celebrating our 25th anniversary and you are all invited!

The more things change….


Last week was our 23rd CERIAS Symposium. It was a great event, thanks to great speakers and lots of behind-the-scenes work by the wonderful staff. We have developed a history of some outstanding presentations and interactions. Next year we will be celebrating the 25th anniversary of the founding of CERIAS (it will be the 24th symposium because we didn't have one the first year). I hope we can continue the streak of great presentations and events, but given the tremendous community we have, I'm sure that will be the case.

During the breaks, I ran into several former students, including one who graduated 28 years ago. I heard wonderful stories about what they've been doing in their lives since then, and how their experience at Purdue with COAST and CERIAS helped set them up for success. That is really gratifying to hear; teachers always like some affirmation that they didn't screw up too badly!

I was going to write up a blog post here about that -- no doubt prompted by my last post about the workshop 22 years ago -- then I vaguely recalled having written something like that a while back. After some looking, I found it in my personal blog (it was before we established this blog): Some Thoughts on Lifetime Achievement. That has mostly aged well, and I could make most of the same general comments today. I continue to be pleased that my former students are happy and productive. And although I am still sure I will be forgotten in 100 years (heck, a lot of people try mightily to forget me today), I am confident that what I helped start as education and awareness in this space will continue to make a difference through the good works of those whose lives we touched here at Purdue.

Also, I'm still not done yet. I have 5 Ph.D. students in various phases of completion plus two books underway with ideas for more, and I hope to get all those things finished before I think seriously about voluntary retirement. However, given the state of reality and current events, voluntary may not be the only route....

I may have to spend more time looking through things I wrote over the last 30 years to see how/if some of my thinking has evolved. This makes two items from the archives I had dimly remembered that seem to be relevant now. But I will note that in 11 years I have never found a use for my AARP card that my AAA membership didn't also provide (e.g., hotel discounts).

Who Says You Can’t Predict the Future?


While preparing to introduce today’s keynote (Dr. David McGrew) at the 23rd CERIAS Symposium, I was reminded of an exercise in crystal ball gazing. Every December we have various people publish a list of their top predictions for the coming year. Some are thoughtful, and others simply risable. The track record is often quickly forgotten.

However, what of an effort by real experts and visionaries to make some bold predictions for a decade hence? Many people have repeatedly claimed that such a thing is impossible for cybersecurity – the field moves too quickly, innovation disrupts truisms, and biases complicate the mix.

Here, I present at least one worked example that proves that it could be done – and was.

In 1992, the COAST Laboratory was started. Around 1996, Cisco became a corporate partner with COAST, providing equipment and funds for student scholarships. When CERIAS emerged from COAST in May 1998, Cisco stepped up as a founding sponsor. This included not only continuing financial support, but increasing some researcher involvement.

In 2000, another CERIAS partner at the time, Accenture, agreed to cosponsor a workshop at their St. Charles conference center. The workshop would be organized by CERIAS and was to focus on making some “bold” predictions for the next decade. We were supposed to identify some “visionaries” who could participate and discuss the future.

I (Spaf) identified some personnel I knew were deep thinkers, some of whom were not yet quite widely known in cybersecurity. I invited them, and Accenture added a few of their own senior staff. These people went on to build significant reputations in the field. (I’d like to claim it was because they participated in the workshop.)

The visionaries who attended, and their affiliations at the time:

  • Whit Diffie (Sun Microsystems)
  • Becky Bace (Infidel)
  • Howard Schmidt (Microsoft)
  • Phil Venables (Goldman Sachs)
  • David McGrew (Cisco)
  • Dan Geer (@Stake)
  • John Clark (Accenture)
  • Dan Deganutti (Avanade)
  • Glover Ferguson (Accenture)
  • Anatole Gershman (Accenture)
  • Mike Jacobs (NSA)
  • Fred Piper (University of London/Royal Holloway)
  • John Richardson (Intel)
  • Marv Schaefer (BWAP)
  • Spaf (Purdue CERIAS)

An impressive group, in hindsight; fairly impressive in 2000, too!

I won’t recapitulate the whole workshop report, which you can read if you wish. However, I will summarize what we saw as the top 10 trends for cybersecurity in 2000:

  1. The EverNet: Billions of devices proliferate that are always on and always connected.
  2. Virtual Business: Complex outsourcing relationships extend trust boundaries beyond recognition.
  3. Rules of the Game: Government regulation increases as lawmakers react to real losses that hurt.
  4. Wild Wild West: International criminals exploit lack of cooperation and compatibility in international laws.
  5. No More Secrets: Privacy concerns will continue to compete with convenience and desire for features.
  6. Haste Makes Waste: “Time to Market” increases pressure to sacrifice security and quality of software.
  7. Talent Wars: Lack of security skills will compound weaknesses of delivered solutions.
  8. Yours, Mine or Ours: Identifying intellectual property and information ownership will become key areas of debate.
  9. Web of Trust: Standard security architectures and improved trust will spur eCommerce growth.
  10. Information Pollution: Information exploitation becomes more lucrative than hacking.

I remember when the report came out it was dismissed by some in industry as “too pesimistic.” Perhaps because the “visionaries” weren’t all well known, the conclusions were largely ignored.

Looking back on the list, I’d say we scored at least 90%, especially for the decade that followed. Both #3, and #10 took a little longer to manifest, but we were on target with all ten.

You can apply some hindsight bias now to say they were all obvious, but that really wasn’t the case in fall 2000. The iPhone was 6 years away from introduction and the Motorola StarTac CDMA phone was effectively the state-of-the-art. Wireless was basically defined by the recent release of 802.11a/b. Internet penetration was less than 6% of the world’s population (it is over 66% now, in early 2022). At the time of the workshop, Facebook and Twitter were years away from creation, and Google was a small search engine company less than 3 years old. Ransomware had been described theoretically, but would not become prominent for several years.

Interestingly, the action items the group defined are still relevant, and notable perhaps in how they are still not practiced widely enough:

  • Improve Software Quality Focus on improving the quality and assurance of software. Prevent distribution of weak software with security exposures. Conduct research to find better methods for designing and developing higher quality software.
  • Invest in Training and Awareness Develop a sound educational program that focuses on security and ethics. Focus resources throughout the educational spectrum. Teach respect for electronic boundaries. Develop comprehensive curriculum to educate our next generation.
  • Implement Best Practices Incorporate baseline safeguards and practices. Use best practices to ensure security is done right in development, implementation, testing, business processes, and consumer practices.
  • Initiate Public Debate Initiate public debate on identification, ownership protection, use of personal information, and responsible use of computing.
  • Advocate Holistic Approach Advocate and pursue a well-rounded and pro- active approach to the overall problems: business, social, technical, and government.
  • Package Security Architectures Encourage packaging of a basic security architectures with standard services that integrate with applications and infrastructure.
Group photo (click to enlarge)


One of the workshop participants informs me that the workshop was held in late September 2000. The report is copyrighted 2001, which is why I thought that is when it was held that year. Unfortunately, I no longer have my appointments calendar from that time so my initial posting indicated 2001. His recollection of this is strong, and is likely correct. I have corrected the dates in the entry above to reflect this correction.