The Center for Education and Research in Information Assurance and Security (CERIAS)




50 Years, and Lessons (Not) Learned


Recently, I had cause to reflect on some of what I have done in my career. As one result, I posted a blog entry about how many programming languages I have learned.

As I was writing that up, it struck me that this is an anniversary year: I wrote my first computer program 50 years ago!

I don't recall the exact program, but it was in Fortran 66, was punched onto cards, and run on a Burroughs mainframe (as I recall, it was a B5700). I was in high school at the time, and enrolled in the advanced math track, so I was offered the opportunity to take an experimental computer course in place of shop class.

Thus, I don’t think I ever got to build that clunky birdhouse in woodworking shop. However, I did get to experiment with checking my pre-calc homework on the computer, and I kept all my fingers. I suspect my programs were as clunky as the birdhouses, although it wasn’t as obvious to everyone else. Taking the course also helped cement my nerd status, ensuring wedgies and no dates for the remainder of my high school career. (This was a result that extended well beyond high school, unfortunately.)

It was a few years later, in college, that I got to do any programming again, then in BASIC on an HP 3000 and assembly on an Altair 8800. However, the prior experience in Fortran gave me a head start over everyone else in the class and I never really looked back. My first CS advisor was a member of the Fortran 77 standards committee so I also circled back around to Fortran before I got my bachelor's degree.

All of that experience (and more) was tumbling around in my head when time came to produce a lecture title and abstract. It resulted in the title and abstract, below. I gave this talk in the University of Maryland-Baltimore County UCYBR Distinguished Lecture Series earlier this week.

If you’re curious, you can view the recorded lecture. (I have some other presentations – including one from 1989 – when I had hair – on my YouTube channel page.)

Cyber Lessons, Learned and Unlearned

Dr. Eugene Spafford is a professor with an appointment in Computer Science at Purdue University, where he has served on the faculty since 1987. He is also a professor of Philosophy (courtesy), a professor of Communication (courtesy), a professor of Electrical and Computer Engineering (courtesy) and a Professor of Political Science (courtesy). He serves on a number of advisory and editorial boards. Spafford's current research interests are primarily in the areas of information security, computer crime investigation and information ethics. He is generally recognized as one of the senior leaders in the field of computing.

Among other things, Spaf (as he is known to his friends, colleagues, and students) is Executive Director Emeritus of the Purdue CERIAS (Center for Education and Research in Information Assurance and Security), and was the founder and director of the (superseded) COAST Laboratory. He is Editor-in-Chief of the Elsevier journal Computers & Security, the oldest journal in the field of information security, and the official outlet of IFIP TC-11.

Spaf has been a student and researcher in computing for over 40 years, 35 of which have been in security-related areas. During that time, computing has evolved from mainframes to the Internet of Things. Of course, along with these changes in computing have been changes in technology, access, and both how we use and misuse computing resources. Who knows what the future holds?

In this UCYBR talk, Spaf will reflect upon this evolution and trends and discuss what he sees as significant "lessons learned" from history. Will we learn from our past? Or are we destined to repeat history (again!) and never break free from the many cybersecurity challenges that continue to impact our world?

Riffing on the Ph.D. Degree


I recently was having a discussion with someone about the Ph.D. option for a degree here.  The person said “I don’t want a Ph.D. because I don’t ever intend to do research at a university.”  Thus began a conversation about how the Ph.D. may be a requirement for most faculty positions, but it is not a sentence connected to the degree!  Furthermore, not all faculty positions are primarily research positions.

As an example, of the 23 Ph.D. graduates for whom I have been primary (co)advisor to date, 11 have spent some time as faculty members but only four are still full-time faculty.  Six of them currently reside outside the U.S., and six (an overlapping group) have started their own companies. Seven are C-level executives, and another 10 are in senior director/partner-type positions.  It is certainly not the case they are all doing academic research at a university!

The Ph.D. is a way of learning how to focus on a narrow problem, develop a comprehensive plan to solve it, and then present the problem and its solution in a formal, convincing manner. Thus, completing a Ph.D. is a way to hone time management and research skills, dive into an area of interest, and prove one’s capability to manage a big task.  That is useful not only for academic research, but for managing projects, running an agency, and solving problems in “the real world.”

I’m proud of all of these graduates for what they did while completing their degrees and then going on to do interesting and important things in their careers. Here’s a list with mention of their most recent position:

  • Hiralal Agrawal; 1991; Senior Research Scientist, Perspecta Labs.
  • Hsin (Sean) Pan; 1993; Senior Director, Foxconn.
  • Steve J. Chapin; 1993; Lead Cyber Security Researcher, Lawrence Livermore National Laboratories.
  • Chonchanok Viravan; 1994; President of Pathanasomdoon Co, Ltd. (Thailand).
  • Sandeep Kumar; 1995; Staff Engineer, VMware, CA.
  • Christoph Schuba; 1997; Senior Security Architect, Apple Computer.
  • Ivan Krsul; 1998; President, Arte Xacta (La Paz, Bolivia).
  • Diego Zamboni; 2001; Enterprise Architect, Swisscom (Switzerland).
  • Wenliang (Kevin) Du; 2001; Professor, Syracuse University.
  • Thomas Daniels; 2002; Associate Teaching Professor, Iowa State University.
  • Ben Kuperman; 2004; Senior Manager of Software Development, Adobe.
  • Florian Buchholz; 2005; Professor, James Madison University.
  • James Early; 2005; Senior Software Engineer, Good Uncle.
  • Paul D. Williams; 2005; Senior Vice President and Chief Security Officer, Teradata.
  • Brian Carrier; 2006; CTO and Head of Digital Forensics, Basis Technology.
  • Rajeev Gopalakrishna; 2006; independent Consulting Researcher.
  • Serdar Cabuk; 2006; Partner, Deloitte Denmark.
  • Maja Pusara Jankovic; 2007; Senior consultant, Ab Initio.
  • Dannie Stanley; 2014; Associate Professor, Taylor University.
  • Mohammed Almeshekah; 2015; Founder and Managing Partner of Outliers Venture Capital (Saudi Arabia).
  • Kelley Misata; 2016 (INSC); CEO and Founder, Sightline Security Corporation.
  • Jeff Avery; 2017; Senior Principal Cyber Systems Engineer, Northrop Grumman.
  • Christopher Gutierrez; 2017; Research Scientist, Intel Corporation.

I am working with five Ph.D. advisees currently. Four of them are employed outside of academia and intend to stay in those positions after getting their degrees.

If you’re interested in getting a Ph.D. (or an MS) at Purdue related to cyber security, take a look at our information page.

(As a matter of trivia, even though the majority of my former students didn’t go into university positions, there are at least 53 more people who received the Ph.D. with one of the above 23 as primary advisor.  Maybe we should start a “Spaf number” similar to the Erdős Number?)