Introduction

Purdue University has a history of “firsts” in computing. The computer science department was founded in 1962, making it the oldest degree-granting CS program in the world. Purdue also has a history of research and education in cybersecurity, including the first multidisciplinary research center in the field (1998, CERIAS), and the first regular graduate degree in cybersecurity (2000).

Dorothy Denning completed her Ph.D. in CS at Purdue in 1975. Her dissertation was entitled Secure Information Flow in Computer Systems. After graduation, she joined the computer science faculty. She began offering a regular course in data security, starting in 1981. Matt Bishop was the TA for that course and completed his Ph.D. in security in 1984 with Dorothy as his advisor. Both Dorothy and Matt are well-known in cybersecurity for their many fundamental contributions.

Sam Wagstaff arrived in 1983 and assumed responsibility for teaching the data security course. Gene Spafford joined the faculty in 1997, although he did not teach a core cybersecurity course in his first few years at Purdue; he primarily taught software engineering and distributed systems.

In 1992, Spafford started the COAST Laboratory in the CS department, with initial support from Wagstaff. In 1998, CERIAS was established as a university institute, led by Spafford and supported by faculty in five other university departments. (As of January 2026, there are over 150 affiliated faculty in 20 academic departments. We'll have a more detailed history of CERIAS in a future post.) The first Ph.D. graduate from COAST, advised by Spafford, was Sandeep Kumar in 1995.

In 1997, immediately prior to the founding of CERIAS, Professor Spafford provided testimony before the House Science Committee of the 105th Congress. In that, he described the then-current national production of Ph.D.s in cybersecurity as only 2-3 per year. This was clearly not sufficient for the growing demand. His testimony inspired formation of both the NSF Scholarship for Service and the NSA/DHS Academic Centers of Excellence to encourage more students to pursue degrees. CERIAS leadership also considered it an initial priority to encourage more such degrees.

In the years since then, a number of universities around the world have developed cybersecurity research and education programs. A few thousand Ph.D.s have been graduated since the mid-1990s.

Ph.D. Production from mid 1990s

Rob Morton, a 2024 Ph.D. advised by Spafford, conducted research on degrees produced, augmented by Deep Search in Google Gemini. What follows are results from his research.

1988 was used as a starting point for "modern" academic cybersecurity. Following the Morris Worm (November 1988), the field formalized rapidly: Carnegie Mellon formed the CERT/CC, Purdue formed the COAST Laboratory (precursor to CERIAS), and UC Davis began its dedicated security architecture work.

Since that year, Purdue University and Carnegie Mellon University (CMU) have been the undisputed volume leaders in producing doctoral graduates with security-specific dissertations.

The Historical "Leaderboard" (Covering 1988–2024)

These counts exclude Master's degrees. They represent Doctoral candidates whose dissertations were primarily focused on Information Security, Privacy, or Cryptography. (The CERIAS/COAST numbers have been updated using local Purdue records.)

Detailed Breakdown by Era

• Total US Production: Extremely low (~5–10 per year nationwide).
• Dominant School: Purdue University (COAST Lab).
• Context: In this decade, if you met a PhD in security, they likely came from Purdue or UC Davis.There were almost no dedicated “Security” tracks elsewhere; students had to beg CS advisors to let them study viruses or intrusion detection.
• Notable Alumni: Many of the early leaders of security research graduated in this narrow window from these two schools.

• Total US Production: Growing (~30–50 per year).
• Dominant School: Carnegie Mellon (CMU) and Purdue.
• Context: The NSA started the “Centers of Academic Excellence” (CAE) program in 1999. Funding exploded. CMU’s CyLab began to industrialize the PhD process, adding policy and economics to the mix. Georgia Tech began ramping up network research. Also notable, although smaller, were programs at James Madison University, George Mason University, Idaho State University, Iowa State University, and the University of Idaho.

• Total US Production: High (~100–150+ per year).
• Dominant School: Georgia Tech and Northeastern.
• Context: Security became a standard sub-field of Computer Science.
• Purdue remains the steady "interdisciplinary" leader (averaging ~15–20 PhDs/year recently), mostly in CS.
• Georgia Tech and Northeastern aggressively hired faculty to scale their output.
• Top-Tier Shift: Schools like MIT and Stanford began producing PhDs focused on “Adversarial AI,” blurring the line between Security and Artificial Intelligence.

• Purdue (CERIAS): Their public alum rosters list approximately 360+ PhD graduates associated with the institute since its inception (counting the COAST era). However, the total count across the whole university is known to be higher as affiliation with CERIAS is optional and graduates originate in many disciplines.
• UC Davis: Their Security Lab alum page lists approximately 85+ PhDs specifically from the Computer Security Lab. However, the total count across the whole university is likely higher.