In his more than three decades as a professor of computer science at Purdue University in West Lafayette, Indiana, Eugene H. Spafford has made pioneering contributions to computer and network security. A member of the Cybersecurity Hall of Fame, he is considered one of the most influential leaders in the field of information security.

But he didn’t pursue a career in cybersecurity. Indeed, the field didn’t really exist when he graduated from the State University of New York at Brockport with a bachelor’s degree in mathematics and computer science in 1979. Spafford then went to Georgia Institute of Technology to complete a master’s degree in information and computer science.


In the early 1980s, the IEEE member recalls, computer security consisted largely of formal verification using mathematical models and methods and mainframe-centric cryptography.

“We didn’t have commercial networks,” Spafford says. “Viruses, malware and other cyber threats have barely emerged. There were no tools, no experts, no jobs—yet.”

However, computer security has become his hobby.

“I read a lot and studied where computers can be used and where they can fail, and I also read science fiction books that explored these possibilities,” he says.

Meanwhile, his undergraduate and postdoctoral work revolved around more traditional areas of computing. “Faculty [at Georgia Tech] made me develop and deliver a course on hardware support for operating systems,” he recalls. “I liked the teaching and research aspects. I ended up staying to get my PhD. in 1986, researching reliable distributed computing.”

His postdoctoral work has been in software development: learning how to write software that does what the developer wants it to do.

Investigation of the first cyber attack

In 1987, Spafford joined the Purdue Computer Science Department. A year later, he was drawn into the investigation of the Morris worm, the first high-profile cyberattack.

The code was created by a college student who allegedly planned to use it as a research experiment. Also known as internet worm, it made headlines when it caused a major denial of service that slowed or crashed a significant number of computers connected to the Internet.

“Demand for cybersecurity professionals has never been higher given people’s growing reliance on computing and data storage.”

Spafford was part of the team tasked with isolating, analyzing, and cleaning up the worm. There was a sense of urgency, he recalls, as no one knew what the worm was doing, who wrote it, or what its ultimate consequences might be. He spent 18 hours a day analyzing the code, documenting its actions and responding to press inquiries.

“Prior to the worm, government security was all about mainframes and privacy,” he says. “Now it also became clear that the availability and even the integrity of systems could be at risk – and that we did not have good tools for protection and analysis. All of a sudden, from hobbyists to Pentagon employees, everyone was concerned about the security of their computers.”

How cybersecurity has evolved

Spafford’s early involvement in combating cybersecurity threats has led him to a successful career as a teacher, researcher, public speaker, author, consultant, and organizer.

He wrote a conference paper Internet worm incident, in 1989, to record what happened and the lessons learned. His other security projects included the development of the COPS and Tripwire open source security tools, as well as early firewalls and intrusion detection systems. He was one of the founders of the field of cyber forensics, which involves the collection and analysis of digital data to conduct investigations and provide legally admissible evidence. Spafford wrote the first papers on the subject.

Member Level: IEEE employee

Employer: Purdue University

Title: Professor of Computer Science

Education: SUNY Brockport, Georgia Institute of Technology

Publications: Spafford is the author or co-author of over 150 books, chapters, articles and other scientific papers. Myths and misconceptions about cybersecurity: how to avoid the dangers and traps that let us down, Addison-Wesley Professional 2023 with Lee Metcalfe and Josiah Dykstra;

State activities: Testified before the US Congress nine times, participated in 10 major amicus curiae briefs before US courts, including the Supreme Court.

In 1998, Spafford founded the Purdue Information Security and Security Education and Research Center, becoming its Executive Director Emeritus in 2016.

Spafford notes that as computing and cybersecurity evolved, so did the teaching of computing and cybersecurity. “When I first started in this field, I could describe and teach courses on how a computing system works, from hardware to networking, and all the things that need to be secure,” he says. “Fast forward to today, and looking at any large system in use, no living person would be able to do the same. Systems have become so big and there are so many variables in them that no one else can understand the whole stack. To excel in security, you need to understand stack overflows and instruction execution times.”

He notes that many computer science programs no longer teach assembly language or machine organization.

Spafford’s work has received many awards, but he is most proud of the Purdue University Morrill Award he received in 2012. The award recognizes faculty who have made an outstanding contribution to the university’s mission of teaching, research, and community service. .

“This was given not only for a scholarship, but also for outstanding achievements as an educator and for my service to the community,” says Spafford. “So it meant being recognized by the community of my peers for accomplishments on many fronts. I appreciate all the other recognitions I have received, but this was recognition that covered the widest range of my work.”

The state of cybersecurity today

How well do companies manage security today? Spafford says some are doing a pretty good job of separating their systems, hiring the right people, and doing the right monitoring. But, he says, others don’t understand what it means to have good security, or don’t want to spend money on securing their systems.

“We’re in a market where fundamental best practices are often overlooked in favor of new add-ons and new features,” he says. “Instead of using sound engineering principles to create robust and fault-tolerant systems, most of the money spent and attention paid to it has gone into adding another layer of fixes and building extensions on top of fundamentally broken technologies.”

Career Tips

Given the wide and still evolving spectrum of cybersecurity—there are currently about 40 specializations in cybersecurity—Spafford advises those considering a career in the field to understand what aspects of security they find interesting and intriguing. Once you do that, he says, what you need to learn depends on what you’ll be doing.

For example, those interested in cybersecurity forensics need to understand operating systems, networks, architecture, compiler design, and software development. “It helps you understand how systems work, how things fit together, how flaws come about and how they are exploited,” he says.

For other areas of cybersecurity, you may need to study psychology and management theory to better understand the people involved, he says. Those who want to learn about politics need to get some legal training because law enforcement requires a very different set of skills.

The demand for cybersecurity professionals has never been higher given people’s growing reliance on computing and data storage, as well as their growing digital connectivity. “All of this has changed the nature of what we do with computers and has increased the number of attack surfaces that can be exploited by those who compromise security,” says Spafford. “Thirty years ago, research centers were connected via the Internet – our houses and cars were not the targets of attacks. Now it’s the Internet of almost everything.”