Narrative Bio for Spaf

You can download a brief, 2-page bio. Some short, paragraph-length biosketches are also available.

An expanded, narrative biography follows. A full academic C.V. is available at the link in the left column.

You can find archived video of a number of Spaf's talks, conference addresses, and interviews on YouTube.

Overview

Professional portrait of Eugene H. Spafford (click for larger image)

Eugene H. Spafford — known almost universally as "Spaf" — is a Distinguished Professor of Computer Science at Purdue University, where he has been a faculty member since 1987. He holds courtesy appointments in Philosophy, Communication, Electrical and Computer Engineering, Nuclear Engineering, and Political Science. In 1992 he founded Purdue's COAST Project and Laboratory; in 1998 it was reorganized as the university-wide Center for Education and Research in Information Assurance and Security (CERIAS) — the largest and most broadly structured academic research center in its field. He led CERIAS through 2016 and is now Executive Director Emeritus. He served as Editor-in-Chief of Elsevier's Computers & Security from 2010 to 2025 — the oldest journal in the field — and is now its Editor Emeritus.

For nearly four decades, Spaf has worked concurrently as an academic — researcher, mentor, and teacher — and as a trusted advisor and consultant to industry, federal agencies, the courts, and law enforcement. His contributions span three intertwined areas: research, education, and public policy. He is responsible for several "firsts" in computing — among them the modern security usage of firewall (1990) and Purdue's PCERT (1990), the first academic incident-response team accredited by FIRST.

In research, Spaf and his students have helped shape several foundational areas of cybersecurity. His early analysis of the 1988 Internet Worm and Computer Viruses (1989) — the first English-language technical book on computer viruses and malware — supplied much of the vocabulary and conceptual framework used to analyze malware. With Simson Garfinkel he later co-authored Practical Unix & Internet Security (O'Reilly; three editions, 1991–2003), and with Leigh Metcalf and Josiah Dykstra, Cybersecurity Myths and Misconceptions, inducted into the Cybersecurity Canon Hall of Fame. He is widely credited with originating the field of software forensics — now generally known as digital forensics — which he and his students have continued to develop. With his students, he has been a major contributor to intrusion detection through tools and architectures such as Tripwire, embedded sensors, and autonomous-agent IDS. His work on deception as a defensive technique, begun in the early 1990s and continued with his students, helped seed what is now an active research subfield. He has also been a sustained voice in computing ethics — through often-reprinted papers, contributions to every major rewrite of the ACM Code of Ethics since 1990, and service on ACM and CRA committees on publication and professional ethics.

In education, Spaf has received Purdue's three highest teaching honors — the Charles B. Murphy Outstanding Undergraduate Teaching Award, election to its Book of Great Teachers, and a Fellowship in its Teaching Academy — along with the IEEE Computer Society's Taylor L. Booth Medal in 2004 and the Upsilon Pi Epsilon ABACUS Award in 2009. He has advised scores of students, many of whom now hold senior positions in academia, industry, and government. He co-authored the ACM/IEEE-CS Computing Curricula 1991 — a foundational document for undergraduate computer science programs internationally — and from 2000 to 2025 he founded and led Purdue's multidisciplinary Information Security graduate program (INSC), the first cybersecurity graduate degree program offered anywhere.

In public policy, Spaf has testified before Congress nine times and contributed to 18 briefs filed before U.S. courts, including 11 major amicus curiae briefs, several before the Supreme Court. He has served on the President's Information Technology Advisory Committee (PITAC), the U.S. Air Force Scientific Advisory Board — for which he received the U.S. Air Force Medal for Meritorious Civilian Service — and the GAO Executive Council on Information Management and Technology; he has advised the National Science Foundation, the National Security Agency, the FBI, the Department of Justice, the Department of Energy, and the staffs of two U.S. presidents — one from each major party. He is a past chair of the ACM's U.S. Technology Policy Committee, a multi-term member of the Board of the Computing Research Association, and a member of Verified Voting's Board of Advisors. He has also consulted for major firms (Microsoft, Intel, Tripwire, and Unisys among them), the national laboratories (including Sandia and Los Alamos), and law enforcement agencies at state, federal, and international levels.

Spaf has been elected a Fellow of the ACM, IEEE, AAAS, the American Academy of Arts and Sciences, the (ISC)2, and the ISSA (as a Distinguished Fellow); he is the only person ever to have been named a Fellow of all six. He is also the first — and so far only — recipient of every major individual cybersecurity award, including the NIST/NSA National Computer System Security Award (2000), the (ISC)2 Harold F. Tipton Lifetime Achievement Award (2013), and the IFIP TC-11 Kristian Beckman Award (2017). Other recognitions include the ACM President's Award in 2007, induction into the National Cyber Security Hall of Fame in 2013, designation as a Sagamore of the Wabash — Indiana's highest civilian honor — by the Governor of Indiana in 2016, an honorary D.Sc. from the State University of New York in 2005, and an Honorary Professorship at the University of Nottingham. Purdue named him an inaugural Morrill Award recipient in 2012 and a Distinguished Professor in 2025.

Back to top

Honors & Awards

General

In Security

In Computing & Science

In Education

Other Awards and Recognition

Back to top

Professional Activities

U.S. Government

Dr. Spafford has been consulted by parts of the U.S. government, including delivering formal Congressional testimony nine times. He has contributed to 18 briefs before U.S. courts, including 11 major amicus curiae briefs, several before the Supreme Court. He has acted in an advisory capacity for several agencies and commissions as detailed above.

Media

Spaf has over four decades of history as a resource for, and quoted in, news media. This has included video appearances on ABC News, CNN, Fox News, and the BBC. He has been interviewed and quoted numerous times in the NY Times, Wall St Journal, Newsweek, the Washington Post, USA Today, the Chronicle of Higher Education, Consumer Reports, Wired, and other international, national, and regional outlets.

Writing & Editing

Professor Spafford is currently on the advisory and editorial boards of the journals

He has written extensively in the field of computer security, including coauthoring an award-winning book on UNIX Security, Practical Unix & Internet Security ( O'Reilly and Associates, 1991; 2nd edition 1996; 3rd edition 2003) and a widely-cited book on computer viruses, Computer Viruses (ADAPSO, 1989). He has also served as a contributing editor to Computer Crime: A Crime-Fighter's Handbook ( O'Reilly and Associates, 1995), and Web Security, Privacy, and Commerce, ( O'Reilly and Associates, 1997; 2nd edition 2002). He has published well over 150 papers and reports on his research. He has also spoken internationally at panels, conferences, symposia, and colloquia on these issues.

Spaf's most recent book with Leigh Metcalf and Josiah Dykstra, entitled Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us, was inducted into the Cybersecurity Canon Hall of Fame.

Selected Memberships and Chairmanships

Professor Spafford has also served as chairman of ACM's Self-Assessment Committee and of its ISEF Awards Committee, as well as served as a charter member of the Technical Standards Committee. He was co-chair of the ACM's Advisory Committee on Security and Privacy, now defunct. He has served as a member of ACM Council (the board of directors) 2012–2020. He was chair of ACM's Publications Plagiarism and Ethics Committee 2017–2022, and vice-chair 2022–2023.

Over the past few years, Professor Spafford has served in an advisory or consulting capacity on information security and computer crime with several U.S. government agencies and their contractors, including the NSF's CISE division, FBI, National Security Agency, U.S. Attorney's Office, the Secret Service, and the U.S. Air Force. He has also been an advisor to several Fortune 500 companies, law firms, and state and national law enforcement agencies around the world. Spaf was a member of the Defense Science Study Group V and was a member of the science study group supporting the U.S. Government's Infosec Research Council. He is a past member of the Board of Directors of the National Colloquium on Information Systems Security Education, was a member of the board of directors of the Network Time Foundation and of the Sun User Group (now defunct).

Incident Response

Spaf has been involved with security incident response both as an educator and as a practitioner. He has served as a member of the advisory boards of both CERT/CC and the FIRST (FIRST is the Forum of Incident Response and Security Teams). He was the founder and co-director of the Purdue Computer Emergency Response Team until 2001.

Back to top

At Purdue

Teaching

In 1987, Professor Spafford joined the academic faculty of the Department of Computer Science at Purdue University. At Purdue, he has taught courses in operating systems, compiler and language design, computer security, computer architecture, software engineering, networking and data communications, and issues of ethics and professional responsibility. Over the last few years Professor Spafford has been recognized with the top three awards for teaching at Purdue University.

Research

Dr. Spafford's primary research is on issues relating to information security, with a secondary interest in the reliability of computer systems, and the consequences of computer failures. In addition to work in computer and network security, this involves research into issues of computer crime, and issues of liability and professional ethics. His work in security has resulted in several oft-cited papers and a number of books, as well as the development of the COPS and Tripwire security programs for Unix — tools used world-wide for assistance in the management of system security.

Spaf's involvement in information security led, in early 1992, to his formation at Purdue of the COAST Project and Laboratory, of which he was the director. This was an effort to develop workable security technology and practical tools. In May of 1998, Purdue University formed the Center for Education and Research in Information Assurance and Security ( CERIAS ) and appointed Spaf as its first Director. This university-wide center is addressing the broader issues of information security and information assurance, and draws on expertise and research across all of the academic disciplines at Purdue. Because of its structure, and the incorporation of the COAST group in its activities, the CERIAS is the largest and most broadly-structured academic research center in the world in its field. In 2003, Spafford was promoted to Executive Director of CERIAS, which he held until summer 2016, when he was given the title Executive Director Emeritus.

In addition to his security research, Spaf has been an active researcher with the Software Engineering Research Center (SERC) — an NSF University/Industry Cooperative Research Center, located jointly at several universities including Purdue. His research in the SERC included continuing work with testing technology, including the Mothra II testing environment; and with investigation of new approaches to software debugging, including development of the Spyder debugging tool.

Dr. Spafford has also conducted research on issues relating to increasing the reliability of computer systems, and the consequences of computer failures. This includes work with distributed computing systems (the Messiahs project).

Back to top

Background

Dr. Spafford received his B.A. degree with a double major in Mathematics and Computer Science from the State University of New York Brockport (1979, NY). Upon graduation, he was honored with a SUNY College President's Citation. He then attended the School of Information and Computer Science (now the College of Computing ) at Georgia Institute of Technology, holding both a Georgia Tech President's Fellowship and a National Science Foundation Graduate Fellowship.

Spaf received his M.S. in 1981, and the Ph.D. in 1986 for his design and implementation of the original Clouds reliable, distributed operating system kernel, and for his contributions as one of the original members of the Clouds design team. Next, Dr. Spafford spent a year and a half as a research scientist (postdoc) with the Software Engineering Center at Georgia Tech. His duties there included serving as a principal software engineer with the Mothra software testing project.

Back to top

Other Information

Spaf is also responsible for a number of "firsts" in computer science; a selection of these is available.

Spaf's full curriculum vitae is online.

Someone created a Wikipedia page on Spaf; it looks mostly accurate.

A print-quality photo of Spaf is available.