Eugene Howard Spafford (born 1956), known as Spaf, is an American distinguished

professor Professor (commonly abbreviated as Prof.) is an Academy, academic rank at university, universities and other tertiary education, post-secondary education and research institutions in most countries. Literally, ''professor'' derives from Latin ...

computer science Computer science is the study of computation, information, and automation. Computer science spans Theoretical computer science, theoretical disciplines (such as algorithms, theory of computation, and information theory) to Applied science, ...

Purdue University Purdue University is a Public university#United States, public Land-grant university, land-grant research university in West Lafayette, Indiana, United States, and the flagship campus of the Purdue University system. The university was founded ...

and a

computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...

expert. Spafford serves as an advisor to U.S. government agencies and corporations. In 1998, he founded and was the first director of the Center for Education and Research in Information Assurance and Security (

CERIAS The Center for Education and Research in Information Assurance and Security (CERIAS) of Purdue University, United States, is a center for research and education in areas of information security for computing and communication infrastructures. It ...

) at Purdue University.

Biography

Education and early career

Spafford attended the

State University of New York at Brockport State most commonly refers to: * State (polity), a centralized political organization that regulates law and society within a territory **Sovereign state, a sovereign polity in international law, commonly referred to as a country **Nation state, a ...

, graduating with a double major in mathematics and computer science in three years. He then attended the School of Information and Computer Sciences (now the College of Computing) at the

Georgia Institute of Technology The Georgia Institute of Technology (commonly referred to as Georgia Tech, GT, and simply Tech or the Institute) is a public university, public research university and Institute of technology (United States), institute of technology in Atlanta, ...

. He received his

Master of Science A Master of Science (; abbreviated MS, M.S., MSc, M.Sc., SM, S.M., ScM or Sc.M.) is a master's degree. In contrast to the Master of Arts degree, the Master of Science degree is typically granted for studies in sciences, engineering and medici ...

(M.S.) in 1981, and

Doctor of Philosophy A Doctor of Philosophy (PhD, DPhil; or ) is a terminal degree that usually denotes the highest level of academic achievement in a given discipline and is awarded following a course of Postgraduate education, graduate study and original resear ...

(Ph.D.) in 1986, for his design and implementation of the

kernel Kernel may refer to: Computing * Kernel (operating system), the central component of most operating systems * Kernel (image processing), a matrix used for image convolution * Compute kernel, in GPGPU programming * Kernel method, in machine learnin ...

of the original ''Clouds''

distributed operating system A distributed operating system is system software over a collection of independent software, networked, communicating, and physically separate computational nodes. They handle jobs which are serviced by multiple CPUs. Each individual node holds a ...

. During the formative years of the Internet, Spafford made significant contributions to establishing semi-formal processes to organize and manage

Usenet Usenet (), a portmanteau of User's Network, is a worldwide distributed discussion system available on computers. It was developed from the general-purpose UUCP, Unix-to-Unix Copy (UUCP) dial-up network architecture. Tom Truscott and Jim Elli ...

, then the primary channel of communication between users, and to defining the standards of behavior governing its use. Spafford initiated the Phage List as a response to the

Morris Worm The Morris worm or Internet worm of November 2, 1988, is one of the oldest computer worms distributed via the Internet, and the first to gain significant mainstream media attention. It resulted in the first felony conviction in the US under the ...

, one of the earliest

computer worm A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will ...

Computer science at Purdue

Spafford has served on the faculty at Purdue University in Indiana since 1987, and is a Distinguished Professor of computer science. He is executive director emeritus of Purdue's ''Center for Education and Research in Information Assurance and Security'' (CERIAS), and founded its predecessor, the ''COAST Laboratory''. He has stated that his research interests have focused on "the prevention, detection, and remediation of information system failures and misuse, with an emphasis on applied

information security Information security is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data ...

. This has included research in fault tolerance, software testing and debugging, intrusion detection, software forensics, and security policies." Spafford wrote or co-authored four books on computer and computer security, including ''Practical

Unix Unix (, ; trademarked as UNIX) is a family of multitasking, multi-user computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, a ...

and Internet Security'' for

O'Reilly Media O'Reilly Media, Inc. (formerly O'Reilly & Associates) is an American learning company established by Tim O'Reilly that provides technical and professional skills development courses via an online learning platform. O'Reilly also publishes b ...

, and over 150 research papers, chapters, and monographs. In 1996, he received the Award of Distinguished Technical Communication from the Society for Technical Communication for ''Practical Unix and Internet Security''. In 2024, his book ''Cybersecurity Myths and Misconceptions'' for

Addison-Wesley Addison–Wesley is an American publisher of textbooks and computer literature. It is an imprint of Pearson plc, a global publishing and education company. In addition to publishing books, Addison–Wesley also distributes its technical titles ...

was named to the Cybersecurity Canon Hall of Fame. As a PhD advisor, Spafford has advised 27 students to graduation. Among other projects, he designed the

Open Source Tripwire Open Source Tripwire is a free software security and data integrity tool for monitoring and alerting on specific file change(s) on a range of systems originally developed by Eugene H. Spafford and Gene Kim. The project is based on code origina ...

tool coded by his undergraduate student

Gene Kim Tripwire, Inc. is a software company based in Portland, Oregon, that focuses on security and compliance automation. It is a subsidiary of technology company Fortra. History Tripwire's intrusion detection software was created in the 1990s by ...

. Spafford was the chief external technical advisor to the company

Tripwire A tripwire is a passive triggering mechanism. Typically, a wire or cord is attached to a device for detecting or reacting to physical movement. Military applications Such tripwires may be attached to one or more mines⁠especially fragme ...

during their first few years. He was also an advisor to

Dan Farmer Dan Farmer (born April 5, 1962) is an American computer security researcher and programmer who was a pioneer in the development of vulnerability scanners for Unix operating systems and computer networks. Life and career Farmer developed his ...

who coded the

freeware Freeware is software, often proprietary, that is distributed at no monetary cost to the end user. There is no agreed-upon set of rights, license, or EULA that defines ''freeware'' unambiguously; every publisher defines its own rules for the free ...

Computer Oracle and Password System ( COPS) tool as a Purdue undergraduate. In 2009, Spafford discussed on

C-SPAN Cable-Satellite Public Affairs Network (C-SPAN ) is an American Cable television in the United States, cable and Satellite television in the United States, satellite television network, created in 1979 by the cable television industry as a Non ...

an article in

The New York Times ''The New York Times'' (''NYT'') is an American daily newspaper based in New York City. ''The New York Times'' covers domestic, national, and international news, and publishes opinion pieces, investigative reports, and reviews. As one of ...

that looked at how the Internet had been a conduit for many types of ''

cybercrime Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or Computer network, networks. It has been variously defined as "a crime committed on a computer network, especially the Internet"; Cyberc ...

''. Recent work from Spafford has shown how to deceive adversaries and thus make computing systems more secure, drawing on his multi-disciplinary expertise in information security and psychology. Spafford is on the board of directors of the

Computing Research Association The Computing Research Association (CRA) is a 501(c)3 non-profit association of North American academic departments of computer science, computer engineering, and related fields; laboratories and centers in industry, government, and academia enga ...

and is the former

chairperson The chair, also chairman, chairwoman, or chairperson, is the presiding officer of an organized group such as a Board of directors, board, committee, or deliberative assembly. The person holding the office, who is typically elected or appointed by ...

of the

Association for Computing Machinery The Association for Computing Machinery (ACM) is a US-based international learned society for computing. It was founded in 1947 and is the world's largest scientific and educational computing society. The ACM is a non-profit professional membe ...

's (ACM) US Public Policy Committee. He was a member of the President's Information Technology Advisory Committee from 2003 to 2005 and an advisor to the

National Science Foundation The U.S. National Science Foundation (NSF) is an Independent agencies of the United States government#Examples of independent agencies, independent agency of the Federal government of the United States, United States federal government that su ...

(NSF). Spaf is a Fellow of the

(1997),

American Association for the Advancement of Science The American Association for the Advancement of Science (AAAS) is a United States–based international nonprofit with the stated mission of promoting cooperation among scientists, defending scientific freedom, encouraging scientific responsib ...

(1999),

Institute of Electrical and Electronics Engineers The Institute of Electrical and Electronics Engineers (IEEE) is an American 501(c)(3) public charity professional organization for electrical engineering, electronics engineering, and other related disciplines. The IEEE has a corporate office ...

(2000),

ISC2 International Information System Security Certification Consortium, or ISC2, is a non-profit organization which specializes in training and certifications for cybersecurity professionals. It has been described as the “world's largest IT secur ...

(2008), and the

American Academy of Arts and Sciences The American Academy of Arts and Sciences (The Academy) is one of the oldest learned societies in the United States. It was founded in 1780 during the American Revolution by John Adams, John Hancock, James Bowdoin, Andrew Oliver, and other ...

(2020); he is a Distinguished Fellow of the

Information Systems Security Association Information Systems Security Association (ISSA) is a not-for-profit, international professional organization of information security professionals and practitioners. It was founded in 1984 after work on its establishment started in 1982. ISSA prom ...

(2009).

Selected honors and awards

*1996 Awarded charter membership in the

(IEEE)

IEEE Computer Society IEEE Computer Society (commonly known as the Computer Society or CS) is a technical society of the Institute of Electrical and Electronics Engineers (IEEE) dedicated to computing, namely the major areas of hardware, software, standards and people ...

's Golden Core for distinguished service to the Computer Society during its first 50 years *2000

National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into Outline of p ...

(NIST) and

National Computer Security Center The National Security Agency (NSA) is an intelligence agency of the United States Department of Defense, under the authority of the director of national intelligence (DNI). The NSA is responsible for global monitoring, collection, and proces ...

(NCSC) National Computer Systems Security Award *2001 Named to the

(ISSA) Hall of Fame *2003 Awarded

United States Air Force The United States Air Force (USAF) is the Air force, air service branch of the United States Department of Defense. It is one of the six United States Armed Forces and one of the eight uniformed services of the United States. Tracing its ori ...

medal for Meritorious Civilian Service *2007 ACM President's Award *2009

Distinguished Service Award *2012 Named as a

Morrill Award recipient *2013 Elected to the National Cybersecurity Hall of Fame *2013 Received the

Harold F. Tipton Lifetime Achievement Award *2016 Named as a

Sagamore of the Wabash The Governor of Indiana, Governor of the U.S. state of Indiana can bestow five types of awards: the Sagamore of the Wabash, the Circle of Corydon, the Distinguished Hoosier, the Honorary Hoosier, and the Sachem Award. Given at the Governor's dis ...

*2017 Received the

International Federation for Information Processing The International Federation for Information Processing (IFIP) is a global organisation for researchers and professionals working in the field of computing to conduct research, develop standards and promote information sharing. Established in 19 ...

(IFIP) TC-11 Kristian Beckman Award *2020 IEEE Security and Privacy Symposium Test of Time Award *2022 Honorary Professor of the University of Nottingham. *2025 Named as a Distinguished Professor at

References

External links