Purdue University has a history of “firsts” in computing. The computer science department was founded in 1962, making it the oldest degree-granting CS program in the world. Purdue also has a history of research and education in cybersecurity, including the first multidisciplinary research center in the field (1998, CERIAS), and the first regular graduate degree in cybersecurity (2000).
Dorothy Denning completed her Ph.D. in CS at Purdue in 1975. Her dissertation was entitled Secure Information Flow in Computer Systems. After graduation, she joined the computer science faculty. She began offering a regular course in data security, starting in 1981. Matt Bishop was the TA for that course and completed his Ph.D. in security in 1984 with Dorothy as his advisor. Both Dorothy and Matt are well-known in cybersecurity for their many fundamental contributions.
Sam Wagstaff arrived in 1983 and assumed responsibility for teaching the data security course. Gene Spafford joined the faculty in 1997, although he did not teach a core cybersecurity course in his first few years at Purdue; he primarily taught software engineering and distributed systems.
In 1992, Spafford started the COAST Laboratory in the CS department, with initial support from Wagstaff. In 1998, CERIAS was established as a university institute, led by Spafford and supported by faculty in five other university departments. (As of January 2026, there are over 150 affiliated faculty in 20 academic departments. We'll have a more detailed history of CERIAS in a future post.) The first Ph.D. graduate from COAST, advised by Spafford, was Sandeep Kumar in 1995.
In 1997, immediately prior to the founding of CERIAS, Professor Spafford provided testimony before the House Science Committee of the 105th Congress. In that, he described the then-current national production of Ph.D.s in cybersecurity as only 2-3 per year. This was clearly not sufficient for the growing demand. His testimony inspired formation of both the NSF Scholarship for Service and the NSA/DHS Academic Centers of Excellence to encourage more students to pursue degrees. CERIAS leadership also considered it an initial priority to encourage more such degrees.
In the years since then, a number of universities around the world have developed cybersecurity research and education programs. A few thousand Ph.D.s have been graduated since the mid-1990s.
Rob Morton, a 2024 Ph.D. advised by Spafford, conducted research on degrees produced, augmented by Deep Search in Google Gemini. What follows are results from his research.
1988 was used as a starting point for "modern" academic cybersecurity. Following the Morris Worm (November 1988), the field formalized rapidly: Carnegie Mellon formed the CERT/CC, Purdue formed the COAST Laboratory (precursor to CERIAS), and UC Davis began its dedicated security architecture work.
Since that year, Purdue University and Carnegie Mellon University (CMU) have been the undisputed volume leaders in producing doctoral graduates with security-specific dissertations.
These counts exclude Master's degrees. They represent Doctoral candidates whose dissertations were primarily focused on Information Security, Privacy, or Cryptography. (The CERIAS/COAST numbers have been updated using local Purdue records.)
Tomorrow, July 1, 2025, ushers in two significant changes.
For the first time in over 25 years, our fantastic administrative assistant, Lori Floyd, will not be present to greet us as she has retired. Lori joined the staff of CERIAS in October of 1999 and has done a fantastic job of helping us keep moving forward. Lori was the first person people would meet when visiting us in our original offices in the Recitation Building, and often the first to open the door at our new offices in Convergence. At our symposia, workshops, and events of all kinds, Lori helped ensure we had a proper room, handouts, and (when appropriate) refreshments. She also helped keep all the paperwork and scheduling straight for our visitors and speakers, handled some of our purchasing, and acted as building deputy. We know she quietly and competently did many other things behind the scenes, and we'll undoubtedly learn about them as things begin to fall apart!
We all wish Lori well in her retirement. She plans to spend time with her partner, kids, and grandkids, travel, and garden. She will be missed at CERIAS, but definitely not forgotten.
The second change is in the related INSC Interdisciplinary Information Security graduate program, a spin-off of CERIAS. In 2000, Melissa Dark, Victor Raskin, and Spaf founded the INSC program as the first graduate degree in information/cyber security in the world. The program was explicitly interdisciplinary from the start and supported by faculty across the university. Students were (and still are) required to take technology ethics and policy courses in addition to cybersecurity courses. Starting with MS students supported by one of the very first NSF CyberCorp awards, the program quickly grew and was approved to offer the Ph.D. degree.
INSC was never formally a part of CERIAS, but students and faculty often saw them as related. All INSC students were automatically included in CERIAS events, and they were frequently recruited by CERIAS partners (and still are!). CERIAS faculty volunteer to serve on INSC committees and to advise the students. It is a "win–win" situation that has resulted in some great graduates, many now in some notable positions in industry and government.
The change coming to INSC is in leadership. After 25 years as program head, Spaf is stepping into the role of associate head for a while. Taking on the role of program head is Professor Christopher Yeomans. Chris has been a long-time supporter of the program with experience as the chair of the Philosophy Department.
(If you're interested in a graduate degree through INSC visit the website describing the program and how to apply.)
]]>