Purdue University Cyber Security

Introduction Purdue University has a history of “firsts” in computing. The computer science department was founded in 1962, making it the oldest degree-granting CS program in the world. Purdue also has a history of research and education in cybersecurity, including the first multidisciplinary research center in the field (1998, CERIAS), and the first regular graduate degree in cybersecurity (2000). Dorothy Denning completed her Ph.D. in CS at Purdue in 1975. Her dissertation was entitled Secure Information Flow in Computer Systems. After graduation, she joined the computer science faculty. She began offering a regular course in data security, starting in 1981. Matt Bishop was the TA for that course and completed his Ph.D. in security in 1984 with Dorothy as his advisor. Both Dorothy and Matt are well-known in cybersecurity for their many fundamental contributions. Sam Wagstaff arrived in 1983 and assumed responsibility for teaching the data security course. Gene Spafford joined the faculty in 1997, although he did not teach a core cybersecurity course in his first few years at Purdue; he primarily taught software engineering and distributed systems. In 1992, Spafford started the COAST Laboratory in the CS department, with initial support from Wagstaff. In 1998, CERIAS was established as a university institute, led by Spafford and supported by faculty in five other university departments. (As of January 2026, there are over 150 affiliated faculty in 20 academic departments. We’ll have a more detailed history of CERIAS in a future post.) The first Ph.D. graduate from COAST, advised by Spafford, was Sandeep Kumar in 1995. In 1997, immediately prior to the founding of CERIAS, Professor Spafford provided testimony before the House Science Committee of the 105th Congress. In that, he described the then-current national production of Ph.D.s in cybersecurity as only 2-3 per year. This was clearly not sufficient for the growing demand. His testimony inspired formation of both the NSF Scholarship for Service and the NSA/DHS Academic Centers of Excellence to encourage more students to pursue degrees. CERIAS leadership also considered it an initial priority to encourage more such degrees. In the years since then, a number of universities around the world have developed cybersecurity research and education programs. A few thousand Ph.D.s have been graduated since the mid-1990s. Ph.D. Production from mid 1990s Rob Morton, a 2024 Ph.D. advised by Spafford, conducted research on degrees produced, augmented by Deep Search in Google Gemini. What follows are results from his research. 1988 was used as a starting point for “modern” academic cybersecurity. Following the Morris Worm (November 1988), the field formalized rapidly: Carnegie Mellon formed the CERT/CC, Purdue formed the COAST Laboratory (precursor to CERIAS), and UC Davis began its dedicated security architecture work. Since that year, Purdue University and Carnegie Mellon University (CMU) have been the undisputed volume leaders in producing doctoral graduates with security-specific dissertations. The Historical “Leaderboard” (Covering 1988–2024) These counts exclude Master’s degrees. They represent Doctoral candidates whose dissertations were primarily focused on Information Security, Privacy, or Cryptography. (The CERIAS/COAST numbers have been updated using local Purdue records.) InstitutionLab / CenterEst. Total PhDs (1988–2024)Key Historical Era Purdue UniversityCERIAS/COAST400-500The Pioneer: The COAST lab (founded 1992) produced many of the field’s first PhDs. CERIAS may have produced 20%–35% of all US security PhDs during the 2000s, across several disciplines. Carnegie Mellon (CMU)CyLab / CERT300+The Policy & Systems Hub: CMU scaled rapidly in the 2000s. Their “Societal Computing” and “Engineering & Public Policy” tracks add significant volume beyond pure CS. UC DavisComputer Security Lab120–150The Early Architect: A significant producer in the 90s/00s (e.g., Matt Bishop’s group). Alumni heavily populated the early faculties of other universities. Georgia TechIISP / SCP150–180The Modern Scaler: While starting slightly later in volume than Purdue/Davis, they now produce ~10–15 PhDs/year, catching up rapidly in the last decade. UC BerkeleyTRUST / CLTC~100The Elite Theoretical: Lower volume, but extremely high impact. Focuses heavily on cryptography and formal methods. Johns Hopkins (JHU)ISI~80–100The Crypto Hub: Historically specialized in cryptography and medical privacy. Univ. of MarylandMC2~100The Federal Feeder: High volume due to proximity to NSA/funding; strong focus on applied crypto and programming languages. Detailed Breakdown by Era 1. The “Pioneer” Era (1988–1998) Total US Production: Extremely low (~5–10 per year nationwide). Dominant School: Purdue University (COAST Lab). Context: In this decade, if you met a PhD in security, they likely came from Purdue or UC Davis.There were almost no dedicated “Security” tracks elsewhere; students had to beg CS advisors to let them study viruses or intrusion detection. Notable Alumni: Many of the early leaders of security research graduated in this narrow window from these two schools. 2. The “Formalization” Era (1999–2010) Total US Production: Growing (~30–50 per year). Dominant School: Carnegie Mellon (CMU) and Purdue. Context: The NSA started the “Centers of Academic Excellence” (CAE) program in 1999. Funding exploded. CMU’s CyLab began to industrialize the PhD process, adding policy and economics to the mix. Georgia Tech began ramping up network research. Also notable, although smaller, were programs at James Madison University, George Mason University, Idaho State University, Iowa State University, and the University of Idaho. 3. The “AI & Scale” Era (2011–Present) Total US Production: High (~100–150+ per year). Dominant School: Georgia Tech and Northeastern. Context: Security became a standard sub-field of Computer Science. Purdue remains the steady “interdisciplinary” leader (averaging ~15–20 PhDs/year recently), mostly in CS. Georgia Tech and Northeastern aggressively hired faculty to scale their output. Top-Tier Shift: Schools like MIT and Stanford began producing PhDs focused on “Adversarial AI,” blurring the line between Security and Artificial Intelligence. Summary of the “Big Two” (Published Alumni Counts) Purdue (CERIAS): Their public alum rosters list approximately 360+ PhD graduates associated with the institute since its inception (counting the COAST era). However, the total count across the whole university is known to be higher as affiliation with CERIAS is optional and graduates originate in many disciplines. UC Davis: Their Security Lab alum page lists approximately 85+ PhDs specifically from the Computer Security Lab. However, the total count across the whole university is likely higher.

Tomorrow, July 1, 2025, ushers in two significant changes. For the first time in over 25 years, our fantastic administrative assistant, Lori Floyd, will not be present to greet us as she has retired. Lori joined the staff of CERIAS in October of 1999 and has done a fantastic job of helping us keep moving forward. Lori was the first person people would meet when visiting us in our original offices in the Recitation Building, and often the first to open the door at our new offices in Convergence. At our symposia, workshops, and events of all kinds, Lori helped ensure we had a proper room, handouts, and (when appropriate) refreshments. She also helped keep all the paperwork and scheduling straight for our visitors and speakers, handled some of our purchasing, and acted as building deputy. We know she quietly and competently did many other things behind the scenes, and we’ll undoubtedly learn about them as things begin to fall apart! We all wish Lori well in her retirement. She plans to spend time with her partner, kids, and grandkids, travel, and garden. She will be missed at CERIAS, but definitely not forgotten. The second change is in the related INSC Interdisciplinary Information Security graduate program, a spin-off of CERIAS. In 2000, Melissa Dark, Victor Raskin, and Spaf founded the INSC program as the first graduate degree in information/cyber security in the world. The program was explicitly interdisciplinary from the start and supported by faculty across the university. Students were (and still are) required to take technology ethics and policy courses in addition to cybersecurity courses. Starting with MS students supported by one of the very first NSF CyberCorp awards, the program quickly grew and was approved to offer the Ph.D. degree. INSC was never formally a part of CERIAS, but students and faculty often saw them as related. All INSC students were automatically included in CERIAS events, and they were frequently recruited by CERIAS partners (and still are!). CERIAS faculty volunteer to serve on INSC committees and to advise the students. It is a “win–win” situation that has resulted in some great graduates, many now in some notable positions in industry and government. The change coming to INSC is in leadership. After 25 years as program head, Spaf is stepping into the role of associate head for a while. Taking on the role of program head is Professor Christopher Yeomans. Chris has been a long-time supporter of the program with experience as the chair of the Philosophy Department. (If you’re interested in a graduate degree through INSC visit the website describing the program and how to apply.)