Cyber Security and Privacy Research Institute

Computer Science Department

The George Washington University

Washington, D. C.

202 994-4955


(Last updated July 8, 2016.  A more graphics-friendly version of roughly the same material is at


Lance J. Hoffman, educator and researcher, is Distinguished Research Professor of Computer Science and Director of the Cyber Security and Privacy Research Institute (CSPRI) at The George Washington University (GW) in Washington, D. C.  CSPRI [1] facilitates and executes interdisciplinary research in cyber security.  Inside GW, the Institute bridges discipline barriers to bring together researchers from all of the ten Schools of GW with interests in technological and policy issues related to cybersecurity.


Professor Hoffman developed the first regularly offered course on computer security at the University of California, Berkeley in 1970 after serving on the Advisory Committee to the California Assembly Committee on Statewide Information Policy.  His second book, Modern Methods for Computer Security and Privacy, published in 1977, was a standard textbook in the few computer security courses offered at the time around the world.  His other books, all anthologies, captured the state of cybersecurity and privacy at various times:

a.                     Security and Privacy in Computer Systems in 1973, the year of the first international connections with the ARPANET

b.                    Computers and Privacy in the Next Decade in 1980, after the advent of public-key cryptography

c.                     Rogue Programs: Viruses, Worms, and Trojan Horses in 1990, after viruses and other malware were becoming common problems

d.                    Building in Big Brother: The Encryption Policy Debate in 1995, during cryptographic policy debates related to the proposed Clipper chip.


A Fellow of the Association for Computing Machinery, Dr. Hoffman institutionalized the ACM Conference on Computers, Freedom, and Privacy [2].  He has served on a number of Advisory Committees including those of Federal Trade Commission, the Department of Homeland Security, the Center for Democracy and Technology, and IBM.  He has chaired the Information Security Subcommittee of the IEEE Committee on Communications and Information Policy and is a Member of the Subcommittees on Law, and Security and Privacy of the U. S. Public Policy Council of the ACM.


His research has spanned multiple aspects of cybersecurity, including models and metrics for secure computer systems [3], cryptography policy [4], risk analysis[5], societal vulnerability to computer system failures [6], improved architectures for in-vehicle security systems [7], a smart-card-protected operating system [8], portable security labs [9], medical record security and privacy [10], and statistical inference for data mining [11]. 


His thought leadership has included the organizing of several projects that pushed forward emerging areas of cybersecurity:

a.    a 1987 workshop that was one of the first to explore issues related to Internet voting and personal computer-based voting machine systems, and whose report [12] suggested actions to develop uniform standards, improve testing and audit capabilities and internal controls, clarify responsibilities, improve training, and standardize terminology in election systems

b.   a 1999 study of foreign encryption products that explored the effect of the United States export control regime on American and foreign manufacturers.  It identified 805 hardware and/or software products incorporating cryptography manufactured in 35 countries outside the United States, and identified 512 foreign companies that either manufactured or distributed foreign cryptographic products in at least 67 countries outside the United States [13].  Dr. Hoffman later testified before the U. S. Senate Commerce Committee on the topic, displaying an array of the products purchased at the time.

c.      a 2004 workshop that explored a National Cyber Security Exercise for Universities, issued a report that described types of cyberexercises, proposed a generic structure for them, and enumerated logistical and other considerations, resources and costs required, and governance issues.  This work [14] sparked numerous cybersecurity educational competitions.

d.     a 2010 workshop on information assurance education and workforce Development that examined the challenges of developing the workforce in cybersecurity and articulated steps to insure that universities produce appropriately educated individuals [15]. This led to a broader paper that summarized the workshop and related it to other cybersecurity workforce issues [16]. 

e.      the development and promulgation of new courses as the field of cybersecurity grew, for example on e-commerce security [17], information policy, and cybersecurity and governance.


Dr. Hoffman served as thesis advisor for nine doctoral students, and numerous master’s and bachelor’s students studied under him.  But his reputation in cybersecurity education circles also stems from his work as the initiator and principal investigator for the GW CyberCorps scholarship program [18] that has produced dozens of cybersecurity experts with degrees in at least ten majors [19].  All have had cross-disciplinary instruction that recognizes cybersecurity as a discipline with technology, policy, and management components, often presented by government and industry information security leaders who regularly visit the GW campus to provide timely topical briefings.  These graduates have gone on to work for dozens of different federal organizations.


His work on automated risk analysis [20] led to a commercial product, RISKCALC [21], in the mid-1980s.


Beyond his computer science accomplishments, he has envisioned the application of computers in several other fields.  For example, he wrote an early paper in 1973 on computers and commodity trading [22] and ran a computer dating service while a graduate student at Stanford, where he earned his Ph. D. in Computer Science in 1970, after a B.S. in Mathematics from Carnegie Mellon University.  



  1. Cyber Security and Policy Research Institute, The George Washington University,

2. Proceedings of the Second Conference on Computers, Freedom, and Privacy (Editor), Association for Computing Machinery Conferences Office, New York, N. Y., 1993,

3. (with Kim Lawson and Jeremy Blum), Trust Beyond Security: an Expanded Trust Model, Communications of the ACM, July 2006, vol. 9, no. 7, pp. 95-104

4. (with F. Ali, S. Heckler, and A. Huybrechts), Cryptography policy, Communications of the ACM 37, 9 (September 1994)

5. "Risk Analysis and Computer Security: Bridging the Cultural Gaps", Proc. 9th National Computer Security Conference, National Bureau of Standards, Gaithersburg, Md., September 1986.

6. (with L. Moran), "Societal Vulnerability to Computer System Failures", Computers and Security, Vol. 5 (1986), pp. 211_217.

7. Blum, J., Eskandarian, A., and Hoffman, L. (2003) Mobility Management of Inter-Vehicle Networks, Columbus, OH: IEEE IV2003 Symposium, pp. 150-155.

8. (with P. C. Clark) BITS: A Smartcard Protected Operating System, Communications of the ACM 37, 11 (November 1994), 66-70, 94.

9. (with Tim Rosenberg) Taking Networks on the Road: Portable Solutions for Security Educators, IEEE Security & Privacy, January-February 2006, pp. 64-67.

10. "Data Security and Privacy in Health Information Systems", Topics in Emergency Medicine 17, 4 (December 1995).

11. (with W. F. Miller) "Getting a Personal Dossier from a Statistical Data Bank", Datamation, May 1970.

12. Making Every Vote Count: Security and Reliability of Computerized Vote-Counting Systems, Report GWU_IIST_87_17, Department of Electrical Engineering and Computer Science, The George Washington University, Washington, D. C., December 1987.

13. (with David M. Balenson, Karen A. Metivier-Carreiro, Anya Kim, and Matthew G. Mundy), Growing Development of Foreign Encryption Products in the Face of U. S. Export Regulations, The George Washington University Cyberspace Policy Institute, Report GWU-CPI-1999-02, June 1999.

14. (with Ronald Dodge, Timothy Rosenberg, and Dan Ragsdale), Exploring a National Cyber Security Exercise for Universities, IEEE Security & Privacy, vol. 3, no. 5, September/October 2005, pp. 27-33.

15. Lance J. Hoffman, Building the Cyber Security Workforce of the 21st Century: Report of a Workshop on Cyber Security Education and Workforce DevelopmentReport GW-CSPRI-2010-3, December 15, 2010.

16. (with Diana L. Burley and Costis Toregas), Holistically Building the Cybersecurity Workforce, IEEE Security & Privacy, Vol. 10, No. 2 (March/April 2012), pp. 33-39.

17. (with Rachna Dhamija and Rachelle Heller), Teaching E-Commerce to a Multidisciplinary Class, Communications of the ACM, 42, 9 (September 1999), pp. 50-55.

18. GW CyberCorps: Information Assurance Scholarship for Service Program,

19. The majors are computer science, electrical engineering, engineering management, forensic sciences (high technology crime investigation), business administration, and public policy, international science and technology policy, information science, information systems technology , international affairs.

20. "PC Software for Risk Analysis Proves Effective", Government Computer News, Vol. 4, No. 18, September 27, 1985, pp. 58-59.

21. “A General Purpose Shell for Risk Analysis” in L. A. Cox, P. F. Ricci (Editors), New Risks: Issues and Management, Vol. 6 of Advances in Risk Analysis, Springer Science Business Media, September 30, 1990.

22. (with R. Sandor) "Computers and Commodity Trading", Commodities, Vol. 1, No. 1, February/March 1973, pp. 20_23.