Security expert Dr. Gene Spafford

Special to Geartest.com

This is an edited transcript of an interview with Dr. Gene Spafford, an expert in the areas of computer and information security.
Geartest.com: Could you tell us about your current work?

Spafford: For the last nine to 10 years I've been working almost exclusively in the area of information security systems and technologies, and integration of that with research in areas related to computing that have an impact on security and reliability of computing systems.

Geartest.com: What do you see as the major challenge in information security today?

Spafford: If it had to be a single challenge, from a societal point of view, it would be getting the everyday user who knows very little about how computers work and what security means -- and what the risks are -- to embrace and use good technology and techniques to protect their systems. A lot of the attacks that we're seeing now are coming from systems that have been subverted, sometimes by automated agents -- worms, break-in toolkits, massive denial of service tools -- that are taking over home computers [and] small business computers, and are using those as platforms to launch attacks. That's a big threat because those systems are not run by people who really understand anything at all about security, and the systems are also built and sold by companies that haven't found a reason to include better security in their products. So we have to find some way to get all of these people using these systems to effectively use some technologies to protect their systems and to want to embrace it, even if it costs a little bit more. I would say that's the most encompassing problem.
Geartest.com: What kind of advanced systems that individuals can use are you talking about? Are there any out there right now?

Spafford: Well, the closest that we have to that [is] some of the antivirus tools, some of the personal firewall kits and application of security patches or applying individual security scanners to know that the patches need to be put in place. But most of those really require deeper understanding of what's going on with the system than your average user has the capability to apply. So, we aren't really there yet. If you think about the typical home system, it's probably a 3/4 of a gigahertz processor, a lot of RAM and disk [space], it's got a network connection, [it] may be connected to an always-on [Internet] connection through a DSL or cable-modem, [it has a] big, general purpose operating system with lots of utilities, a full protocol stack for the network, a debugger, a compiler [and] all of these other kinds of things. And yet, the person at home is using it for potentially three applications: a Web browser, e-mail and a game. That's it. So we have a big mismatch between the needs and the understanding and the capabilities and what's actually there. We need to understand better how, perhaps, to shape the systems to meet the [user's] needs, and that could also help [improve security]. So instead of layering something on a system, actually replacing it with a better match [is a solution]. Security doesn't work as an add-on. It really needs to be built-in from the beginning.
Portions of this interview previously appeared in Ziff-Davis Media's CIO Insight magazine.
Copyright © 1999 - Geartest.com™ All rights reserved.