Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to preliminary amendment filed on 1/31/2019. Claims 1, 17 and 19 are independents. Claims 1-20 are presented for examination.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/31/2019 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Examiner's Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Applicant’s representative Joseph Ryan, Registration No. 37922, on 3/12/2021.

BEGIN AMENDMENT


16. (Currently Amended) The method of claim 1 further comprising generating a risk score for the enterprise system based at least in part on the generated risk score for the given asset and one or more additional risk scores generated for additional ones of a plurality of assets of the enterprise system, each additional risk score being generated based on a determined likelihood of the corresponding asset becoming compromised responsive to compromise of the given user and a determined importance of the corresponding asset of the enterprise system.

19. (Currently Amended) An apparatus comprising: at least one processing device comprising a processor and a memory, the processor coupled to [[a]] the memory; the at least one processing device being configured to: 
[[to]] obtain information regarding a set of authentication events for an enterprise system, a given authentication event being associated with at least one of a plurality of users of the enterprise system accessing at least one of a plurality of assets of the enterprise system; 
[[to]] determine a likelihood of a given one of the plurality of assets of the enterprise system becoming compromised responsive to compromise of a given one of the plurality of users of the enterprise system, the given asset comprising at least one of a physical computing resource and a virtual computing resource in the enterprise system; 
[[to]] determine an importance of the given asset of the enterprise system based at least in part on a criticality value associated with the given asset; 
[[to]] generate a risk score for the given asset based at least in part on: (i) the determined likelihood of the given asset becoming compromised responsive to compromise of the given user; and (ii) the determined importance of the given asset; 
[[to]] identify one or more remedial actions to reduce the risk score for the given asset; and 
[[to]] implement, prior to detecting compromise of the given user, at least one of the remedial actions to modify a configuration of the given asset.

20. (Currently Amended) The apparatus of claim 19 wherein obtain the information regarding the set of authentication events comprises generating an enterprise risk propagation graph comprising a bipartite graph with a first portion comprising a first plurality of nodes representing respective ones of the plurality of users of the enterprise system and a second portion comprising a second plurality of nodes representing respective ones of the plurality of assets of the enterprise system, the first and second pluralities of nodes being connected by a plurality of edges representing the obtained authentication events.

END AMENDMENT

Allowable Subject Matter
Claims 1-20 are allowed.
The following is an examiner’s statement for allowance:
The closest prior art Brannon et al. (US 20200257784 A1) teaches a method for automatically assessing the level of security and/or privacy risk associated with doing business with a particular vendor or other entity and for generating training material for such vendors. The method comprising: receiving one or more pieces of vendor information associated with the particular vendor; receiving one or more pieces of vendor assessment information associated with the particular vendor; obtaining one or more pieces of publicly available privacy-related information associated with the particular vendor by scanning one or more webpages associated with the particular vendor; calculating a privacy risk score based on: the one or more pieces of vendor information associated with the particular vendor, the one or more pieces of vendor assessment information associated with the particular vendor, the one or more pieces of publicly available privacy-related information associated with the particular vendor, and presenting, by one or more processors on a graphical user interface, the privacy risk score for the particular vendor.
The closest prior art Iyer et al. (US 20200162497 A1) teaches a method for securing a service implemented on a computer network, which includes identifying network assets in the computer network used by the service. The method further includes identifying vulnerabilities in one or more of the network assets, determining an asset risk score for each of the network assets, and determining a service risk score for the service. The method involves implementing one or more vulnerability remediation 
The closest prior art Wright et al. (US 20180046796A1) teaches a method for identifying compromised credentials and controlling account access, the method comprising: identifying compromised credential data, wherein compromised credential data comprise compromised credentials for one or more compromised accounts that have been exposed to a malicious actor via an illegitimate method, the compromised credentials including credentials that are useable for authentication to or for accessing the one or more compromised accounts; testing the compromised credentials, wherein testing compromised credentials includes using the compromised credentials to determine a usability of the compromised credentials to attack one or more different accounts from the one or more compromised accounts; and modifying account access associated with one or more of (i) the one or more compromised accounts and (ii) the one or more different accounts.
None of the prior art of record teaches or suggests, alone or in combination, the particular combination of steps in claims 6 and 15 as recited below:
“generating a risk score for the given asset based at least in part on: (i) the determined likelihood of the given asset becoming compromised responsive to compromise of the given user; and (ii) the determined importance of the given asset; identifying one or more remedial actions to reduce the risk score for the given asset”, in combination with other features as in claims 1, 17 and 19.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday - Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHU CHUN GAO/Examiner, Art Unit 2437 

/ALI S ABYANEH/Primary Examiner, Art Unit 2437