Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	Claims 1-3, 5-6, 9 and 11-12 have been amended. Claim 4 has been canceled. Claims 13-21 have been newly added. Claims 1-3 and 5-21 have been examined.

Response to Arguments
2.	Applicant's arguments filed 01/05/2021 with respect to the 101 rejection of claims 1-12 have been fully considered but they are not persuasive.
	As noted in the rejection below, the claim amendments fail to overcome the 35 USC 101 rejection of claims 1-12.
	The step of “acting to mitigate the risk” that was discussed in the interview of 12/14/2020 as a integrating the abstract idea into a practical application has been included as an alternative “or” with the step of “measuring the risk”.
	Thus, the final step of method is “measuring the risk…or acting to mitigate the risk”. Therefore, given the broadest, reasonable interpretation of the claims, there exists at least one embodiment where the “acting to mitigate” is not performed. Furthermore, there is nothing in the “acting to mitigate the risk” step that ties the limitation to the “adjusting”, “determining” and “measuring” abstract ideas.
	To overcome the 35 USC 101 rejection, Examiner recommends incorporating subject matter from paragraphs [0035] and [0036] of the Specification by amending claims 1 and 11-12 to recite:
“	…

	f) when the risk exceeds a predetermined threshold value, acting to mitigate the risk.”

	Applicant’s arguments with respect to the 102 and 103 rejections of claim 1 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Interpretation
3.	For claims 1, 3, 5, 7, 11-12, 14-15, 17 and 19-20, the phrases “or” and “one or both” have been given the broadest, reasonable interpretation of only requiring a single element from the given list in order to satisfy the requirements of the limitation.


4.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claim Rejections - 35 USC § 112
5.	Claims 1-3 and 5-21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Claims 2-3, 5-10 and 13-21 inherit the deficiency of the claims they depend on.


Claim Rejections - 35 USC § 101
6.	Claims 1-3 and 5-21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recite a method for measuring risk. The method steps of “adjusting”, “determining” and “measuring” are concepts performed in the human mind and fall within the “Mental Processes” grouping of abstract ideas. When given the broadest reasonable interpretation of the claims, a user is observing received probabilities and costs and then making mental determinations and calculations to measure the risk of an undesirable event.
This judicial exception is not integrated into a practical application because the additional claimed steps of “obtaining” information are insignificant extra-solution activity and fail to add a meaningful limitation. For claims 11-12, the additional elements merely apply the abstract idea with generic computer functions and do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.

The other additional element (acting to mitigate the risk) is written as an optional “or” limitation. A broadest, reasonable interpretation of the claims would not require this “acting” step. 

7.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 103
8.	Claims 1-3, 5-9 and 11-21 are rejected under 35 U.S.C. 103 as being unpatentable over Kolishchak (U.S. Patent Application Publication 2012/0210388), and further in view of Takeuchi et al. (U.S. Patent Application Publication 2005/0193250; hereafter “Takeuchi”).
	For claims 1, 11 and 12, Kuroda teaches a method, computer program product (note paragraphs [0221]-[0222], memory and storage) and system (note Fig. 8 and paragraph [0220], digital device with processor) for determining a risk associated with regarding digital data files to cause an undesired event such as data loss or data leakage of the digital files within a secure data environment (note paragraph [0033], system detects data leakage using behavior modeling), the method comprising:
	a) monitoring ongoing transactions with the digital data files (note paragraphs [0038] and [0055], data flow including data blocks of files are monitored by data flow detection module);
	b) obtaining one or more probabilities, each probability associated with a respective potential undesired event associated with the digital data files and each probability being a conditional probability given the behavioral activity (note paragraphs [0065]-[0068], [0097]-[0098],[0140], [0165], [0178], [0185], [0188], [0191], behavior models generate risk probabilities with respect to data leakage event given the file activity detected);
	c) adjusting each of said probabilities by multiplication with a respective probability weighting factor (note paragraphs [0195]-[0196], behavior models are multiplied by a weight); and
	e) acting to mitigate the risk (note paragraph [0210], system acts to mitigate the risk by blocking data flow and denying access).

	Kolishchak differs from the claimed invention in that they fail to teach:
	for each potential undesired event associated with the digital data files, obtaining one or more entity costs, each entity cost representative of a contribution to said risk associated with a given type of entity associated with the behavioral activity;
d) for each potential undesired event associated with the digital data files, determining a resultant cost as a function of said entity costs; and
	e) measuring the risk as an expectation over the one or more resultant costs distributed over the associated probabilities of potential undesired events associated with the digital data files 

	Takeuchi teaches:
	for each potential undesired event associated with the digital data files, obtaining one or more entity costs, each entity cost representative of a contribution to said risk associated with a given type of entity associated with the behavioral activity (note paragraphs [0076]-[0079], the initial file asset value, i.e. cost of data leakage, is determined);
	d) for each potential undesired event associated with the digital data files, determining a resultant cost as a function of said entity costs (note paragraphs [0080]-[0081], current asset value is determined for the point in time of the potential data leakage event); and
	e) measuring the risk as an expectation over the one or more resultant costs distributed over the associated probabilities of potential undesired events associated with the digital data files or acting to mitigate the risk (note paragraphs [0083]-[0086], risk value is measured over asset value) or acting to mitigate the risk (note paragraph [0113], administrator is instructed about countermeasures to prevent leaks)




	For claims 2, 13 and 18, the combination of Kolishchak and Takeuchi teaches claims 1 and 11-12, wherein a single nonzero event risk value is determined and a single corresponding conditional probability of said undesired event associated with the digital data files given the behavioral activity is obtained (note paragraph [0195] of Kolishchak, threat level probability score is obtained).

	For claims 3, 14 and 19, the combination of Kolishchak and Takeuchi teaches claim claims 1 and 11-12, wherein the probability weighting factor is associated with one or both of the behavioral activity and the undesired event associated with the digital data files corresponding to the conditional probability being adjusted by multiplication with said probability weighting factor (note paragraph [0196] of Kolishchak, weights are based on operational risk model, i.e. undesired event and file size, destination, etc., i.e. behavioral activity).

undesired event associated with the digital data files is a weighted or an unweighted average of entity costs associated with said undesired event associated with the digital data files (note paragraphs [0105]-[0107] of Takeuchi, value of folder, i.e. entity cost, is averaged of values of files in folder).

	For claims 6, 16 and 21, the combination of Kolishchak and Takeuchi teaches claims 1 and 11-12, wherein an average of said entity costs is a weighted average, and wherein each weighting factor associated with the weighted average is bounded between zero and one, inclusive (note paragraphs [0079]-[0082] of Takeuchi, asset value weighting for fluctuation rate and danger level is between 0 and 1).

	For claims 7 and 17, the combination of Kolishchak and Takeuchi teaches claims 1 and 11, wherein said probability weighting factor is defined automatically, defined via user input, or a combination thereof (note paragraphs [0049] and [0096] of Kolishchak, policy is administrator defined or automatically calculated).

	For claim 8, the combination of Kolishchak and Takeuchi teaches claim 1, wherein the given type of entity corresponds to a set of persons interacting with data to potentially be leaked (note paragraph [0066] of Kolishchak, behavior models determine whether a risk of data leakage exists; paragraphs [0082], [0131] and [0137] of Kolishchak, user trustworthiness are assigned integer values as parameters in the 

	For claim 9, the combination of Kolishchak and Takeuchi teaches claim 1, wherein determining at least one of the entity costs comprises:
	a) obtaining a set of entities of the given type of entity, each of said set of entities associated with the behavioral activity (note paragraphs [0105]-[0107] of Takeuchi, folder contains files);
	b) obtaining a set of sub-costs, each sub-cost associated with a member of the set of entities (note paragraphs [0083]-[0086] of Takeuchi, value of each file, i.e. sub-cost, is obtained); and
	c) determining a weighted sum of the set of sub-costs (note paragraphs [0105]-[0107] of Takeuchi, value of folder, i.e. entity cost, is averaged of values of files in folder). 





Conclusion
9.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
	Kauffman et al. (U.S. Patent 8,677,448) teaches risk score calculation for data objects (note Fig. 3).

10.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID J PEARSON whose telephone number is (571)272-0711.  The examiner can normally be reached on 6:00 - 5:30 pm; Monday through Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/David J Pearson/Primary Examiner, Art Unit 2438