DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the amendment filed on 3/11/2021.
Claims 8-9 and 17-18 have been canceled.
Claims 1-3, 6, 10, 13, 15 and 19 have been amended.
Claims 1-7, 10-16 and 19-20 are pending for consideration.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/26/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
The rejection under 35 U.S.C. § 101 has been maintained because the amended claims are still directed to an abstract idea.  
Applicant argues on pages 7-9 of the Remarks that the amended claims recite at least the following features that only arise in the realm of computer technologies, in particular, data securities, such as “the user’s visits to malicious websites, malwares allowed to be installed by the user,” “a number of malwares running on the endpoint and a number of security updates to be applied to the endpoint”, and “determining the event as a data security threat.” For example, “the user’s visits to malicious websites” and the “malwares allowed to be installed by the user” cannot be determined by human mind or by merely observing the user using the computers because some website visits or malware installations may not be explicit (e.g., even the user may not be aware of it).  Examiner respectfully disagrees.  Under broadest reasonable interpretation, the limitations of the claims do not require a machine to determine the number of classified files, data risk value for the data of the endpoint, user risk value for the user, cyber security risk value based on number of malwares, endpoint risk value for the endpoint, channel risk value for the set of channels and the security threat.  A human is able to determine and detect the security threat based on the risk values listed above.  The recitation of endpoint, processors and memory appears to merely be the tool which is being used to perform these determining steps.  MPEP 2106.05(b)(I) clearly states that the use of a general purpose computer that applies to a judicial exception, by use of conventional.  Therefore, the amended claims are directed to computer functions does not qualify as a particular machine. No evidence has been put forth that demonstrates that the claimed computer device is doing more than merely implementing the abstract idea within a computer environment.  Therefore, the 101 rejection has been maintained.
Applicant argues on page 10 of the Remarks that Lieblich fails to teach “determining a channel risk value for a set of channels through which the data is conveyable by the endpoint based on a number of channels within the set of channels and a type of channels within the set of channels”.  Examiner respectfully disagrees.  Lieblich does teach the disputed limitation (Lieblich: see Table 4; and paragraphs 0097, 0112 and 0113, “Concealment Risk reflects the likelihood that an end user will intentionally or maliciously transmit sensitive information to unauthorized parties using secure or encrypted communications channels. This risk level increases as the end user employs potentially covert or secret communications techniques from his computer system with increasing frequency”).  As can be seen in the referenced paragraphs, a risk is calculated based on the likelihood that an end user will intentionally or maliciously transmit sensitive information to unauthorized parties using secure or encrypted communications channels.  Therefore, Lieblich does teach the disputed limitation.  Lieblich further teaches detecting the event as a data security threat in response to the data security risk value being the same as or greater than a threshold (Lieblich: paragraphs 0084-0086 and 0128, “a Security Agent 404 detects an exceptional event (as defined previously), the Security Agent 404 may choose to notify a server 116 of the exceptional”… “After determining whether a given action increases an end user's risk score above a predetermined threshold, the Security Agent may take one or more actions”); and upon determining the event as the security threat, determining one or more remedial measures based on the data risk value, the endpoint risk value, and the channel risk value to reduce corresponding risks (Lieblich: paragraphs 0128-0135, “the Security Agent may take one or more actions, including: [0129] Alerting the end user to the potential security risk created by his actions. 
[0130] Blocking the end user's actions. [0131] Requesting confirmation that the end user wishes to proceed, despite the risk. [0132] Halting the system. [0133] Logging the end user out of the system. [0134] Disconnecting the computer system from the network. [0135] Warning a server or an administrator of the end user's actions. [0136] Displaying the risk score to the end user.”)
Applicant’s arguments with respect to claim(s) 1-7, 10-16 and 19-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-7, 10-16 and 19-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 

Step 1 Statutory Category:

Claims 1-7 and 10-11 are directed to a machine.


Step 2A Prong 1 Judicial exception:

The claims recite the following limitations which have been identified as reciting a Mental Process:
Claim 1: A system for evaluating data security risks, the system comprising: … determining a number of classified files within data of the endpoint; determining a data risk value for the data of the endpoint based on the number of classified files within the data; determining a user risk value for a user associated with the event based on one or more the following: the user's location, the user's visits to malicious websites, malwares allowed to be installed by the user, and the user's status in an organization; determining a cyber security risk value based on a number of malwares running on the endpoint and a number of security updates to be applied to the endpoint; determining an endpoint risk value for the endpoint based on the user risk value and the cyber security risk value; determining a channel risk value for a set of channels through which the data is conveyable by the endpoint based on a number of channels within the set of channels and a type of channels within the set of channels; determining a data security risk value based on the data risk value, the endpoint risk value, and the channel risk value detecting the event as a data security threat in response to the data security risk value being the same as or greater than a threshold; and upon determining the event as the security threat, determining one or more remedial measures based on the data risk value, the endpoint risk value, and the channel risk value to reduce corresponding risks.

Claim 2: The system of claim 1, wherein: the data security risk value is a product of the data risk value, the endpoint risk value, and the channel risk value.

Claim 3: A system for evaluating data security risks, the system comprising: … determining an endpoint risk value for the endpoint based on a number of malwares running on the endpoint and a number of security updates to be applied to the endpoint; determining a channel risk value for a set of channels through which the data is conveyable by the endpoint based on a number of channels within the set of channels; determining a data security risk value based on the data risk value, the endpoint risk value, and the channel risk value detecting the event as a data security threat in response to the data security risk value being the same as or greater than a threshold; and upon determining the event as the security threat, determining one or more remedial measures based on the data risk value, the endpoint risk value, and the channel risk value to reduce corresponding risks.

Claim 4: The system of claim 3, wherein the data risk value is determined based on a number of classified files within the data.

Claim 5: The system of claim 4, wherein the data risk value is determined further based on a type of classified files within the data.

Claim 6: The system of claim 3, wherein the endpoint risk value is further determined based on a user risk value.

Claim 7: The system of claim 6, wherein the user risk value is determined based on a user behavior associated with the data or the endpoint.

Claim 10: The system of claim 3, wherein the channel risk value is determined further based on a type of channels within the set of channels.

Claim 11: The system of claim 10, wherein the data security risk value is a product of the data risk value, the endpoint risk value, and the channel risk value.

Claim 12: A method for evaluating data security risks, the method comprising: determining a data risk value for data of an endpoint; determining an endpoint risk value for the endpoint based on a number of malwares running on the endpoint and a number of security updates to be applied to the endpoint; determining a channel risk value for a set of channels through which the data is conveyable by the endpoint based on a number of channels within the set of channels; and determining a data security risk value based on the data risk value, the endpoint risk value, and the channel risk value; detecting the event as a data security threat in response to the data security risk value being the same as or greater than a threshold; and upon determining the event as the security threat, determining one or more remedial measures based on the data risk value, the endpoint risk value, and the channel risk value to reduce corresponding risks.

Claim 13: The method of claim 12, wherein the data risk value is determined based on a number of classified files within the data.

Claim 14: The method of claim 13, wherein the data risk value is determined further based on a type of classified files within the data.

Claim 15: The method of claim 12, wherein the endpoint risk value is further determined based on a user risk value.

Claim 16: The method of claim 15, wherein the user risk value is determined based on a user behavior associated with the data or the endpoint.

Claim 19: The method of claim 12, wherein the channel risk value is determined further based on a type of channels within the set of channels.

Claim 20: The method of claim 19, wherein the data security risk value is a product of the data risk value, the endpoint risk value, and the channel risk value.



Step 2A Prong 2 Integration into a practical application:

The claims recite the following limitations which have been identified as additional elements:

Claim 1: A system for evaluating data security risks, the system comprising: 
one or more processors; and 
a memory storing instructions that, when executed by the one or more processors, cause the system to perform…the endpoint…classified files…risk value…number of malwares…set of channels…type of channels…remedial measures

Claim 3: A system for evaluating data security risks, the system comprising: 
one or more processors; and 
a memory storing instructions that, when executed by the one or more processors, cause the system to perform…the endpoint…classified files…risk value…number of malwares…set of channels…type of channels…remedial measures
Claim 12: …the endpoint…classified files…risk value…number of malwares…set of channels…type of channels…remedial measures

The above identified claim limitations have been identified as additional claim elements.  The additional claim element(s) merely add the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely use a computer as a tool to perform an abstract idea. For example, the elements of the endpoint…classified files…risk value…number of malwares…set of channels…type of channels…remedial measures. These elements are merely an example of data gathering, which has been found to be insignificant extra-solution activity by the courts. See MPEP 2106.05(g). See MPEP 2106.05(b)(I). When taken individually or viewed as an ordered combination the claims as a whole do not appear to be integrated into a practical application.
A similar analysis can be applied to dependent claims which include additional claim elements that generally link the use of the judicial exception to a particular technological environment or field of use of detecting an event as a data security threat.
Under Step 2A Prong Two, the additional claim element(s), considered in combination, do not apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception and in a manner that integrates the exception into a practical application of the exception. The combination of elements is no more than the sum of their parts. Unlike the eligible claims in Diehr and Bascom, in 

Step 2B Significantly more:

Under Step 2B, the additional claim element(s), considered individually and in combination, do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the claim(s) amounts to significantly more than the abstract idea itself for similar reasons outlined under Step 2A Prong Two.  Furthermore, the elements of the endpoint…classified files…risk value…number of malwares…set of channels…type of channels…remedial measures are well-understood, routine conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception.
Dependent claims when analyzed as a whole, are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitation(s) fail(s) to establish that the claim(s) is/are not directed to an abstract idea without significantly more for the reasoning given above.

Conclusion:

Based on the above rationale, claims 1-7, 10-16 and 19-20 have been deemed to be ineligible subject matter under 35 USC 101.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 10-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Lieblich et al. (US 20090178142) (hereinafter Lieblich) in view of Dobrila et al. (US 20180060591) (hereinafter Dobrila).
Regarding claim 1, Lieblich discloses a system for evaluating data security risks, the system comprising: one or more processors (Lieblich: see figure 2); and a memory storing instructions that, when executed by the one or more processors (Lieblich: see figure 2), cause the system to perform: 
determining a number of classified files within data of the endpoint (Lieblich: paragraphs 0100 and 0107, “Data Risk is assessed for each document or data source to which a given end user has access. A data source is preferably assigned a Data Risk score based upon its attributes”);
determining a data risk value for the data of the endpoint based on the number of classified files within the data (Lieblich: see table 1 below; and paragraphs 0093, 0101 and 0107-0108, “Data Risk reflects the value of sensitive information in a document or other data source and its risk of disclosure, corruption or deletion. In various embodiments, the data may be a word processing document, a spreadsheet, source code, or any other form of 
[Image: media_image1.png]

determining a user risk value for a user associated with the event based on one or more the following: the user's location, the user's visits to malicious websites, malwares allowed to be installed by the user, and the user's status in an organization (Lieblich: paragraphs 0041, 0064 and 0076, “the Security Agent monitors the interaction between the end user 302, the computer system 304, and the applications that run on the computer system 304 and preferably, generates a risk score for that end user 302.”); (Lieblich: see table 6 below; and paragraphs 0018 and 0114, “assessing asset values for each piece of electronically available information to which the end user has access; (b) monitoring the end user's interactions with a computer system through which the end user accesses the electronically available information; (c) determining a risk score in real time for the end user based upon the asset values and the end user's interactions, the risk score indicative of the risk that the end user poses to the electronically available information”); 

[Image: media_image2.png]

determining a channel risk value for a set of channels through which the data is conveyable by the endpoint based on a number of channels within the set of channels and a type of channels within the set of channels (Lieblich: see Table 4; and paragraphs 0097, 0112 and 0113, “Concealment Risk reflects the likelihood that an end user will intentionally or maliciously transmit sensitive information to unauthorized parties using secure or encrypted determining a data security risk value based on the data risk value, the endpoint risk value, and the channel risk value (Lieblich: paragraphs 0100 and 0109, “the transitory information will affect values different risk categories, which will be combined in order to form a total end user risk score. Preferably, the risk categories will include, without limitation: [0101] Data Risk; [0102] Application Risk; [0103] Password Risk; [0104] Concealment Risk; [0105] E-mail Risk; and [0106] Asset Risk”); detecting the event as a data security threat in response to the data security risk value being the same as or greater than a threshold (Lieblich: paragraphs 0084-0086 and 0128, “a Security Agent 404 detects an exceptional event (as defined previously), the Security Agent 404 may choose to notify a server 116 of the exceptional”… “After determining whether a given action increases an end user's risk score above a predetermined threshold, the Security Agent may take one or more actions”); and upon determining the event as the security threat, determining one or more remedial measures based on the data risk value, the endpoint risk value, and the channel risk value to reduce corresponding risks (Lieblich: paragraphs 0128-0135, “the Security Agent may take one or more actions, including: [0129] Alerting the end user to the potential security risk created by his actions. [0130] Blocking the end user's actions. [0131] Requesting confirmation that the end user wishes to proceed, despite the risk. [0132] Halting the system. 
[0133] Logging the end user out of the system. [0134] 
Lieblich does not explicitly disclose the following limitation which is disclosed by Dobrila, determining a cyber security risk value based on a number of malwares running on the endpoint and a number of security updates to be applied to the endpoint (Dobrila: paragraphs 0013 and 0048, “This risk factor is a rating or value indicating the probability or likelihood of the computing device”… “the malware determination module 208 can provide an instruction to an anti-malware program running on the computing device 102 to collect files or other content more aggressively for analysis by the risk determination system 104 (e.g., for computing device that are categorized as risky, such as having at least a threshold risk factor), an indication for an anti-malware program running on the computing device 102 to perform a quick and/or full system scan, an indication for the computing device 102 to enforce operating system and/or anti-malware program update settings, an indication for an anti-malware program running on the computing device 102”).  Lieblich and Dobrila are analogous art because they are from the same field of endeavor, risk assessment.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Lieblich and Dobrila before him or her, to modify the system of Lieblich 
Regarding claim 3, claim 3 discloses a system claim that is substantially equivalent to the system of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 3 and rejected for the same reasons.
Regarding claim 12, claim 12 discloses a method claim that is substantially equivalent to the system of claims 1 and 3. Therefore, the arguments set forth above with respect to claims 1 and 3 are equally applicable to claim 12 and rejected for the same reasons.
Regarding claim 2, Lieblich as modified further discloses wherein: the data security risk value is a product of the data risk value, the endpoint risk value, and the channel risk value (Lieblich: paragraphs 0100 and 0109, “the transitory information will affect values different risk categories, which will be combined in order to form a total end user risk score. Preferably, the risk categories will include, without limitation: [0101] Data Risk; [0102] Application Risk; [0103] Password Risk; [0104] Concealment Risk; [0105] E-mail Risk; and [0106] Asset Risk”).
Regarding claims 4 and 13, Lieblich as modified further discloses wherein the data risk value is determined based on a number of classified files within the data (Lieblich: see table 1 below; and paragraphs 0093, 0101 and 0107-0108, “Data Risk reflects the value of sensitive information in a document or other data source and its risk of disclosure, corruption or deletion. In various embodiments, the data may be a word processing document, a spreadsheet, source code, or any other form of computer-readable data such as may exist in a database or on an intranet website. Preferably, Data Risk is assessed for each document or data source to which a given end user has access. A data source is preferably assigned a Data Risk score based upon its 
Regarding claims 5 and 14, Lieblich as modified further discloses wherein the data risk value is determined further based on a type of classified files within the data (Lieblich: see table 1, “classified data source type”).

[Image: media_image1.png]

Regarding claims 6 and 15, Lieblich as modified further discloses wherein the endpoint risk value is further determined based on a user risk value (Lieblich: see table 6 below; and paragraphs 0018 and 0114, “assessing asset values for each piece of electronically available information to which the end user has access; (b) monitoring 
Regarding claims 7 and 16, Lieblich as modified further discloses wherein the user risk value is determined based on a user behavior associated with the data or the endpoint (Lieblich: paragraph 0107, “Data Risk is assessed for each document or data source to which a given end user has access. A data source is preferably assigned a Data Risk score based upon its attributes. The Data Risk score may then be used to determine an end user's risk score, or even the total risk score for a group of end users or documents.”).
Regarding claims 10 and 19, Lieblich as modified further discloses wherein the channel risk value is determined further based on a type of channels within the set of channels (Lieblich: paragraphs 0112- 0113, “An end user's E-mail Risk characterizes the possible disclosure of sensitive information or attacks upon a computer system through the use of e-mail. This risk level would preferably increase as the end user received increasing amounts of unsolicited e-mail, or spam. It would also increase for a variety of other factors, which, for one embodiment, are disclosed below in Table 5. As before, E-mail Risk may be used to determine the risk score for an end user or a group of end users”).
Regarding claims 11 and 20, Lieblich as modified further discloses wherein the data security risk value is a product of the data risk value, the endpoint risk value, and the channel risk value (Lieblich: paragraphs 0100 and 0109, “the transitory information will affect values different risk categories, which will be combined in order to form a total end user risk score. Preferably, the risk categories will include, without limitation: [0101] Data Risk; [0102] Application Risk; [0103] Password Risk; [0104] Concealment Risk; [0105] E-mail Risk; and [0106] Asset Risk”).

Conclusion
The prior art made of record and not relied upon, which is considered pertinent to applicant's disclosure, is listed on the enclosed PTO-892 form, e.g., Lotem (US 20160156655) discloses log based analysis systems and methods for protecting computers and networks from malicious communications and malware attacks by analyzing log data obtained from client networks having network entities representing business units or customers; and Jou (US 20150205954) discloses a method, system and computer program product for analyzing risks, for example associated with potential data leakage. Risk for activities may be measured as a function of risk components related to: persons involved in the activity; sensitivity of data at risk; endpoint receiving data at risk; and type the activity.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.