DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the amendment filed on 7/27/2021.
Claims 1-20 have been amended.
Claims 1-20 are pending for consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
The objections of claims 1-20 have been withdrawn as the claims have been amended to correct the informalities.
The rejection under 35 U.S.C. 101 of claims 1-20 has been withdrawn as the claims have been amended and the claimed invention is not directed to abstract ideas.
The rejection under nonstatutory double patenting has been maintained in view of the amendment filed on 7/27/2021.  Examiner now uses the co-pending application No. 16/106,470 and Bennett (US 20100275263) to teach the map and blocking internet access of the endpoint via a router or a firewall recited in claim 1. 
Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1 and 8 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 12 of copending Application No. 16/106,470 in view of Bennett et al. (US 20100275263) (hereinafter Bennett). 

Instant Application 16/416,018
Copending Application 16/106,470
Claim 1:
A computer-implemented security analysis method, comprising: determining a data risk value for data of an endpoint based on a number of 

scanning software and firmware on the endpoint to determine a cyber security risk value based on a number of malware running on the endpoint and a number of security updates to be applied to the endpoint;
determining an endpoint risk value for the endpoint based on a user risk value and a cyber security risk value; 


determining a channel risk value for a set of channels through which the data is conveyable by the endpoint based on a number of channels within the set of channels and a type of channels within the set of channels; and 


rendering a map showing a security risk level of the endpoint, wherein the security risk level is based on the data risk value, the endpoint risk value, and the channel risk value of the endpoint; and determining, based on the map, actions to reduce risk if one or more of the data risk value, the endpoint risk value, and the channel risk value are greater than corresponding thresholds, 

wherein the actions comprise: in response to the channel risk value being greater than a corresponding threshold, blocking Internet access of the endpoint via a router or a firewall.

A method for evaluating data security risks, the method comprising: determining a data risk value for data of an endpoint; 




scanning the endpoint to determine a number of malwares running on the endpoint and a number of security updates to be applied to the endpoint;


determining an endpoint risk value for the endpoint based on the number of malwares running on the endpoint and the number of security updates to be applied to the endpoint; 
determining a channel risk value for a set of channels through which the data is conveyable by the endpoint based on a number of channels within the set of channels; and determining a data security risk value based on the data risk value, the endpoint risk value, and the channel risk value; 

detecting a data security threat in response to the data security risk value being the same as or greater than a threshold; and upon detecting the data security threat, determining one or more remedial measures based on the data risk value, the endpoint risk value, and the channel risk value to reduce corresponding risks, 



wherein the one or more remedial measures comprise: in response to the channel risk value being greater than a corresponding threshold, reducing a number of one or more of following channels: wired or wireless connections, peripheral connectors, email programs, texting programs, virtual chat programs, and video conferencing programs.


A security analysis system, comprising one or more processors and one or more non-transitory computer-readable memories coupled to the one or more processors and configured with instructions executable by the one or more processors to cause the system to perform operations comprising: 
determining a data risk value for data of an endpoint based on a number of classified files within the data and a type of classified files within the data; 



scanning software and firmware on the endpoint to determine a cyber security risk value based on a number of malware running on the endpoint and a number of security updates to be applied to the endpoint;
determining an endpoint risk value for the endpoint based on a user risk value and the cyber security risk value; 
determining a channel risk value for a set of channels through which the data is conveyable by the endpoint based on a number of channels within the set of channels and a type of channels within the set of channels; and 



displaying on a user interface a map showing a security risk level of the endpoint, wherein the security risk level is based on the data risk value, the endpoint risk value, and the channel risk value, of the endpoint; and 
determining, based on the map, actions to reduce risk if one or more of the data risk value, the endpoint risk value, and the channel risk value are greater blocking Internet access of the endpoint via a router or a firewall.

A system for detecting a data security threat, the system comprising: one or more processors; and a memory storing instructions that, when executed by the one or more processors, cause the system to perform: 


determining a data risk value for data of the endpoint based on a number of classified files within the data; determining a cyber security risk value based on a number of malwares running on the endpoint and a number of security updates to be applied to the endpoint; 
scanning the endpoint to determine a number of malwares running on the endpoint and a number of security updates to be applied to the endpoint;


determining an endpoint risk value for the endpoint based on the user risk value and the cyber security risk value; determining a channel risk value for a set of channels through which the data is conveyable by the endpoint based on a number of channels within the set of channels and a type of channels within the set of channels; determining a data security risk value based on the data risk value, the endpoint risk value, and the channel risk value; 
detecting a data security threat in response to the data security risk value being the same as or greater than a threshold; and upon detecting the data security threat, 


determining one or more remedial measures based on the data risk value, the endpoint risk value, and the channel risk value to reduce corresponding risks, wherein the one or more remedial measures comprise: in response to the channel risk value being greater than a corresponding threshold, reducing a number of one or more of following channels: wired or wireless connections, peripheral connectors, email programs, texting programs, virtual chat programs, and video conferencing programs.


The copending application (16/106,470) discloses detecting a data security threat by determining risk values, scanning software and firmware on the endpoint, detecting a data security threat and determining actions to reduce risks but fails to explicitly disclose displaying on a user interface a map showing a security risk level of the endpoint.  However, in an analogous art, Bennett discloses displaying on a user interface a map showing a security risk level of the endpoint (Bennett: see figures 6-8 and 12 
; and paragraphs 0074, 0076, 0091, 0153 and 0172, “Some examples of assets include servers, files servers, virtual file servers, Web servers, …desktop computers, laptop computers, routers, network devices, modems, personal digital assistants (PDA), tablet computers (e.g., iPad from Apple Inc.), smartphones”…“Assets are classified based on their value or importance to the company. There can be any number of classifications. These classifications can be defined or programmed by the user. In a specific implementation, an asset can be classified as high, medium, or low”… “Here are three levels of likelihood including high, medium, and low. As an example, the likelihood that server A will be infected with malware is medium. In this example, the asset is server A. The event is server A infected with malware”).  It would have been obvious to a person .
This is a provisional nonstatutory double patenting rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Lieblich et al. (US 20090178142) (hereinafter Lieblich) in view of Bennett et al. (US 20100275263) (hereinafter Bennett).
Regarding claim 1, Lieblich discloses a computer-implemented security analysis method, comprising: determining a data risk value for data of an endpoint based on a number of classified files within the data and a type of classified files within the data Lieblich: see table 1 below; and paragraphs 0093, 0101 and 0107-0108, “Data Risk reflects the value of sensitive information in a document or other data source and its risk of disclosure, corruption or deletion. In various embodiments, the data may be a 
; determining an endpoint risk value for the endpoint based on a user risk value and the cyber security risk value (Lieblich: see table 6 below; and paragraphs 0018 and 0114, “assessing asset values for each piece of electronically available information determining a channel risk value for a set of channels through which the data is conveyable by the endpoint based on a number of channels within the set of channels and a type of channels within the set of channels (Lieblich: paragraphs 0112- 0113, “An end user's E-mail Risk characterizes the possible disclosure of sensitive information or attacks upon a computer system through the use of e-mail. This risk level would preferably increase as the end user received increasing amounts of unsolicited e-mail, or spam. It would also increase for a variety of other factors, which, for one embodiment, are disclosed below in Table 5. As before, E-mail Risk may be used to determine the risk score for an end user or a group of end users”); and determining, based on the map, actions to reduce risk if one or more of the data risk value, the endpoint risk value, and the channel risk value are greater than corresponding thresholds, wherein the actions comprise: in response to the channel risk value being greater than a corresponding threshold, blocking Internet access of the endpoint via a router or a firewall (Lieblich: paragraphs 0128-0136 and 0150-0151, “determining whether a given action increases an end user's risk score above a predetermined threshold, the Security Agent may take one or more actions, including: [0129] Alerting the end user to the potential security risk created by his actions. [0130] Blocking the end 
Lieblich discloses wherein the security risk level is based on the data risk value, the endpoint risk value, and the channel risk value (Lieblich: paragraphs 0100 and 0109, “the transitory information will affect values different risk categories, which will be combined in order to form a total end user risk score. Preferably, the risk categories will include, without limitation: [0101] Data Risk; [0102] Application Risk; [0103] Password Risk; [0104] Concealment Risk; [0105] E-mail Risk; and [0106] Asset Risk”).  However, Lieblich does not explicitly disclose the following limitations which are disclosed by Bennett, scanning software and firmware on the endpoint to determine a cyber security risk value based on a number of malware running on the endpoint and a number of security updates to be applied to the endpoint (Bennett: paragraphs 0119 and 0166, “In a specific implementation, the likelihood is determined based on a vulnerability scan. The vulnerability scan is used to detect potential vulnerabilities of the server. For example, the vulnerability scan can check whether or not a specific software patch or update has been implemented or installed on the server, whether or not the server is password protected, the strength of the password protecting the server, and so forth. This information is used to assign a likelihood probability to the server. For example, if no software patches have been installed on server there is a high likelihood of the event occurring. If all the current software patches have been installed there is a low likelihood of the event occurring”); displaying on a user interface a map showing a security risk level of the endpoint (Bennett: see figures 6-8 and 12 
; and paragraphs 0074, 0076, 0091, 0153 and 0172, “Some examples of assets include servers, files servers, virtual file servers, Web servers, …desktop computers, laptop computers, routers, network devices, modems, personal digital assistants (PDA), tablet computers (e.g., iPad from Apple Inc.), smartphones”…“Assets are classified based on their value or importance to the company. There can be any number of classifications. These classifications can be defined or programmed by the user. In a specific implementation, an asset can be classified as high, medium, or low”… “Here are three levels of likelihood including high, medium, and low. As an example, the likelihood that server A will be infected with malware is medium. In this example, the asset is server A. The event is server A infected with malware”).  Lieblich and Bennett are analogous art 
Regarding claim 8, claim 8 discloses a system claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 8 and rejected for the same reasons.
Regarding claim 15, claim 15 discloses a medium claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 15 and rejected for the same reasons.
Regarding claims 2, 9 and 16, Lieblich as modified discloses wherein displaying on the user interface the map showing the security risk level of the endpoint comprises: determining a data security risk value based on the data risk value, the endpoint risk value, and the channel risk value (Lieblich: see figure 1; and paragraphs 0068-0069 and 0071, “adjustment of risk may be based on graph models of the files and their environment. Each file may be represented as a node in a graph, with nodes being interconnected when they exhibit a commonality, such as common data, common user, common location, or the like. Importance or risk may flow  and rendering the map based on the data security risk value (Bennett: see figures 6-8 and 12; and paragraphs 0074, 0076, 0091, 0153 and 0172, “Some examples of assets include servers, files servers, virtual file servers, Web servers, …desktop computers, laptop computers, routers, network devices, modems, personal digital assistants (PDA), tablet computers (e.g., iPad from Apple Inc.), smartphones”…“Assets are classified based on their value or importance to the company. There can be any number of classifications. These classifications can be defined or programmed by the user. In a specific implementation, an asset can be classified as high, medium, or low”… “Here are three levels of likelihood including high, medium, and low. As an example, the likelihood that server A will be infected with malware is medium. In this example, the asset is server A. 
Regarding claims 3 and 10, Lieblich as modified discloses wherein: the security risk level is based on the data risk value, the endpoint risk value, the channel risk value, and an amount of data accessible by the endpoint (Lieblich: paragraphs 0100 and 0109, “the transitory information will affect values different risk categories, which will be combined in order to form a total end user risk score. Preferably, the risk categories will include, without limitation: [0101] Data Risk; [0102] Application Risk; [0103] Password Risk; [0104] Concealment Risk; [0105] E-mail Risk; and [0106] Asset Risk”).
Regarding claims 4, 11 and 17, Lieblich as modified discloses wherein: the endpoint comprises a computing device (Bennett: paragraphs 0074, 0076, 0091, 0153 and 0172); and displaying the map showing the security risk level of the endpoint comprises: rendering the map showing the endpoint and its connection with one or more other endpoints in a network and showing one or more risk levels of the one or more other endpoints (Bennett: paragraphs 0074, 0076, 0091, 0153 and 0172, “Some examples of assets include servers, files servers, virtual file servers, Web servers, …desktop computers, laptop computers, routers, network devices, modems, personal digital assistants (PDA), tablet computers (e.g., iPad from Apple Inc.), smartphones”…“Assets are classified based on their value or importance to the company. There can be any number of classifications. These classifications can be defined or programmed by the user. In a specific implementation, an asset can be classified as high, medium, or low”… “Here are three levels of likelihood including high, 
Regarding claims 5, 12 and 18, Lieblich as modified discloses wherein: the security risk level is represented by an icon with at least one of an associated color, size, or shape (Bennett: paragraphs 0161 and 0163-0164, “The grid includes various colored regions. This grid includes three colored regions which are indicated by the different fill patterns in the figure. A grid can include any number of colored regions. In this specific implementation, the colored regions indicate areas of high, medium, or low likelihoods. For example, a first colored region colored a first color (e.g., red) indicates an area of high likelihood. A second colored region colored a second color (e.g., yellow) indicates an area of medium likelihood. A third colored region colored a third color (e.g., green) indicates an area of low likelihood. In another implementation, the colored regions indicate areas of high, medium, or low risk.”).  The same motivation to modify Lieblich in view of Bennett, as applied in claim 1 above, applies here.
Regarding claims 6, 13 and 19, Lieblich as modified discloses wherein: the user risk value is determined based on a user behavior associated with the data or the endpoint (Lieblich: paragraphs 0013, 0018 and 0114, “assessing asset values for each piece of electronically available information to which the end user has access; (b) monitoring the end user's interactions with a computer system through which the end user accesses the electronically available information; (c) determining a risk score in real time for the end user based upon the asset values and the end user's interactions, 
Regarding claims 7, 14 and 20, Lieblich as modified discloses wherein: the cyber security risk value is determined based on a number of vulnerabilities of the endpoint (Lieblich: see table 6
; and paragraphs 0115 and 0164, “an end user's overall Asset Risk will preferably include Peripheral Risk, Configuration Risk, Account Risk and Mobility Risk”).

Conclusion
The prior art made of record and not relied upon, considered pertinent to applicant's disclosure, is listed on the enclosed PTO-892 form, e.g., Qiu (US 20190205926) discloses identifying fraudulent content provider-user device pairs; and Zhang (US 20180144138) discloses a risk ranking tool that includes a retrieval engine, a data risk engine, an operational risk engine, and a data security engine.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/TRANG T DOAN/Primary Examiner, Art Unit 2431