DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Specification
The disclosure is objected to because of the following informalities:
In page 6, line 6, “by to” should read “to”
In page 6, line 20, “utilize” should read “utilized”
In page 13, line 20, “products” should read “produces”  
Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: (FP 7.20.aia)
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4 and 6-20 are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being unpatentable over Moyle et al. (US 20150334129 A1), hereinafter Moyle, in view of Nachenberg et al. (US 10581896 B2), hereinafter Nachenberg. (FP 7.21.aia)
Regarding claim 1, Moyle teaches a method comprising: monitoring user behavior in an enterprise system (Moyle: [0024] provides for the method to monitor user behavior in an enterprise system);

determining a predicted impact of compromise of the given user on the enterprise system (Moyle: [33] provides for the behavioral risk agents which can communicate with and function in connection with one or more tools or modules in a backend security system, such as assessment system, to perform security and risk assessment of user behavior representing the predicted impact of compromise at the devices used by the users);
	generating a risk score for the given user based on the given portion of the monitored user behavior (Moyle: [41] provides for the generation of risk score for the given user based on the risk assessment and the given portion of the monitored user behavior);
	identifying one or more remedial actions to reduce the risk score for the given user (Moyle: [0062] provides for countermeasures which represents for remedial actions for the given user. [0065] provides for the countermeasures (remedial actions) where the countermeasures were employed and counteracted the user’s risky behavior); and
	implementing, prior to detecting compromise of the given user, at least one of the remedial actions to modify a configuration of at least one asset in the enterprise system, the at least one asset comprising at least one of a physical computing resource and a virtual computing resource in the enterprise system (Moyle: [0063] provides for the remedial actions to modify configuration of at least one asset in the enterprise system, for example, disabling use of a CD drive, USB drive, etc. on the device); 

	Moyle does not teach about determining a predicted impact of compromise of the given user on the enterprise system. However, Nachenberg teaches this limitation (Nachenberg: Col. 17 Lines 17-22 provides for security monitoring platform which determines a predicted impact by learning about which users and/or behavior have the largest impact on overall security outcomes.)
	Moyle and Nachenberg are both considered to be analogous to the claimed invention because they are in the same field of assessing risk monitoring user behavior in an enterprise system. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Moyle to incorporate the teachings of Nachenberg and provide a method to predict the impact of compromise of a given user and generate a risk score based on the monitored user behavior and the predicted impact of compromise. Doing so would aid in performing the risk assessment of the given user to determine the criticality, vulnerability and associated overall risk by the user with respect to an enterprise system.
	Regarding claim 2, Moyle further teaches the method of claim 1 wherein monitoring user behavior utilizes one or more monitoring tools deployed on one or more assets in the enterprise system, the one or more monitoring tools comprising at least one of an endpoint monitoring tool, a network monitoring tool, a cloud services monitoring tool and an Internet of Things (IoT) gateway monitoring tool (Moyle [0026] provides for the monitoring tools deployed on one or more assets in the enterprise system, such as security tool deployment or assessment system).

	Regarding claim 4, Moyle teaches the method of claim 1 wherein monitoring user behavior comprises analyzing network traffic of assets in the enterprise system to determine at least one of: network traffic from a given asset to one or more designated entities; network traffic from the given asset to one or more entities external to the enterprise system; network traffic from the given asset while the given asset is located in one or more designated high risk geographic areas; and network traffic between the given asset and one or more entities located in the one or more designated high risk geographic areas (Moyle: [0057] provides for the behavioral profile which can describe the types or identities of websites (entities) typically accessed by a user, the average range of email attachment sizes sent (or downloaded) by the user, the system resources (shared drives, files, databases, etc.) typically accessed by the user or group of users, among potentially limitless additional examples).

	Regarding claim 7, Moyle teaches the method of claim 1 wherein identifying the given user of the enterprise system associated with the given portion of the monitored user behavior comprises associating transactional data to the given user utilizing one or more identifiers in the transactional data, the one or more identifiers comprising at least one of an Internet Protocol (IP) address, a Media Access Control (MAC) address, a user name, an email address, a machine name and a host name (Moyle: [0028] provides for user identifications associated with device identifiers, such as MAC or IP addresses used by the devices in the system).
	Regarding claim 8, Moyle teaches the method of claim 1, wherein identifying the given user of the enterprise system associated with the given portion of the monitored user behavior comprises associating transactional data for a given transaction obtained utilizing two or more different monitoring tools to the given user utilizing at least one of data normalization, document 
	Regarding claim 9, Nachenberg teaches the method of claim 1 wherein determining the impact of compromise of the given user on the enterprise system is based at least in part on at least one of: a placement of the given user on an organizational chart associated with the given enterprise system; and the given user's role within the given enterprise system, the given user's role being determined at least in part based on one or more functions of the given user within the given enterprise system (Nachenberg: Col. 2 Lines 36-50 provides for the impact of given user which is based on the group the user belongs to within an organization. In some implementations, the method further includes receiving, for each of a plurality of users, user responsibility data describing responsibilities of the user within the organization).
	Regarding claim 10, Nachenberg further teaches the method of claim 1, wherein determining the impact of compromise of the given user on the enterprise system is based at least in part on at least one of: association of the given user with one or more critical processes of the enterprise system; and association of the given user with one or more assets utilized by the one or more critical processes of the enterprise system (Nachenberg: Col. 9 Lines 32-35 provides for impact of compromise of the given user which is based at least in part on with one or more 
	Regarding claim 11, Nachenberg further teaches the method of claim 1 wherein determining the impact of compromise of the given user on the enterprise system is based at least in part on at least one of: entitlements of the given user to access assets of the enterprise system; and access privileges delegated to the given user to access assets of the enterprise system (Nachenberg: Col. 9 Lines 35-40 provides for impact of compromise of the given user which is based at least in part on whether the user can access information pertaining to other users within the organization or group, for example, whether the user has access to/has transmitted/has possession of user information associated with other users.).
	Regarding claim 12, Moyle teaches the method of claim 1 wherein generating the risk score for the given user utilizes at least one of a heuristic algorithm, a weighted average of two or more of a plurality of risk attributes of the given user, a decision tree based on two or more of the plurality of risk attributes of the given user, and a machine learning algorithm (Moyle: [0034] provides for a database of rule-based, heuristic, and/or behavioral security violations or risk events which can be maintained, for instance, using client-based user risk assessment backend and can be used to generate the score).
	Regarding claim 13, Moyle teaches the method of claim 1 wherein the risk score for the given user is a function of time (Moyle: [0060] provides for a user’s reputation or risk score which can be determined, at least in part, based on the frequency (function of time) of risk events or behavior rule violations by the user).
	Regarding claim 14, Moyle teaches the method of claim 1 wherein generating the risk score for the given user comprises generating a multi-level risk score, the multi-level risk score 
	Regarding claim 15, Moyle teaches the method of claim 14 wherein the two or more lower-level risk scores comprise: an impact risk score based at least in part on the predicted impact of compromise of the given user; and two or more risk attribute scores associated with different types of monitored behavior of the given user (Moyle:  [0051] teaches identifying abnormalities in user behavior which can serve as the basis for predicting that a security or risk event (an impact risk score) is taking place in connection with what appears to be abnormal behavior by the user or behavior of a user. [41] further provides a user's risk score or reputation which can be categorized, with distinct risk scores being generated in each of a variety of categories, from the events detected at the device using behavioral risk agents such as separate scores communicating the user's behavioral reputation in email use, internet use, policy compliance, authentication efforts (e.g., password strength), and so on).
	Regarding claim 16, Moyle teaches the method of claim 15 wherein the two or more risk attribute scores comprise two or more of: a first risk attribute score associated with user behavior monitored on endpoint assets of the enterprise system; a second risk attribute score associated with user behavior monitored via network traffic of the enterprise system; a third risk attribute score associated with user behavior monitored via cloud services; and a fourth risk attribute score associated with user behavior monitored via one or more Internet of Things (IoT) device 
	Regarding claim 17, the claim recites the same limitations as claim 1 for a computer program product comprising a non-transitory processor-readable storage medium, and therefore is rejected under the same rationale. 
	Regarding claim 18, the claim recites the same limitations as claim 14 for a computer program product comprising a non-transitory processor-readable storage medium, and therefore is rejected under the same rationale.
Regarding claim 19, the claim recites the same limitations as claim 1 for an apparatus, and therefore is rejected under the same rationale.
	Regarding claim 20, the claim recites the same limitations as claim 14 for an apparatus, and therefore is rejected under the same rationale.
Claim 5 is rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being unpatentable over Moyle (US 20150334129 A1) and Nachenberg (US 10581896 B2), in view of Chandana et al. (US 10291638 B1), hereinafter Chandana.
Regarding claim 5, Moyle and Nachenberg render obvious the method of claim 1.  However, they fail to, alone, render obvious claim 5.
Chandana teaches: wherein monitoring user behavior comprises analyzing cloud services utilized by assets in the enterprise system to determine at least one of: types of software-as-a-service applications accessed by one or more users of the given enterprise system; data accessed by the one or more users of the given 
Moyle, Guinta and Chandana are all considered to be analogous to the claimed invention because they are in the same field of assessing risk monitoring user behavior. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Moyle and Guinta to incorporate the teachings of Chandana and provide a method to predict the impact of compromise of a given user and generate a risk score based on the monitored user behavior and the predicted impact of compromise in cloud services. Doing so would aid in performing the risk assessment of the given user to determine the criticality, vulnerability and associated overall risk by the user with respect to an enterprise system using cloud-based services.

Citation of Pertinent Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Guinta et al. (US 20100153156 A1) teaches criticality/vulnerability/risk Logic Analysis Methodology for business enterprise and cyber security.  
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YASMIN JAHIR whose telephone number is (571)272-0346. The examiner can normally be reached Mon-Fri 9:00-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/ Supervisory Patent Examiner, Art Unit 2432

/Y.J./ Examiner, Art Unit 2432