DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The Applicant filed an Electronic Terminal Disclaimer; the Electronic Terminal Disclaimer was filed and approved on 2/7/2020.
The previous 101 rejection has been overcome by the Applicant, because the claim amendments have a practical application and significantly more.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative, Stephen A. Terrile (Reg. No.: 32,946), who has agreed and authorized the Examiner to amend claims 1, 7, and 13 and cancel claims 4, 10, and 16.
The application has been amended as follows:

Claims
1. (Currently Amended) A computer-implementable method for enforcing security policies, comprising:
monitoring electronically-observable user interactions of an entity, the electronically-

the monitoring being performed by a protected endpoint, the protected endpoint comprising an endpoint agent executing on an endpoint device, the endpoint agent comprising an entity-specific security policy feature pack;
converting the electronically-observable user interactions into electronic information representing the user behavior; and,
applying an organization specific security policy based upon the electronic information representing the user behavior, the organization specific security policy comprising an automatically generated organization specific rule, the organization specific security policy comprising an aggregation of a plurality of entity specific security policies, each of the plurality of entity specific security policies corresponding to a respective entity, each respective entity having a corresponding user profile, each corresponding user profile comprising a collection of information that uniquely describes an identify of the respective entity, the collection of information comprising a user profile attribute, a user behavior factor and a user mindset factor, the mindset factor comprising information used to determine a mental state of a user at a particular point in time, the organization specific security policy comprises a risk-adaptive security policy, the risk-adaptive security policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior, the user behavior being represented via a plurality of risk-adaptive behavior factors, the plurality of risk-adaptive behavior factors comprising at least one user behavior factor and a user mindset factor; and,
using the organization specific security policy to perform a security analytics operation,


4. (Canceled)

7. (Currently Amended) A system comprising:
a processor;
a data bus coupled to the processor; and
a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for:
monitoring electronically-observable user interactions of an entity, the electronically-observable user interactions comprising corresponding user behavior of the entity, the monitoring being performed by a protected endpoint, the protected endpoint comprising an endpoint agent executing on an endpoint device, the endpoint agent comprising an entity-specific security policy feature pack;
converting the electronically-observable user interactions into electronic information representing the user behavior; and,
applying an organization specific security policy based upon the electronic information representing the user behavior, the organization specific security policy comprising an automatically generated organization specific rule, the organization specific security policy 
information comprising a user profile attribute, a user behavior factor and a user mindset factor, the mindset factor comprising information used to determine a mental state of a user at a particular point in time, the organization specific security policy comprises a risk-adaptive security policy, the risk-adaptive security policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior, the user behavior being represented via a plurality of risk-adaptive behavior factors, the plurality of risk-adaptive behavior factors comprising at least one user behavior factor and a user mindset factor; and,
using the organization specific security policy to perform a security analytics operation, the security analytics operation identifying anomalous, abnormal, unexpected, or malicious user behavior, the security analytics operation being performed by a security analytics system, the security analytics system communicating with the protected endpoint via a network.

10. (Canceled)

13. (Currently Amended) A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for:
monitoring electronically-observable user interactions of an entity, the electronically-

the monitoring being performed by a protected endpoint, the protected endpoint comprising an endpoint agent executing on an endpoint device, the endpoint agent comprising an entity-specific security policy feature pack;
converting the electronically-observable user interactions into electronic information representing the user behavior; and,
applying an organization specific security policy based upon the electronic information representing the user behavior, the organization specific security policy comprising an automatically generated organization specific rule, the organization specific security policy comprising an aggregation of a plurality of entity specific security policies, each of the plurality of entity specific security policies corresponding to a respective entity, each respective entity having a corresponding user profile, each corresponding user profile comprising a collection of information that uniquely describes an identify of the respective entity, the collection of information comprising a user profile attribute, a user behavior factor and a user mindset factor, the mindset factor comprising information used to determine a mental state of a user at a particular point in time, the organization specific security policy comprises a risk-adaptive security policy, the risk-adaptive security policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior, the user behavior being represented via a plurality of risk-adaptive behavior factors, the plurality of risk-adaptive behavior factors comprising at least one user behavior factor and a user mindset factor; and,
using the organization specific security policy to perform a security analytics operation,

16. (Canceled)

Examiner’s Statement of Reasons for Allowance

Claims 1-3, 5-9, 11-15, and 17-20 are allowable.
The following is an Examiner’s statement of reasons for allowance:
The system and method are directed to users interacting with physical, system, data, and services resources of all kinds, as well as each other, on a daily basis. Each of these interactions, whether accidental or intended, poses some degree of security risk, depending on the behavior of the user. In particular, the actions of a formerly trusted user may become malicious as a result of being subverted, compromised or radicalized due to any number of internal or external factors or stressors. However, not all user behaviors pose the same risk. A user accessing an organization’s proprietary resources poses a higher risk than the same user perusing an online website during working hours. Consequently, indiscriminately applying the same policy to all user behavior instead of adjusting security oversight accordingly may result in inefficient utilization of security system resources. However, identifying what may be anomalous, abnormal, unexpected, or malicious user behavior can often prove challenging, as such behavior may not be readily apparent when employing typical security monitoring approaches. Thus, the system and method uses entity-specific security policies to adaptively respond to entity user behavior.
The closest prior art is Hutson (2008/0168453). Hutson discloses that security and/or monitoring software and devices may communicate with the system to indicate when a software or security policy is violated. More specifically, a software or security policy may be a keyword, format, sequence, and/or other search function that is actively or passively searched for by security and/or monitoring software and devices. In some circumstances, a software or security policy may represent a rule or communication standard observed by an organization. Consequently, a violation of a software or security policy may indicate that improper behavior has occurred within an organization and/or between the organization and others. An organization may have a rule that social security numbers are not communicated electronically. To enforce this rule, the organization may provide their security and/or monitoring software and devices with a software or security policy that looks for any condition where nine numbers are found within eleven contiguous spaces. This software or security policy may generate a large number of false positives by determining that phone numbers provided in electronic communications are work tasks that require further review and potentially investigation. As used herein, work tasks include incidents that may be reviewed and potentially investigated.
The prior art of Hutson (2008/0168453) does not disclose or suggest, “each of the plurality of entity specific security policies corresponding to a respective entity, each respective entity having a corresponding user profile, each corresponding user profile comprising a collection of information that uniquely describes an identify of the respective entity, the collection of information comprising a user profile attribute, a user behavior factor and a user mindset factor, the mindset factor comprising information used to determine a mental state of a user at a particular point in time; the organization specific security policy comprises a risk-adaptive security policy, the risk-adaptive security policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior, the user behavior being represented via a plurality of risk-adaptive behavior factors, the plurality of risk-adaptive behavior factors comprising at least one user behavior factor and a user mindset factor”.
The closest prior art, Kaufmann et al. (2009/0300712), discloses delegating the ability to check a policy, and more preferably also to enforce the policy, to the file itself. The file preferably automatically identifies its contents and context, and applies the appropriate policy, more preferably dynamically and flexibly enforcing the policy. The policy may optionally be applied and enforced to enforce access and usage rights of the information held by this file. Preferably, the file and policy are co-maintained independently, without reference to an external entity, such that the policy is maintained and more preferably enforced even if the file is lost, stolen or moved from its secure place. Such co-maintenance permits the organization to share data resources with other organizations while maintaining the same level and type of policy enforcement as if these data resources were located within the organization boundaries (whether physical or electronic) and/or control.
The closest prior art, Kaufmann et al. (2009/0300712), does not disclose or suggest, “each of the plurality of entity specific security policies corresponding to a respective entity, each respective entity having a corresponding user profile, each corresponding user profile comprising a collection of information that uniquely describes an identify of the respective entity, the collection of information comprising a user profile attribute, a user behavior factor and a user mindset factor, the mindset factor comprising information used to determine a mental state of a user at a particular point in time; the organization specific security policy comprises a risk-adaptive security policy, the risk-adaptive security policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior, the user behavior being represented via a plurality of risk-adaptive behavior factors, the plurality of risk-adaptive behavior factors comprising at least one user behavior factor and a user mindset factor”.
The Non-patent literature of Fathy (Title: Security Access Control Research Trends) teaches that, with respect to security risk, risk adaptable access control incorporates a real time, probabilistic determination of security risk into the access control decision rather than just using a hard comparison of the attributes of the subject and object as in traditional models. Situational factors, such as the conditions under which the access decision is being made, an indication of the threat level may dictate whether operational need can outweigh security risk, regardless of the severity of the security risk. Access control policy specifies the rules for access control for various classes of information objects under different conditions. It allows the enterprise to describe the degree of operational need required to "override" acceptable or normal security risk, and to set acceptable levels of risk. The policy might specify the relative weighting of personnel risk, IT component risk, and environmental risk in computing a composite risk. Knowledge of past access control decisions will be used in making each subsequent decision. Such knowledge can be used to develop better algorithms for determining risk and operational need, and with minimum interruption of the user’s session. Also, for Risk-Adaptive Access Control (RAdAC), more research is needed in real time calculation of security risk for each access decision, in addition to quantifying trust in people other than through a security clearance and accuracy in determining operational need.
each of the plurality of entity specific security policies corresponding to a respective entity, each respective entity having a corresponding user profile, each corresponding user profile comprising a collection of information that uniquely describes an identify of the respective entity, the collection of information comprising a user profile attribute, a user behavior factor and a user mindset factor, the mindset factor comprising information used to determine a mental state of a user at a particular point in time; the organization specific security policy comprises a risk-adaptive security policy, the risk-adaptive security policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior, the user behavior being represented via a plurality of risk-adaptive behavior factors, the plurality of risk-adaptive behavior factors comprising at least one user behavior factor and a user mindset factor”.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791. The examiner can normally be reached M-F 8:00am-4:30pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




AU 2439
3/17/2022
/JJ/



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439