Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Status of the Application
The following is a Final Office Action. 

In response to the Examiner's communication of 2/19/2021, Claims 11, 18, and 21 were amended by Applicant on 5/12/2021.

Claims 1-23 are now pending in this application; claims 1-10 are withdrawn from consideration and claims 11-23 are rejected below.

Response to Amendment
Applicant's amendments to claims 11, 18, 21 are not sufficient to overcome the 35 USC 101 rejections set forth in the previous action.

Applicant's amendments to claims 11, 18, 21 are not sufficient to overcome the prior art rejections set forth in the previous action.

Response to Arguments - 35 USC § 101
Applicant’s arguments with respect to the rejections have been fully considered, but they are not persuasive. Therefore, the rejections are maintained. 

Applicant submits, “… Claims are directed to electronic simulated phishing communications that have links which users can click. Such technology cannot be practiced in the mind or with pen and paper as one needs a technical implementation in order to click on a link. Therefore, the Claims do not recite a mental process and thus are not directed to a judicial exception ....The practical application is to integrate into an electronic calendar one or more graphical representations that identify a status of execution of a campaign that sends electronic simulated phishing communications to get users to click on links and the one or more graphical representations are selectable to identify the percentage of users that are phish-prone (e.g., click on links)....” The Examiner respectfully disagrees.

While Applicant's amendments further prosecution, they are not sufficient to overcome the previous rejection. The recitation of "click on a link" recites an "additional element" beyond the abstract ideas identified under Step 2A Prong 1; however, generically reciting an additional element at a high level, implementing the abstract idea with a generic computer component, does not integrate the identified abstract idea into a practical application under Step 2A Prong 2. Furthermore, "...click on a link..." is extra-solution data gathering activity implemented with generic computing components.

Response to Arguments – Prior Art
Applicant's arguments with respect to the rejections have been fully considered, but they are not persuasive. In any event, Applicant's arguments are moot in light of the new grounds of rejection necessitated by Applicant's amendments.

Claim Objections
The Claims recite "...users of the entity that are phish-prone..."; the Examiner objects to this informality.

The Examiner recommends reciting "...users of the entity who are phish-prone...".

Claim Rejections - 35 USC § 112(b)

The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 11-23 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as failing to set forth the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant(s), regard as their invention.

Claim 11 recites "...the percentage of users that are phish-prone of the corresponding campaign..." and "...the link of the electronic phishing communications...". These elements lack antecedent basis, and therefore it is unclear to what they refer. For examination purposes, the limitations will be interpreted under the broadest reasonable interpretation. Appropriate correction is required.

Claims 12-23 depend on claim 11 and do not cure the aforementioned deficiencies of claim 11; thus, claims 12-23 are rejected for the reasons set forth above regarding claim 11.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 11-23 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 

Claim 11 recites:
"A ... for configuring and executing simulated phishing campaigns, the ... and comprising 
a query module configured to receive attributes of an implementation of a security awareness program for an entity via a questionnaire presented via ...; 
a tool executable ... configured to compare the attributes for the entity to attributes of other entities, responsive to receiving the attributes, and 
determine, based at least on the comparison, a configuration for each of a baseline simulated phishing campaign to be executed to communicate ... simulated phishing communications to users of the entity to get users to ... simulated phishing communications, ... based training for users of the entity for security awareness and one or more simulated phishing campaigns to be executed to communicate ... simulated phishing communications to the users of the entity subsequent to the baseline simulated phishing campaign; and 
a ... configured to: 
execute the baseline simulated phishing campaign to identify a percentage of users of the entity that are phish-prone, wherein the percentage of users of the entity that are phish-prone comprises a number of users of the entity that ... simulated phishing communications;
execute the ... based training to those users identified as phish-prone from the baseline simulated phishing campaign; and
execute the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign and based at least on results of the baseline simulated phishing campaign and the ... based training, and 
wherein the ... is configured to automatically determine a schedule of each of the baseline simulated phishing campaigns, the ... based training and the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign, and 
automatically generate in an ... calendar according to the schedule, one or more graphical representations of each of the baseline simulated phishing campaigns, the ... based training and the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign, wherein the ... is further configured to identify a status of execution of a corresponding campaign in the one or more graphical representations in the ... calendar that are selectable to identify the percentage of users that are phish-prone of the corresponding campaign.“ 

Analyzing under Step 2A, Prong 1:
The limitations regarding, …a query module configured to receive attributes of an implementation of a security awareness program for an entity via a questionnaire presented via ...; a tool executable ... configured to compare the attributes for the entity to attributes of other entities, responsive to receiving the attributes, and determine, based at least on the comparison, a configuration for each of a baseline simulated phishing campaign to be executed to communicate ... simulated phishing communications to users of the entity to get users to ... simulated phishing communications, ... based training for users of the entity for security awareness and one or more simulated phishing campaigns to be executed to communicate ... simulated phishing communications to the users of the entity subsequent to the baseline simulated phishing campaign;  ... execute the baseline simulated phishing campaign to identify a percentage of users of the entity that are phish-prone, wherein the percentage of users of the entity that are phish-prone comprises a number of users of the entity that ... simulated phishing communications; execute the ... based training to those users identified as phish-prone from the baseline simulated phishing campaign; and execute the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign and based at least on results of the baseline simulated phishing campaign and the ... based training, and  wherein the ... is configured to automatically determine a schedule of each of the baseline simulated phishing campaigns, the ... based training and the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign, and automatically generate in an ... calendar according to the schedule, one or more graphical representations of each of the baseline simulated phishing campaigns, the ... 
based training and the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign, wherein the ... is further configured to identify a status of execution of a corresponding campaign in the one or more graphical representations in the ... calendar that are selectable to identify the percentage of users that are phish-prone of the corresponding campaign..., under the broadest reasonable interpretation, may be interpreted to include a human using a pen and paper with the human mind to, …a query module configured to receive attributes of an implementation of a security awareness program for an entity via a questionnaire presented via ...; a tool executable ... configured to compare the attributes for the entity to attributes of other entities, responsive to receiving the attributes, and determine, based at least on the comparison, a configuration for each of a baseline simulated phishing campaign to be executed to communicate ... simulated phishing communications to users of the entity to get users to ... simulated phishing communications, ... based training for users of the entity for security awareness and one or more simulated phishing campaigns to be executed to communicate ... simulated phishing communications to the users of the entity subsequent to the baseline simulated phishing campaign;  ... execute the baseline simulated phishing campaign to identify a percentage of users of the entity that are phish-prone, wherein the percentage of users of the entity that are phish-prone comprises a number of users of the entity that ... simulated phishing communications; execute the ... based training to those users identified as phish-prone from the baseline simulated phishing campaign; and execute the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign and based at least on results of the baseline simulated phishing campaign and the ... based training, and  wherein the ... 
is configured to automatically determine a schedule of each of the baseline simulated phishing campaigns, the ... based training and the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign, and automatically generate in an ... calendar according to the schedule, one or more graphical representations of each of the baseline simulated phishing campaigns, the ... based training and the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign, wherein the ... is further configured to identify a status of execution of a corresponding campaign in the one or more graphical representations in the ... calendar that are selectable to identify the percentage of users that are phish-prone of the corresponding campaign.....; therefore, the claims are directed to a mental process. 


Further, because,  a security awareness program for an entity via a questionnaire presented via ... to compare the attributes for the entity to attributes of other entities, responsive to receiving the attributes, and determine, based at least on the comparison, a configuration for each of a baseline simulated phishing campaign to be executed to communicate ... simulated phishing communications to users of the entity to get users to ... simulated phishing communications, ... based training for users of the entity for security awareness and one or more simulated phishing campaigns to be executed to communicate ... simulated phishing communications to the users of the entity subsequent to the baseline simulated phishing campaign;  ... execute the baseline simulated phishing campaign to identify a percentage of users of the entity that are phish-prone, wherein the percentage of users of the entity that are phish-prone comprises a number of users of the entity that ... simulated phishing communications; execute the ... based training to those users identified as phish-prone from the baseline simulated phishing campaign; and execute the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign and based at least on results of the baseline simulated phishing campaign and the ... based training, and  wherein the ... is configured to automatically determine a schedule of each of the baseline simulated phishing campaigns, the ... based training and the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign, and automatically generate in an ... calendar according to the schedule, one or more graphical representations of each of the baseline simulated phishing campaigns, the ... based training and the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign, wherein the ... 
is further configured to identify a status of execution of a corresponding campaign in the one or more graphical representations in the ... calendar that are selectable to identify the percentage of users that are phish-prone of the corresponding campaign..., under the broadest reasonable interpretation, may be scheduling and managing relationship and behavior of human users in an entity organization in a simulated phishing campaign to raise security awareness, i.e. managing personal behavior or relationships or interactions between people (social activities, teaching, and following rules or instructions). And security awareness, under the broadest reasonable interpretation, is fundamental economic principles or practices (mitigating risk) and commercial or legal interactions (advertising, marketing or sales activities or behaviors). Thus, the claims are directed to certain methods of organizing human activity. 

Accordingly, the claims are directed to a mental process and certain methods of organizing human activities, and thus, the claims are directed to an abstract idea under the first prong of Step 2A.

Analyzing under Step 2A, Prong 2:
This judicial exception is not integrated into a practical application under the second prong of Step 2A. 
In particular, the claims recite the additional elements beyond the recited abstract idea identified under Step 2A, Prong 1, such as:

Claim 11: system, system comprising a device comprising one or more processors, coupled to memory, a display, on the one or more processors and, electronic, server, click on links in the electronic, clicked on the link of the electronic
Claim 12: user interface

and pursuant to the broadest reasonable interpretation, as an ordered combination, each of the additional elements is a computing element recited at a high level of generality implementing the abstract idea, and thus amounts to no more than applying the abstract idea with generic computer components. Further, these additional elements generally link the abstract idea to a technical environment, namely the environment of a computer.

Additionally, with respect to the elements "...to receive attributes…configured to compare the attributes ...to be executed to communicate...automatically generate..., click on links in the electronic, clicked on the link of the electronic...", these elements do not add meaningful limitations that integrate the abstract idea into a practical application because they are insignificant extra-solution activity, i.e. pre- and post-solution activity: data gathering ("to receive attributes…configured to compare the attributes…, click on links in the electronic, clicked on the link of the electronic...") and data output ("to be executed to communicate...automatically generate...").

Analyzing under Step 2B:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under Step 2B. 
As noted above, the aforementioned additional elements beyond the recited abstract idea are not sufficient to amount to significantly more than the recited abstract idea because, as an ordered combination, the additional elements are no more than mere instructions to implement the idea using generic computer components (i.e. "apply it").
Additionally, as an ordered combination, the additional elements append the recited abstract idea to well-understood, routine, and conventional activities in the field, as individually evinced by the Applicant's own disclosure in at least [0083] computing device 100 may include or connect to multiple display devices 124a-124n, which each may be of the same or different type and/or form. As such, any of the I/O devices 130a-130n and/or the I/O controller 123 may include any type and/or form of suitable hardware, software, or combination of hardware and software to support, enable or provide for the connection and use of multiple display devices 124a-124n by the computing device 100 [0092] the communications device 102 (i.e., client device) includes a combination of devices, e.g. a smartphone combined with a digital audio player or portable media player… a smartphone, e.g. the IPHONE family of smartphones manufactured by Apple, Inc.; a Samsung GALAXY family of smartphones manufactured by Samsung, Inc; or a Motorola DROID family of smartphones. In yet another embodiment, the communications device 102 is a laptop or desktop computer equipped with a web browser and a microphone and speaker system, e.g. a telephony headset [0153]-[0158] The client need not own the device for it to be considered a client device 102. The client 102 may be any computing device, such as a desktop computer, a laptop, a mobile device, or any other computing device. In some embodiments, the client 102 may be a server or set of servers accessed by the client…any other code that may facilitate communications between the client 102 and any of the server 106, a third-party server, or any other server…a memory such as any embodiments of main memory 122 described herein or any type and form of storage, such as a database or file system. 
[0144] may be combined into one or more modules, applications, programs, services, tasks, scripts, libraries, applications, or executable code [0199] Those having skill in the relevant art can effect changes to form and details of the described methods and systems without departing from the broadest scope of the described methods and systems. Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). 
 
Furthermore, as an ordered combination, these elements amount to generic computer components receiving or transmitting data over a network, performing repetitive calculations, electronic record keeping, and storing and retrieving information in memory, which, as held by the courts, are well-understood, routine, and conventional. See MPEP 2106.05(d).

Moreover, the remaining elements of Dependent Claims do not transform the recited abstract idea into a patent eligible invention because these remaining elements merely recite further abstract limitations that provide nothing more than simply a narrowing of the abstract idea recited in the independent claims. 


Claim Rejections – 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
Determining the scope and contents of the prior art.
Ascertaining the differences between the prior art and the claims at issue.
Resolving the level of ordinary skill in the pertinent art.
Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 11-23 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Publication US20140199663A1 to Sadeh-Koniecpol et al. (hereinafter referred to as "Sadeh-Koniecpol") in view of US Patent Publication US20170244746A1 to Hawthorn et al. (hereinafter referred to as "Hawthorn"), further in view of US Patent Publication US20080318197A1 to Dion (hereinafter referred to as "Dion").

As per Claim 11, Sadeh-Koniecpol teaches: (Currently Amended) A system for configuring and executing simulated phishing campaigns, the system comprising a device comprising one or more processors, coupled to memory and comprising ([0067]) 
a query module configured to receive attributes of an implementation of a security awareness program for an entity via a ... presented via a display; (in at least [0008][0033] discloses sense user behavior and activity, such as a user response to mock attacks, to determine user susceptibility to different types of cybersecurity threats and selectively identify training interventions that will be presented to individual users. [0076] discloses The user action process includes detecting an interaction event at 110. When detecting an interaction event at 110 in this embodiment, a sensor detects the interaction event or the system may receive data that is collected by a sensor. The data may correspond to user activities or behaviors or, more generally, other contextual attributes relevant to the training available. Such contextual attributes may include any relevant sensory data as well as information obtained from other relevant sources of information, such as browser history, credit card records, surveillance cameras, electronic doors, employment records, information collected about a person with which the user has interacted, and social networking information. [0117] four training modules (safe social networks, email security, anti-phishing, and passwords) 3007 and has provided responses to the questions or other prompts included in the assigned training modules...the measurement is a percentage of correct answers provided by the user while taking the training provided by a collection of the interactive training modules. [0121] FIG. 13 illustrates an example of a portion of an interface 3403 via which an administrator can enter, upload, or otherwise provide custom content such as the message to be used in a mock SMS attack, involving multiple users…The custom content may include variables that are instantiated by querying relevant sources of information (e.g. first names of targeted users). 
For example, through this interface the administrator may enter, select, modify and/or verify the user's name, a link (such as a link to a URL or click-to-call functionality), or message text. This interface also may be used to allow the administrator to preview or modify the mock attack or customize mock attack templates.  )
a tool executable on the one or more processors and configured to compare the attributes for the entity to attributes of other entities, responsive to receiving the attributes, and (in at least [0063] User behavior data 15 can be captured and recorded in one or more locations and may include relevant statistics, such as frequency associated with different types of events or situations, trends, and comparisons against relevant baselines. Such user behavior data 15 may help create a unique profile for each individual user that captures this user's activities and behaviors at a particular point in time or over different periods of time. [0118] The system or administrator may also use this information to identify patterns such as correlations in the vulnerability of users to different types of threat scenarios. By comparing these statistics with baseline populations (e.g., employees at other companies, employees in other departments, same group of employees but at other times), the system can calibrate the need to train individual users or groups of users.)
determine, based at least on the comparison, a configuration for each of a baseline simulated phishing campaign to be executed to communicate electronic simulated phishing communications to users of the entity to get users to click on links in the electronic simulated phishing communications, electronic based training for users of the entity for security awareness and one or more simulated phishing campaigns to be executed to communicate electronic simulated phishing communications to the users of the entity subsequent to the baseline simulated phishing campaign; and (in at least [0118] By comparing these statistics with baseline populations (e.g., employees at other companies, employees in other departments, same group of employees but at other times), the system can calibrate the need to train individual users or groups of users. This information may be incorporated in the system's training needs logic, where it can be used to support both automated and semi-automated processes. Statistics can be organized and presented according to taxonomies of training needs and training interventions (e.g. “mock phishing emails with fraudulent phone numbers”, “mock phishing emails with prize offers”, etc.). [0119] FIG. 11 illustrates a screen 3201 of a possible embodiment of an administrator interface in which the system may assign training modules to a user or group of users. For example, for the “new hire assignment” discussed above, the administrator may use the interface to select or review various training interventions 3203 to assign to the user as part of that assignment. Some training interventions may be assigned automatically by the systems policy manager module, others may be selected by a human system administrator via the user interface, or the training interventions may be selected by a combination of the two (such as by displaying the system-selected interventions and giving the administrator the opportunity to modify or accept them). 
Selection and customization of training intervention may be based on any suitable rules or criteria, including rules or criteria that rely on data obtained from user profiles or other data available such as training history or behavior data (including information about the very mock attack the user just fell for). [0120] templates can be automatically customized by the policy manager or manually configured by a system administrator, where customization may include accessing user profile data to automatically insert the user's first name (possibly using variables that refer to entries in user profiles) and also adding a fake malicious link that points to a webpage responsible for sensing the user's response to the mock attack and for optionally also delivering an appropriately customized training intervention. [0122]  the system may assess user vulnerability to different threat scenarios using sensed user response actions to mock attacks, such as users connecting (or not connecting) to mock rogue Wi-Fi access points, users clicking (or not clicking) on links in mock malicious SMS messages)
a server configured to: ([0078])
execute the baseline simulated phishing campaign to identify a percentage of users of the entity that are phish-prone, wherein the percentage of users of the entity that are phish-prone comprises ... (in at least [0117] FIG. 9 depicts an embodiment of a screen of a system administrator user interface 3001 that displays examples of sensed historical training data collected about a user 3003 (identified as “George Smith”). In this example, user Smith was recently assigned a collection of training modules referred to as the “New Hire Assignment” 3005...The example screen shown in FIG. 10 allows an administrator user to select, view and filter statistics of user activity data according to different criteria. These criteria can include filtering by individual users or groups of users, by training assignment (such as the “new hire assignment” shown in FIG. 9), which can include a collection of training interventions, by specific training intervention, by training campaign, namely a collection of one or more training interventions assigned to a selected group of users. The system or the administrator may use this information 3009 to identify users at risk for different threat scenarios.)
execute the electronic based training to those users identified as phish-prone from the baseline simulated phishing campaign; and (in at least [0117] identifying users with scores below a given threshold for a given threat scenario below. The administrator may then select (or the system may recommend to the administrator to select) training interventions )
execute the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign and based at least on results of the baseline simulated phishing campaign and the electronic based training, and (in at least [0040] The data may further be used in combination with historical user training data 16 which may be stored in one or more data storage devices and may include data related to the training one or more users have taken in the past. Historical user training data 16 may include information including when and how well one or more users performed in prior training or assessments. [0064] Historical user training data 16 may inform the selection of relevant training for a user by capturing the training history of that user. Historical user training data 16 may include information such as: the training modules to which that user has already been exposed, how often and when that user was exposed to training modules, how well the user responded when taking the training modules [0117] FIG. 9 depicts an embodiment of a screen of a system administrator user interface 3001 that displays examples of sensed historical training data collected about a user 3003 (identified as “George Smith”). In this example, user Smith was recently assigned a collection of training modules referred to as the “New Hire Assignment” 3005. The historical training data in this particular case shows that the user was assigned four training modules (safe social networks, email security, anti-phishing, and passwords) 3007 and has provided responses to the questions or other prompts included in the assigned training modules. The interface displays a summary of the type of historical training data collected by the platform, including in this case training relating to the threat scenarios of social network usage, email security, anti-phishing and password security 3009. 
This sensed data can in turn be used in combination with training needs models that rely on a user's likelihood of being at risk for a threat scenario.  )
wherein the server is configured to automatically determine a schedule of each of the baseline simulated phishing campaigns, the electronic based training and the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign, and (in at least [0080] Those policy manager modes include scheduled modes, routine modes, real-time modes, mixed-initiative modes and combinations thereof. In an embodiment of context aware training in which a scheduled mode is utilized, the policy manager 19 regularly assesses the overall training needs of a plurality of individual users and reprioritizes training content to be pushed or delivered to each individual user. [0082] Regular assessment of user training needs may involve running in batch mode, where all users are being reviewed in one batch or where different groups of users are processed in different batches, possibly according to different schedules. Regular assessment of user training needs may also include pushing short security quizzes and creating mock situations aimed at better evaluating the needs of an individual user or a group of users. In a real-time mode, the policy manager 19 may operate in an event-driven manner enabling it to more rapidly detect changes in user behavior or activities and other relevant contextual attributes, and to more quickly push training interventions that reflect the risks to which the user is exposed at a desired time)
automatically generate in ... according to the schedule, one or more graphical representations of each of the baseline simulated phishing campaigns, the electronic based training and the one or more simulated phishing campaigns subsequent to the baseline simulated phishing campaign, wherein the server is further configured to identify a status of execution of a corresponding campaign in the one or more graphical representations in the .... (in at least [0084]  Delivering training interventions may also be performed by updating a schedule indicating when training interventions should be delivered or otherwise exposed to the user, or updating a schedule that will be exposed to the user, possibly with a combination of required and recommended training content for engagement by the user...system may generate a command to send an SMS phishing message to a user at a specific time, and the system may then cause an automated SMS message to be transmitted to the user's mobile device at a determined time. [0117] FIG. 9 depicts an embodiment of a screen of a system administrator user interface 3001 that displays examples of sensed historical training data collected about a user 3003 (identified as “George Smith”). In this example, user Smith was recently assigned a collection of training modules referred to as the “New Hire Assignment” 3005. The historical training data in this particular case shows that the user was assigned four training modules (safe social networks, email security, anti-phishing, and passwords) 3007 and has provided responses to the questions or other prompts included in the assigned training modules. The interface displays a summary of the type of historical training data collected by the platform, including in this case training relating to the threat scenarios of social network usage, email security, anti-phishing and password security 3009...The example screen shown in FIG. 
10 allows an administrator user to select, view and filter statistics of user activity data according to different criteria. These criteria can include filtering by individual users or groups of users, by training assignment (such as the “new hire assignment” shown in FIG. 9), which can include a collection of training interventions, by specific training intervention, by training campaign, namely a collection of one or more training interventions assigned to a selected group of users. The system or the administrator may use this information 3009 to identify users at risk for different threat scenarios...The administrator may then select (or the system may recommend to the administrator to select) training interventions using additional administrator features such as those described below. Under some conditions, the console and the policy manager can also be configured to automatically trigger such selection and some conditions may simply have embedded training rules in them. This can be used to provide just-in-time training when a particular situation is detected (e.g. a user falling for a fake malicious SMS attack (FIG. 14), a user connecting to a fake rogue Wi-Fi access point being warned on the spot to not connect to, and to verify the identity of, public Wi-Fi access points), yet allow the administrator and the policy manager to further review the sensed information and assign additional training interventions to further consolidate training (e.g. later assigning that same employee a more in-depth training module covering the risks associated with laptop use outside the office). [0119] FIG. 15 illustrates an embodiment of a scheduling screen 3601 of a user interface that may enable such selection. [0125] Screen 3601 also illustrates how scheduling constraints can also be suggested to the administrator, with the administrator having the option to modify them. This can include scheduling parameters such as start times and end times of a mock attack campaign. 
The system may then launch a process that leads to the customization and deployment of the mock malicious USB devices according to those scheduling constraints. )

While implied, Sadeh-Koniecpol does not expressly disclose the following features, which however, are taught by Hawthorn:
a query module configured to receive attributes of an implementation of a security awareness program for an entity via a questionnaire presented via a display; (in at least [0051] The security system 102 may include hardware and/or software components to build a campaign, transmit campaign data to a user system 104, 106, receive behavioral and/or technical data associated with a campaign from a user system 104, and/or calculate a risk score for each end user, group of end users, and/or organization associated with an end user (e.g., company). Security system 102 may include a risk assessment manager 110 that transmits computing network-based security items and/or training items to end users at user systems 104, 106 to assess security risks posed by the end users to a computing network.[0052] Examples of security items 112 and/or training items 124 may include messages comprising security threats such as phishing messages (e.g., phishing emails, text/SMS/MMS messages, voice messages, instant messages, social network messages, and/or the like), password generation and/or update requests, questionnaires comprising different security-related scenarios such as handling computing devices outside of a work environment, social media interaction, mobile security interaction, social engineering topics, web safety, data protection, email security, computer security, and/or physical security, password generation [0064] Characteristics of training item 124 may be configured to require a user of user device 104, 106 to determine answers and/or responses to a training item 124. 
[0114] a number of employees that interacted with a security item 112 and/or training item 124 in a way indicative of no or little security risk (e.g., generated a password with a given degree of security, answered a given number of questions in a questionnaire correctly, etc.), a number of employees that interacted with a security item 112 and/or training item 124 in a way indicative of a security risk (e.g., activating malware, spyware, a virus, downloading a file, answering questions incorrectly, etc.), a number of employees that reported a security item 112 and/or training item 124 to an administrator [0184] the agent 142 may collect technical information 138 associated with the user's system and/or user properties 136 (e.g., existing usernames, passwords, security questions, answers, and/or the like) and transmit this information to the risk assessment manager 110.)
..., wherein the percentage of users of the entity that are phish-prone comprises a number of users of the entity that clicked on the link of the electronic simulated phishing communications (in at least [0143] FIG. 11 illustrates an example security item 112 generated to simulate a phishing message. Although not illustrated, other security items 112 and/or training items 124 may be generated and/or transmitted to target users. These additional security items 112 and/or training items 124 may include, for example, data associated with introductory security information, phishing information, social media information, remote and/or travel-related information, password information, social engineering information, web safety information, data protection information, email security information, computer security information, physical security information, simulation data associated with any of the preceding information, and/or any combination of the above.  [0208]  if a user risk calculator 212 determines that the user opened a security-threat-based message in the campaign; clicked on a security-based threat in the campaign; and entered personal and/or confidential information into a simulated security-based threat, the risk score of the recipient user may be altered by seventeen (17) according to the metrics in FIG. 14. If the user risk calculator 212 determines that the user completed three (3) training sessions during a campaign based on the user training item data 134, a risk score of the user is altered by 5%. [0222] a table 1512 with the campaigns associated with a client or that match any of the search/filtering criteria entered by a user. 
Table 1512 may display the title 1514 of the campaign, the number of times 1516 each security item 112 and/or training item 124 in the campaign was sent; the number of times 1518 each security item 112 and/or training item 124 included a predefined action (e.g., open a message, click on a link, watch a video, attempt a password generation, and/or the like), a number of detected vulnerabilities 1520 (incorrect answers, incorrect interactions, and/or the like); the number of times 1522 each message resulted in a security compromise (e.g., recipient entered personal and/or confidential information, downloaded an insecure item, clicked on an insecure link, etc.); the number of multiple security compromises 1524 in each security item 112 and/or training item 124 for the same user (e.g., a user clicks on multiple insecure links, a user downloads multiple insecure items, a user answers multiple questions incorrectly, a combination of different security compromising actions, and/or the like); the number of users 1526 considered to have been “trained” during the campaign; the number of times 1528 users reported an applicable security item 112 and/or training item 124 to an administrator, manager, etc.; the starting date 1530 of the campaign; the stopping date of the campaign; the status 1532 of the campaign (e.g., pending, running, completed, etc.); the user 1534 who created the campaign; and/or the like. Each campaign may have different reporting items than the reporting items listed above. For example, a campaign may include additional items and/or may not include all of the reporting items described above. [0225] The campaign summary 1602 may also provide campaign statistics to the user in one or more different formats. For example, a campaign summary 1602 may include a graph 1618 displaying the statistics displayed in the table 1514 discussed above with respect to FIG. 15. It should be noted that the campaign statistics are not limited to those shown in FIG. 16. 
[0226] FIG. 17 shows another example of information that may be displayed to the user of security system 102 as part of the campaign summary and/or report. For example, FIG. 17 illustrates that an overall risk score 1702 has been calculated for the client when compared to other clients subscribing to the risk assessment manager 110. A client's overall risk score may be based on the risk score associated with its employees. A client's overall risk score may be calculated based on the metrics discussed above with respect to FIG. 15 (e.g., open/interactions/vulnerable/trained/reported/compromised). [0229] FIG. 17 illustrates a graph 1706 that may be displayed to show a client's risk score over time. In this example, the user may be able to select a temporal-based filter 1708 to see how a client's risk score changed on a minute, hourly, daily, weekly basis, and/or monthly basis. FIG. 17 also illustrates a time distribution 1710 of user interactions with security items 112 and/or training items 124 during the selected campaign. In this example, a time distribution 1710 may display a year's worth of data, each discrete division representing days and further months. As an example, various graphical features may be used to illustrate campaign reporting. For example, darker shading may indicate more interactions with security items 112 and/or training items 124 on a particular day. This may be expanded to view a Month/Week/Day view and allow a viewer to identify when users are more likely to interact with a security item 112 and/or training item 124 such as early morning, late at night, at home vs. at office, etc.  [0230] FIG. 18 illustrates a list/graph 1802 of risk scores for each employee, which may identify a company's riskiest and least risky employees. 
For example, a user may be able to select one or more employees to see employee performance, property, and/or technical data with respect to a given campaign, multiple campaigns, and/or all campaigns participated in by the employee. FIG. 18 illustrates a graph 1804 that may be displayed to a user of security system 102 showing the client's risk score compared to other clients within a specific industry selected by the user. Graph 1804 may present the statistics displayed in the table 1514 discussed above for the client and for other clients in the selected industry. A user of security system 102 may be able to select the industry via one or more displayed options 1806 for which these metrics are displayed.)
... that are selectable to identify the percentage of users that are phish-prone of the corresponding campaign  (in at least [0208]  if a user risk calculator 212 determines that the user opened a security-threat-based message in the campaign; clicked on a security-based threat in the campaign; and entered personal and/or confidential information into a simulated security-based threat, the risk score of the recipient user may be altered by seventeen (17) according to the metrics in FIG. 14. If the user risk calculator 212 determines that the user completed three (3) training sessions during a campaign based on the user training item data 134, a risk score of the user is altered by 5%. [0222] a table 1512 with the campaigns associated with a client or that match any of the search/filtering criteria entered by a user. Table 1512 may display the title 1514 of the campaign, the number of times 1516 each security item 112 and/or training item 124 in the campaign was sent; the number of times 1518 each security item 112 and/or training item 124 included a predefined action (e.g., open a message, click on a link, watch a video, attempt a password generation, and/or the like), a number of detected vulnerabilities 1520 (incorrect answers, incorrect interactions, and/or the like); the number of times 1522 each message resulted in a security compromise (e.g., recipient entered personal and/or confidential information, downloaded an insecure item, clicked on an insecure link, etc.); the number of multiple security compromises 1524 in each security item 112 and/or training item 124 for the same user (e.g., a user clicks on multiple insecure links, a user downloads multiple insecure items, a user answers multiple questions incorrectly, a combination of different security compromising actions, and/or the like); the number of users 1526 considered to have been “trained” during the campaign; the number of times 1528 users reported an applicable security item 112 and/or training 
item 124 to an administrator, manager, etc.; the starting date 1530 of the campaign; the stopping date of the campaign; the status 1532 of the campaign (e.g., pending, running, completed, etc.); the user 1534 who created the campaign; and/or the like. Each campaign may have different reporting items than the reporting items listed above. For example, a campaign may include additional items and/or may not include all of the reporting items described above. [0225] The campaign summary 1602 may also provide campaign statistics to the user in one or more different formats. For example, a campaign summary 1602 may include a graph 1618 displaying the statistics displayed in the table 1514 discussed above with respect to FIG. 15. It should be noted that the campaign statistics are not limited to those shown in FIG. 16 [0226] FIG. 17 shows another example of information that may be displayed to the user of security system 102 as part of the campaign summary and/or report. For example, FIG. 17 illustrates that an overall risk score 1702 has been calculated for the client when compared to other clients subscribing to the risk assessment manager 110. A client's overall risk score may be based on the risk score associated with its employees. A client's overall risk score may be calculated based on the metrics discussed above with respect to FIG. 15 (e.g., open/interactions/vulnerable/trained/reported/compromised). [0229] FIG. 17 illustrates a graph 1706 that may be displayed to show a client's risk score over time. In this example, the user may be able to select a temporal-based filter 1708 to see how a client's risk score changed on a minute, hourly, daily, weekly basis, and/or monthly basis. FIG. 17 also illustrates a time distribution 1710 of user interactions with security items 112 and/or training items 124 during the selected campaign. In this example, a time distribution 1710 may display a year's worth of data, each discrete division representing days and further months. 
As an example, various graphical features may be used to illustrate campaign reporting. For example, darker shading may indicate more interactions with security items 112 and/or training items 124 on a particular day. This may be expanded to view a Month/Week/Day view and allow a viewer to identify when users are more likely to interact with a security item 112 and/or training item 124 such as early morning, late at night, at home vs. at office, etc. [0230] FIG. 18 illustrates a list/graph 1802 of risk scores for each employee, which may identify a company's riskiest and least risky employees. For example, a user may be able to select one or more employees to see employee performance, property, and/or technical data with respect to a given campaign, multiple campaigns, and/or all campaigns participated in by the employee. FIG. 18 illustrates a graph 1804 that may be displayed to a user of security system 102 showing the client's risk score compared to other clients within a specific industry selected by the user. Graph 1804 may present the statistics displayed in the table 1514 discussed above for the client and for other clients in the selected industry. A user of security system 102 may be able to select the industry via one or more displayed options 1806 for which these metrics are displayed)

At the time the invention was filed, it would have been obvious for one of ordinary skill in the art to have modified the teachings of Sadeh-Koniecpol by, …assess security risks of users in computing networks…an interaction item is sent to an end user electronic device. When the end user interacts with the interaction item, the system collects feedback data that includes information about the user's interaction with the interaction item, as well as technical information about the electronic device. The feedback is compared to a plurality of security risk scoring metrics. Based on this comparison, a security risk score for the user with respect to a computing network... the risk scoring metrics may include a set of metrics each assigning a weight to a user action defined for a computing network-based security item, a set of metrics each assigning a weight to a different user action defined for a training item, and/or a third set of metrics each assigning weight to a different technical attribute of the technical data. An example system and method may include hardware and/or software components to calculate a security risk score for a user based on a comparison of input data to security risk scoring metrics. 
An example system and method may include hardware and/or software components to transmit and/or display a calculated security risk score… recipient at user system 104, 106 performs in a previous campaign such that the user is proficient/trained in a particular security item 112 and/or training item 124, security items 112 and/or training items 124 for a subsequent campaign may be selected based on the sophistication level of the previous campaign and/or a current risk score of a user of user system 104, 106 …a delivery rule may include a rule that identifies an initial set of security items 112 and/or training items 124 to be sent to recipients at user systems 104, 106 and a subsequent set of security items 112 and/or training items 124 that are to be sent to the recipients at user systems 104, 106 based on the recipients' performance with respect to the initial set of security items 112 and/or training items 124 and/or a risk score…all of the risk scores of the individuals within a group may be added and/or averaged to obtain the group's overall risk score 1702. A user of security system 102 may be able to select one or more of these groups to see a performance and/or technical information with respect to a given campaign, multiple campaigns, and/or all campaigns based on the group's employees.…use multiple dimensions to assess and/or quantify the security risk of an entity (e.g., employees, departments, and a company as a whole)…, as taught by Hawthorn, with a reasonable expectation of success in arriving at the claimed invention. One of ordinary skill in the art would have been motivated to make this modification to the teachings of Sadeh-Koniecpol with the motivation of, … Security risks such as these may pose a significant risk to an employer, especially when an end user employee fails to recognize a security risk…Current security risk assessment systems and methods are not preventative and forward-thinking…. 
This multi-dimensional risk assessment system may allow an organization to better detect and understand the security risks presented by its employees and/or various groups within the organization…make better risk management decisions based on a level of risk each user exposes the organization to… a combination of one or more training interventions that will best mitigate the various risks to which a given user is susceptible at a particular point in time…guides the user of user system 104, 106 in reducing computing network-based security risks…guidance provided within the security item 112 and/or training item 124 on how to reduce computing network-based security risks…A trust indicator may increase the sophistication level of a security item 112 and/or training item 124… increases the likelihood (probability) that the user will perceive the message as being legitimate and/or trustworthy…increases the likelihood that the recipient will interact with the security item 112 and/or training item 124…provide a proper interaction, response, and/or description to the user. Providing proper interactions, responses, and/or descriptions, which may include an audio/video file, may teach a user how to engage in secure behavior.…presentation of the training item 124 to a user to educate the user on proper interactions…., as recited in Hawthorn. 


automatically generate in an electronic calendar according to the schedule, ... in the electronic calendar that are selectable ....  (in at least [0054] FIG. 3 b shows an interface screen for a user specific personal training plan utilizing an education competency and compliance management system. A computer program product delivered to users is represented by a user specific personal training plan screen 149. The feature descriptions that follow illustrate the comprehensive approach to improve the user experience and simplify education compliance tasks. The screen 149 has a navigation option collection on the left of the screen in an area 151. The options in the area 151 are navigation hot spots; a user can just select or click over an options to navigate to the respective screen for the specific option. A brief description of the options available follows; My Dashboard—This is the home page for viewing a snapshot of a user's personal training plan and schedule. My Training Plan—This is the current training plan to maintain up-to-date with a compliance profile with selected on-line and off-line education requirements. My Events—These are the events for which the user is currently registered. My Credentials—This is the users list of certifications and licenses. My Courses in Progress—This is a list of courses (both on-line and off-line education) the user has started but has not completed and passed. Once completed and passed, they will appear in the My Transcript section. My Transcript—This is a list of the courses and tests the user has completed. Event Calendar—These are the events currently planned for the organization. This is where users register for events. 
My Personal Settings—This is where the user can view their demographic information, personal settings, and manage their “Forgotten Password Question and Answer.” Change Password—Self explanatory.Courses, Tests, and Surveys—Provides a complete list of all courses, tests, and surveys available to the user (additional to the organization training plan). [0061] FIG. 6 shows an event calendar interface screen for scheduling and reviewing events. A computer program product delivered to users and administrators is represented by a calendar/my events interface screen 199. The robustness of the education competency and compliance management method, system, and computer product is exhibited by the user choices for scheduling and tracking calendar events on a my events interface screen 199. The displayed required events are generated from the administrator grouping of an individual, individual specific items by administration, and items desired by the individual for advancement and enrichment. The navigation bar 153 shows the most recent navigation selection to be My Events. Though not shown in this figure the navigation area 151 is included with screen 199. Immediately below bar 153 is a screen title area 201 displaying “Registered Events for: user name here”. The user name has been omitted for discussion purposes. The system will display the events selected for the user name that has logged into the system. Below area 201 is an area 203 with instructions “These are the events for which you are currently registered. To view or register for additional events, go to the Event Calendar”. Further down screen 199 is an area 205 with the instructions “See the note below for information on adding an event to your desktop calendar”. Below area 205 is a collection of option buttons following the instruction “Event types to show”. There are a total of 4 option buttons titled Class, Meeting, Audio Conference, and Webinar. 
When a user desires to see any or all of these options the user selects the desired options with a mouse click over the option button and the respective Class, Meeting, Audio conference, or Webinar for the period will be displayed. The user selectable display ability to summarize with everything or focus through the clutter with less display further exhibits the comprehensiveness of the education competency and compliance management method, system, and computer product. To the right of area 207 is an update button 209 that allows a user to update the current calendar. Just above button 209 is the spot 157 that allows administrators to make changes to the present page instructions. The display metaphor of my events is a calendar 217; the currently selected month is displayed in an area 213, the current example displays “May 2007”. The user has a simple task to review past events by selecting a button 211 titled “<<Prior”. If the user wishes to view future commitments a button 215 titled “Next >>”)

At the time the invention was filed, it would have been obvious for one of ordinary skill in the art to have modified the teachings of Sadeh-Koniecpol in view of Hawthorn by, …FIG. 3 b shows an interface screen for a user specific personal training plan utilizing an education competency and compliance management system. A computer program product delivered to users is represented by a user specific personal training plan screen 149. The feature descriptions that follow illustrate the comprehensive approach to improve the user experience and simplify education compliance tasks. ... My Training Plan—This is the current training plan to maintain up-to-date with a compliance profile with selected on-line and off-line education requirements. My Events—These are the events for which the user is currently registered.... Event Calendar—These are the events currently planned for the organization. ... Courses, Tests, and Surveys—Provides a complete list of all courses, tests, and surveys available to the user (additional to the organization training plan). FIG. 6 shows an event calendar interface screen for scheduling and reviewing events. A computer program product delivered to users and administrators is represented by a calendar/my events interface screen 199. The robustness of the education competency and compliance management method, system, and computer product is exhibited by the user choices for scheduling and tracking calendar events on a my events interface screen 199. The displayed required events are generated from the administrator grouping of an individual, individual specific items by administration, and items desired by the individual for advancement and enrichment. The navigation bar 153 shows the most recent navigation selection to be My Events. Though not shown in this figure the navigation area 151 is included with screen 199. Immediately below bar 153 is a screen title area 201 displaying “Registered Events for: user name here”. 
The user name has been omitted for discussion purposes. The system will display the events selected for the user name that has logged into the system. Below area 201 is an area 203 with instructions “These are the events for which you are currently registered. To view or register for additional events, go to the Event Calendar”...., as taught by Dion, with a reasonable expectation of success if arriving at the claimed invention. One of ordinary skill in the art would have been motivated to make this modification to the teachings of Sadeh-Koniecpol in view of Hawthorn with the motivation of, …provide secure access to the hosting organizations content delivery for ease of capture, organization of and reporting on the entire educational program ...to direct employees to educational activities required to be completed based on the compliance requirements for their role in the organization...provide the “best value” content for sponsoring organizations. Sponsoring organizations can purchase content from content partners or other third parties for loading the on-line and off-line education competency and compliance management servers, generate reports for internal use and accrediting bodies updates...the need of knowing how well informed employees of institutions and organizations are, if and how current employees are in their techniques accreditation agencies have been established to promulgate requirements that will measure, qualify, and provide a basis for recognition of organizations and institutions for meeting industry standards....employees must be kept current in skills to assure optimal performance at an affordable price...to assure safe and consistent performance... 
a seamless comprehensive implementation of an educational compliance management system requires additional breadth (local content, surveys, and reporting) additionally, adaptation by sponsoring institutions or organizations with comprehensive-role based summary reporting, update alerts, and dynamic assessment adaptability...a need for a complete and comprehensive continuing education competency and compliance management system. Such a system would provide ease of use to an institution or organization in content delivery, source flexibility, testing, tracking, and reporting that is compliant to the appropriate accreditation agencies and remain content independent to assure the institution or organization the best value...., as recited in Dion.


As per Claim 12, Sadeh-Koniecpol teaches: The system of claim 11,
wherein the device comprises a user interface configured to receive the attributes responsive to the …, provided by the user interface, regarding implementation by the entity of the security awareness program (in at least [0117][Fig. 9] discloses a screen of a system administrator user interface 3001 that displays examples of sensed historical training data collected about a user…historical training data in this particular case shows that the user was assigned four training modules (safe social networks, email security, anti-phishing, and passwords) 3007 and has provided responses to the questions or other prompts included in the assigned training modules.)


While implied, Sadeh-Koniecpol does not expressly disclose the following features, which, however, are taught by Hawthorn:
wherein the device comprises a user interface configured to receive the attributes responsive to the questionnaire, provided by the user interface, regarding implementation by the entity of the security awareness program (in at least [0051] The security system 102 may include hardware and/or software components to build a campaign, transmit campaign data to a user system 104, 106, receive behavioral and/or technical data associated with a campaign from a user system 104, and/or calculate a risk score for each end user, group of end users, and/or organization associated with an end user (e.g., company). Security system 102 may include a risk assessment manager 110 that transmits computing network-based security items and/or training items to end users at user systems 104, 106 to assess security risks posed by the end users to a computing network.[0052] Examples of security items 112 and/or training items 124 may include messages comprising security threats such as phishing messages (e.g., phishing emails, text/SMS/MMS messages, voice messages, instant messages, social network messages, and/or the like), password generation and/or update requests, questionnaires comprising different security-related scenarios such as handling computing devices outside of a work environment, social media interaction, mobile security interaction, social engineering topics, web safety, data protection, email security, computer security, and/or physical security, password generation)

The reason and rationale to combine Sadeh-Koniecpol and Hawthorn is the same as recited above. 


As per Claim 13, Sadeh-Koniecpol teaches: (Previously Presented) The system of claim 11,
wherein the tool is further configured to compare the attributes for the entity to attributes of other entities that share at least one of the attributes. (in at least [0118] discloses comparing these statistics with baseline populations (e.g., employees at other companies, employees in other departments, same group of employees but at other times) [0122] the system may assess user vulnerability to different threat scenarios using sensed user response actions to mock attacks, such as users connecting (or not connecting) to mock rogue Wi-Fi access points, users clicking (or not clicking) on links in mock malicious SMS messages, or users connecting (or not connecting) mock malicious USB devices to their computers and/or opening (or not opening) mock malware stored on the mock malicious USB devices. The resulting data may be collected through these mock attacks to estimate the vulnerability of individual users, groups of users with similar characteristics (e.g. users reading their email from smartphones, users who use Wi-Fi outside the corporate network), or an entire population of users.)


As per Claim 14, Sadeh-Koniecpol teaches: (Previously Presented) The system of claim 13,
wherein the tool is further configured to determine, based on at least the comparison of the percentage of users of the entity that are phish-prone to one or more other entities that share at least one of the attributes, the configuration of at least one of the baseline simulated phishing campaign, the electronic based training of users of the entity for security awareness or the one or more subsequent simulated phishing campaigns. (in at least [0043] estimated effectiveness of the training intervention (possibly across all users or possibly for a subset of users based on considerations such as level of education, age, gender, prior training to which the users have been exposed) and other relevant considerations [0118][Fig. 10] discloses an administrator interface that may display statistics for a population of users, such as those users who have taken a particular interactive training module or collection of modules, or users who have been subject to particular mock attacks… vulnerability data 3103 that shows a measurement of how many users fell for various types of mock attacks. It may also illustrate statistics 3005 representing user responses to various training modules or interventions…By comparing these statistics with baseline populations (e.g., employees at other companies, employees in other departments, same group of employees but at other times), the system can calibrate the need to train individual users or groups of users… Statistics can be organized and presented according to taxonomies of training needs and training interventions (e.g. “mock phishing emails with fraudulent phone numbers”, “mock phishing emails with prize offers”, etc.). The interface may include user-selectable options that allow the administrator to have the statistics presented, sorted and/or compiled according to administrator-selected criteria such as particular training interventions, training modules or time windows.
[0122] system may assess user vulnerability to different threat scenarios using sensed user response actions to mock attacks, such as users connecting (or not connecting) to mock rogue Wi-Fi access points, users clicking (or not clicking) on links in mock malicious SMS messages, or users connecting (or not connecting) mock malicious USB devices to their computers and/or opening (or not opening) mock malware stored on the mock malicious USB devices. The resulting data may be collected through these mock attacks to estimate the vulnerability of individual users, groups of users with similar characteristics (e.g. users reading their email from smartphones, users who use Wi-Fi outside the corporate network), or an entire population of users.)


As per Claim 15, Sadeh-Koniecpol teaches: (Previously Presented) The system of claim 11,
wherein the tool is further configured to determine the configuration of one of the baseline phishing simulation campaign or the one or more simulated phishing campaigns to include one or more of the following: a schedule, a type of simulated phishing attack, a type of exploit, and type of data to collect. (in at least [0103] FIG. 5 illustrates an embodiment of a partial list of possible threat scenarios 2020 for which a context-aware cybersecurity training system may determine that a user is at risk…sensed data relating to the user actions 2030 and apply rules to determine whether the user is at risk for the associated threat scenario [0119][Fig. 15][Fig. 16] discloses a scheduling screen 3601 of a user interface that may enable such selection…can be variably assigned to individual users or entire groups of users as shown in FIG. 16, also further discloses SMS attack and USB phishing attack [0121] discloses selecting the training interventions associated with the mock attack campaign, scheduling the campaign, and confirming all parameters.)


As per Claim 16, Sadeh-Koniecpol teaches: (Previously Presented) The system of claim 11,
wherein the tool is further configured to identify, based on at least the attributes, one or more training modules for the electronic based training of users of the entity for security awareness. (in at least [0032] discloses Sensing activities, behaviors, or other contextual attributes can help enrich the data available to identify and select training needs, resulting in more targeted training, better training outcomes and more effective mitigation of consequences associated with undesirable user behaviors. [0119][Fig. 11] discloses various types of electronic training modules, Selection and customization of training intervention may be based on any suitable rules or criteria, including rules or criteria that rely on data obtained from user profiles or other data available such as training history or behavior data (including information about the very mock attack the user just fell for).)


As per Claim 17, Sadeh-Koniecpol teaches: (Previously Presented) The system of claim 11,
wherein the tool is further configured to identify, responsive to execution of the baseline simulated phishing campaign, the percentage of users of the entity that are phish-prone. (in at least [0118] discloses FIG. 10 illustrates a screen 3101 of an embodiment of an administrator interface that may display statistics for a population of users, such as those users who have taken a particular interactive training module or collection of modules, or users who have been subject to particular mock attacks. The statistics may include, for example, vulnerability data 3103 that shows a measurement of how many users fell for various types of mock attacks; Examiner notes that the measurement displayed in 3103 of FIG. 10 is expressed as a percentage, [0041][Fig. 8] discloses The system may include various training needs models that are customized or unique to a user or group of users, or the system may include standard training needs models that it may apply to any user [0108]-[0110][Fig. 7][Fig. 8] discloses untrained risk percentage, thereby phish-prone, and risk reduction, thereby responsive to execution of baseline [0117][Fig. 9] discloses This sensed data can in turn be used in combination with training needs models that rely on a user's likelihood of being at risk for a threat scenario…training campaign, namely a collection of one or more training interventions assigned to a selected group of users. The system or the administrator may use this information 3009 to identify users at risk for different threat scenarios).


As per Claim 18, Sadeh-Koniecpol teaches: (Currently Amended) The system of claim 17,
wherein the percentage of users of the entity that are phish-prone comprise ... clicked on the link of the electronic simulated phishing communications comprising a simulated phishing email. (in at least [0122] As described above, the system may assess user vulnerability to different threat scenarios using sensed user response actions to mock attacks, such as users clicking (or not clicking) on links in mock malicious SMS messages, [0039] discloses data may include relevant statistics relating to the user's activity over a period of time as received from the sensors. Those relevant statistics may include, for example, frequency of certain activities, frequency of certain behaviors, deviations from relevant baselines, and relevant trends. [0063] discloses User behavior data 15 can be captured and recorded in one or more locations and may include relevant statistics, such as frequency associated with different types of events or situations [0086] discloses delivery of SMS phishing messages to a number of users [0092] discloses The user may attempt to access such a program, such as by trying to click a link in an email…or SMS message [0093] discloses a phishing sensor, such as a monitor that receives data indicating whether (and optionally how frequently) a user visits or attempts to visit one or more blacklisted web sites [0103][Fig. 5] discloses policy manager may require that a threshold plurality of indicative user actions 2030 be sensed, or that a particular user action 2030 be repeated a threshold number of times or achieve a certain frequency…user falling for an SMS phishing threat scenario can benefit from monitoring activities that include how often a user replies to SMS phishing messages [0108]-[0110][Fig. 7][Fig. 8] discloses “Request Blacklisted Website” and Frequency [0115] discloses The user in embodiments of context-aware training could be a human user or, for example, a robot, a cyber entity, an organism, an organization, a trainable entity, or a group or subset of those users. [0118][Fig. 10] discloses Statistics can be organized and presented according to taxonomies of training needs and training interventions (e.g. “mock phishing emails with fraudulent phone numbers”, “mock phishing emails with prize offers”, etc.). The interface may include user-selectable options that allow the administrator to have the statistics presented, sorted and/or compiled according to administrator-selected criteria such as particular training interventions, training modules or time windows. [0117] FIG. 9 depicts an embodiment of a screen of a system administrator user interface 3001 that displays examples of sensed historical training data collected about a user 3003 (identified as “George Smith”). In this example, user Smith was recently assigned a collection of training modules referred to as the “New Hire Assignment” 3005...The example screen shown in FIG. 10 allows an administrator user to select, view and filter statistics of user activity data according to different criteria. These criteria can include filtering by individual users or groups of users, by training assignment (such as the “new hire assignment” shown in FIG. 9), which can include a collection of training interventions, by specific training intervention, by training campaign, namely a collection of one or more training interventions assigned to a selected group of users. The system or the administrator may use this information 3009 to identify users at risk for different threat scenarios)

While implied, Sadeh-Koniecpol does not expressly disclose the following features, which, however, are taught by Hawthorn:
...comprise the number of users of the entity that clicked on the link of the electronic simulated phishing communications comprising a simulated phishing email... (in at least [0143] FIG. 11 illustrates an example security item 112 generated to simulate a phishing message. Although not illustrated, other security items 112 and/or training items 124 may be generated and/or transmitted to target users. These additional security items 112 and/or training items 124 may include, for example, data associated with introductory security information, phishing information, social media information, remote and/or travel-related information, password information, social engineering information, web safety information, data protection information, email security information, computer security information, physical security information, simulation data associated with any of the preceding information, and/or any combination of the above. [0208] if a user risk calculator 212 determines that the user opened a security-threat-based message in the campaign; clicked on a security-based threat in the campaign; and entered personal and/or confidential information into a simulated security-based threat, the risk score of the recipient user may be altered by seventeen (17) according to the metrics in FIG. 14. If the user risk calculator 212 determines that the user completed three (3) training sessions during a campaign based on the user training item data 134, a risk score of the user is altered by 5%. [0222] a table 1512 with the campaigns associated with a client or that match any of the search/filtering criteria entered by a user.
Table 1512 may display the title 1514 of the campaign, the number of times 1516 each security item 112 and/or training item 124 in the campaign was sent; the number of times 1518 each security item 112 and/or training item 124 included a predefined action (e.g., open a message, click on a link, watch a video, attempt a password generation, and/or the like), a number of detected vulnerabilities 1520 (incorrect answers, incorrect interactions, and/or the like); the number of times 1522 each message resulted in a security compromise (e.g., recipient entered personal and/or confidential information, downloaded an insecure item, clicked on an insecure link, etc.); the number of multiple security compromises 1524 in each security item 112 and/or training item 124 for the same user (e.g., a user clicks on multiple insecure links, a user downloads multiple insecure items, a user answers multiple questions incorrectly, a combination of different security compromising actions, and/or the like); the number of users 1526 considered to have been “trained” during the campaign; the number of times 1528 users reported an applicable security item 112 and/or training item 124 to an administrator, manager, etc.; the starting date 1530 of the campaign; the stopping date of the campaign; the status 1532 of the campaign (e.g., pending, running, completed, etc.); the user 1534 who created the campaign; and/or the like. Each campaign may have different reporting items and the reporting items listed above. For example, a campaign may include additional items and/or may not include all of the reporting items described above. [0225] The campaign summary 1602 may also provide campaign statistics to the user in one or more different formats. For example, a campaign summary 1602 may include a graph 1618 displaying the statistics displayed in the table 1514 discussed above with respect to FIG. 15. It should be noted that the campaign statistics are not limited to those shown in FIG. 16.
[0226] FIG. 17 shows another example of information that may be displayed to the user of security system 102 as part of the campaign summary and/or report. For example, FIG. 17 illustrates that an overall risk score 1702 has been calculated for the client when compared to other clients subscribing to the risk assessment manager 110. A client's overall risk score may be based on the risk score associated with its employees. A client's overall risk score may be calculated based on the metrics discussed above with respect to FIG. 15 (e.g., open/interactions/vulnerable/trained/reported/compromised). [0229] FIG. 17 illustrates a graph 1706 that may be displayed to show a client's risk score over time. In this example, the user may be able to select a temporal-based filter 1708 to see how a client's risk score changed on a minute, hourly, daily, weekly basis, and/or monthly basis. FIG. 17 also illustrates a time distribution 1710 of user interactions with security items 112 and/or training items 124 during the selected campaign. In this example, a time distribution 1710 may display a year's worth of data, each discrete division representing days and further months. As an example, various graphical features may be used to illustrate campaign reporting. For example, darker shading may indicate more interactions with security items 112 and/or training items 124 on a particular day. This may be expanded to view a Month/Week/Day view and allow a viewer to identify when users are more likely to interact with a security item 112 and/or training item 124 such as early morning, late at night, at home vs. at office, etc. [0230] FIG. 18 illustrates a list/graph 1802 of risk scores for each employee, which may identify a company's riskiest and least risky employees.
For example, a user may be able to select one or more employees to see employee performance, property, and/or technical data with respect to a given campaign, multiple campaigns, and/or all campaigns participated in by the employee. FIG. 18 illustrates a graph 1804 that may be displayed to a user of security system 102 showing the client's risk score compared to other clients within a specific industry selected by the user. Graph 1804 may present the statistics displayed in the table 1514 discussed above for the client and for other clients in the selected industry. A user of security system 102 may be able to select the industry via one or more displayed options 1806 for which these metrics are displayed.)

The reason and rationale to combine Sadeh-Koniecpol and Hawthorn is the same as recited above. 



As per Claim 19, Sadeh-Koniecpol teaches: The system of claim 12,
wherein the server is further configured to execute the electronic based training to at least those users of the entity identified as phish-prone. (in at least [0118] discloses interface that may display statistics for a population of users, such as those users who have taken a particular interactive training module or collection of modules, or users who have been subject to particular mock attacks…shows a measurement of how many users fell for various types of mock attacks… system may use this information, which can be stored with historical training data or behavioral data, to benchmark individual users or groups of users and help determine which training interventions to direct to them later on based on training needs models)


As per Claim 20, Sadeh-Koniecpol teaches: The system of claim 11,
wherein the server is further configured to execute the one or more simulated phishing campaigns based on at least a result of one of the baseline simulated phishing campaign or the electronic based training of users of the entity for security awareness. (in at least [0032] discloses Sensing activities, behaviors, or other contextual attributes can help enrich the data available to identify and select training needs, resulting in more targeted training, better training outcomes and more effective mitigation of consequences associated with undesirable user behaviors. [0044] discloses review results of the analysis conducted by the policy manager 19 and select one or more training interventions to address those training needs for which one or more users are at a particularly high risk [0080] discloses Based on the analysis results produced by the policy manager 19, the system administrator may further select or prioritize training interventions that will be delivered to one or more users [0117] discloses filtering by individual users or groups of users, by training assignment (such as the “new hire assignment” shown in FIG. 9), which can include a collection of training interventions, by specific training intervention, by training campaign, namely a collection of one or more training interventions assigned to a selected group of users…may use this information 3009 to identify users at risk for different threat scenarios. An example can be as simple as identifying users with scores below a given threshold for a given threat scenario below. 
The administrator may then select (or the system may recommend to the administrator to select) training interventions [0121] discloses The interface also displays a workflow 3405 that the system may follow when walking the administrator through the setup of a mock attack campaign, including specifying and/or reviewing the recipients of the mock attack campaign, selecting and/or modifying a message to be used in the scenario, reviewing or selecting the training interventions associated with the mock attack campaign, scheduling the campaign, and confirming all parameters. [0122] discloses The resulting data may be collected through these mock attacks to estimate the vulnerability of individual users, groups of users with similar characteristics (e.g. users reading their email from smartphones, users who use Wi-Fi outside the corporate network), or an entire population of users. [0123] discloses the mock attack campaigns can be directed at individual users, entire groups of users organized by department, location, role or some other combination of available parameters, where mock campaigns can be subject to customizable scheduling constraints, and user training data and activity/behavior data can be accessed by the system administrator to review the campaign while in progress or after it has been completed…links in a mock malicious SMS message; messaging clients to be used in a particular mock messaging campaign; particular interventions to be used for users falling for a particular mock attack scenario; an administrator-selected link to be inserted in an SMS message such as a click-to-call link or a URL link;)


As per Claim 21, Sadeh-Koniecpol teaches: (Currently Amended) The system of claim 11, 
wherein the one or more graphical representations are organized into one or more metrics for the corresponding campaign and one or more metrics for each user.  (in at least [0117] FIG. 9 depicts an embodiment of a screen of a system administrator user interface 3001 that displays examples of sensed historical training data collected about a user 3003 (identified as “George Smith”). In this example, user Smith was recently assigned a collection of training modules referred to as the “New Hire Assignment” 3005. The historical training data in this particular case shows that the user was assigned four training modules (safe social networks, email security, anti-phishing, and passwords) 3007 and has provided responses to the questions or other prompts included in the assigned training modules. The interface displays a summary of the type of historical training data collected by the platform, including in this case training relating to the threat scenarios of social network usage, email security, anti-phishing and password security 3009...The example screen shown in FIG. 10 allows an administrator user to select, view and filter statistics of user activity data according to different criteria. These criteria can include filtering by individual users or groups of users, by training assignment (such as the “new hire assignment” shown in FIG. 9), which can include a collection of training interventions, by specific training intervention, by training campaign, namely a collection of one or more training interventions assigned to a selected group of users. The system or the administrator may use this information 3009 to identify users at risk for different threat scenarios. [0118] FIG. 10 illustrates a screen 3101 of an embodiment of an administrator interface that may display statistics for a population of users, such as those users who have taken a particular interactive training module or collection of modules, or users who have been subject to particular mock attacks. 
The statistics may include, for example, vulnerability data 3103 that shows a measurement of how many users fell for various types of mock attacks. It may also illustrate statistics 3005 representing user responses to various training modules or interventions. The administrator and/or system may use this information, which can be stored with historical training data or behavioral data, to benchmark individual users or groups of users and help determine which training interventions to direct to them later on based on training needs models. The system or administrator may also use this information to identify patterns such as correlations in the vulnerability of users to different types of threat scenarios. By comparing these statistics with baseline populations (e.g., employees at other companies, employees in other departments, same group of employees but at other times), the system can calibrate the need to train individual users or groups of users. This information may be incorporated in the system's training needs logic, where it can be used to support both automated and semi-automated processes. Statistics can be organized and presented according to taxonomies of training needs and training interventions (e.g. “mock phishing emails with fraudulent phone numbers”, “mock phishing emails with prize offers”, etc.). The interface may include user-selectable options that allow the administrator to have the statistics presented, sorted and/or compiled according to administrator-selected criteria such as particular training interventions, training modules or time windows.)


As per Claim 22, Sadeh-Koniecpol teaches: (Previously Presented) The system of claim 11, 
wherein the one or more graphical representations comprise an aggregation of statistics across users. (in at least [0117] The example screen shown in FIG. 10 allows an administrator user to select, view and filter statistics of user activity data according to different criteria. These criteria can include filtering by individual users or groups of users, by training assignment (such as the “new hire assignment” shown in FIG. 9), which can include a collection of training interventions, by specific training intervention, by training campaign, namely a collection of one or more training interventions assigned to a selected group of users. The system or the administrator may use this information 3009 to identify users at risk for different threat scenarios.)


As per Claim 23, Sadeh-Koniecpol teaches: (Previously Presented) The system of claim 11, 
wherein the server is further configured to update the one or more graphical representations as a corresponding campaign progresses. (in at least [0082] Regular assessment of user training needs may also include pushing short security quizzes and creating mock situations aimed at better evaluating the needs of an individual user or a group of users. In a real-time mode, the policy manager 19 may operate in an event-driven manner enabling it to more rapidly detect changes in user behavior or activities and other relevant contextual attributes, and to more quickly push training interventions that reflect the risks to which the user is exposed at a desired time. [0087] as users engage with the training interventions 190, their responses may be recorded in part or in whole 200. That response data itself may be analyzed in real-time by the policy manager or may be stored in an appropriate format, possibly for later analysis, (whether in raw form or in summarized form) in a part of the storage system responsible for storing historical training data or in a part of the storage system responsible for storing user behavior data, or some other relevant storage, or any combination of the above. [0123] Mock attack campaigns can be automatically created by the policy manager or can be the result of mixed initiative interaction with a system administrator interface or administrator client, where the mock attack campaigns can be directed at individual users, entire groups of users organized by department, location, role or some other combination of available parameters, where mock campaigns can be subject to customizable scheduling constraints, and user training data and activity/behavior data can be accessed by the system administrator to review the campaign while in progress or after it has been completed.)


Conclusion
Relevant prior art not relied upon:

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to PO HAN MAX LEE whose telephone number is (571)272-3821.  The examiner can normally be reached on Mon-Thurs 8:00 am - 7:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao Wu can be reached on (571) 272-6045.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from 




/PO HAN MAX LEE/Examiner, Art Unit 3623         

/CHARLES GUILIANO/Primary Examiner, Art Unit 3623