Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This final action is in response to amendment filed on 06/14/2022. Claims 1-20 are pending, with claims 1 and 11 being independent. 

Priority
This patent application claims the benefit of and priority to U.S. Provisional Patent Application No. 63/123,812 filed December 10, 2020, which also claims the benefit of and priority to U.S. Provisional Patent Application No. 63/142,071 filed January 27, 2021.

Response to Arguments
Claim Objection
Claim 1 objection has been withdrawn in view of amended claim.
Claim 2 objection has been maintained because the objection has not been addressed. Limitation “an email address identified by the personal information” has an issue because it is not clear how the personal information can identify an email address. It appears that it should be “an email address in the personal information” as indicated in claim 6.
35 U.S.C. § 101 Rejections
Applicants’ arguments have been fully considered but they are not persuasive.
In the response, applicant argues in substance that:
1. The claimed features involve a security awareness system configured on one or more servers which adjusts the score of a user based on a result of an exposure check or a security audit, which cannot be practically performed in the human mind. Therefore, the claims do not recite an abstract idea (remarks pages 6-7).
The examiner respectfully disagrees. As indicated in the rejection, adjusting the score of a user based on a result of an exposure check or a security audit is one of the mental processes because it can be performed in the human mind. For instance, a human can mentally change/adjust the score (e.g., from 20 to 60) of a user when a result of an exposure check or a security audit indicates that the user has a high security risk. The element "a security awareness system configured on one or more servers" is an additional element, as indicated in the rejection.
2. The claims are directed to a practical application of a judicial exception because they are directed to an improvement to the functioning of a system (remarks pages 7-9).
The examiner respectfully disagrees. The additional elements above have been identified as a general purpose machine which is merely implementing the abstract idea within a computer environment. See MPEP 2106.05(b)(I). When taken individually or viewed as an ordered combination, the claims as a whole do not appear to be integrated into a practical application.
Claims 10 and 20, however, are directed to a practical application of a judicial exception. The applicant may incorporate the claims into independent claims to overcome the rejection.

35 U.S.C. § 103 Rejections
Applicants’ arguments have been fully considered but they are not persuasive.
In the response, applicant argues in substance that:
The combination of Kashyap, Franzetti and Trentini does not adjust a risk score based on the result of an exposure check or the security audit performed on personal information of a user. While the Office action points to the "fishing attack risk factors" of Kashyap as an alleged "exposure check," Trentini's risk score is not adjusted based on a result of any such exposure check.
The examiner respectfully disagrees. One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., Inc., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Kashyap and Trentini teach the limitation above. For instance, Kashyap teaches scanning the personal information for key words and phrases associated with phishing risks [exposure check] to identify phishing attack risk factors, and assessing a risk of a user based on the phishing attack risk factor [result of the exposure check] (Kashyap pars. 52-53). Trentini teaches that the user risk score is adjusted with each risk indication (Trentini par. 88). Together, Kashyap and Trentini teach scanning the personal information for key words and phrases associated with phishing risks [exposure check] to identify phishing attack risk factors, and adjusting a risk of a user based on the phishing attack risk factor [result of the exposure check].
Since the argument of claim 1 is not persuasive, other claims’ arguments that rely on the argument above are also not persuasive.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/14/2022 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 2 and 12 are objected to because of the following informalities: 
Element “an email address identified by the personal information” should read “an email address in the personal information” because it is not clear how the personal information can identify an email address. It appears that it should be “an email address in the personal information” as indicated in claim 6.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-9 and 11-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  
Claims 1-9 are directed to a method (process).
Claims 11-20 are directed to a system (machine).
Thus, each of the claims is directed to one of the statutory categories of invention (Step 1: Yes).
Below the bolded features correspond to an abstract idea, and the non-bolded features correspond to the additional elements.
1. A method comprising: 
receiving, by a security awareness system configured on one or more servers, registration of personal information of a user of an organization; 
performing, by the security awareness system, at least one of an exposure check or a security audit of the personal information of the user; and 
adjusting, by the security awareness system, a personal risk score of the user based at least on a result of one of the exposure check or the security audit.
2. The method of claim 1, further comprising verifying, by the security awareness system, an email address identified by the personal information as used in a personal domain of the user.
3. The method of claim 2, further comprising storing, by the security awareness system, the email address used in the personal domain of the user in association with a profile of the user for the security awareness system.
4. The method of claim 2, further comprising registering the personal information with the security awareness system responsive to the email address used in the personal domain of the user being verified.
5. The method of claim 1, further comprising storing, by the security awareness system, the personal information in an obfuscated form.
6. The method of claim 1, further comprising performing the exposure check by searching using at least one of an email address or a username in the personal information for breached user information in one or more breach databases.
7. The method of claim 1, further comprising performing the security audit by assessing a strength of one or more registered personal passwords from the personal information and compliances to password requirements of the organization.
8. The method of claim 1, further comprising adjusting the personal risk score of the user based at least on the user's registration of the personal information with the security awareness system.
9. The method of claim 1, further comprising determining, by the security awareness system, a risk score based at least on the personal risk score of the user.
11. A system comprising: 
a security awareness system configured on one or more servers, the security awareness system configured to: 
receive personal information of a user of an organization; 
perform at least one of an exposure check or a security audit of the personal information of the user; and 
adjust a personal risk score of the user based at least on a result of one of the exposure check or the security audit.
12. The system of claim 11, wherein the security awareness system is further configured to verify an email address identified by the personal information as used in a personal domain of the user.
13. The system of claim 12, wherein the security awareness system is further configured to store the email address used in the personal domain of the user in association with a profile of the user for the security awareness system.
14. The system of claim 12, wherein the security awareness system is further configured to register the personal information responsive to the email address used in the personal domain of the user being verified.
15. The system of claim 11, wherein the security awareness system is further configured to store the personal information in an obfuscated form.
16. The system of claim 11, wherein the security awareness system is further configured to perform the exposure check by searching using at least one of an email address or a username in the personal information for breached user information in one or more breach databases.
17. The system of claim 11, wherein the security awareness system is further configured to perform the security audit by assessing a strength of one or more registered personal passwords from the personal information and compliances to password requirements of the organization.
18. The system of claim 11, wherein the security awareness system is further configured to adjust the personal risk score of the user based at least on the user's registration of the personal information with the security awareness system.
19. The system of claim 11, wherein the security awareness system is further configured to determine a risk score based at least on the personal risk score of the user.
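To make the claimed procedure concrete, the following is an added worked example; it is not the applicant's implementation and is not code from this office action or from any of the cited references. It models a small security awareness system that accepts registration only after the personal email address is verified (claims 2 and 4), stores only hashed fingerprints of the personal information (claim 5), runs the exposure check of claim 6 against a constructed breach database, runs the password audit of claim 7 against a constructed organisation policy, adjusts the personal risk score after each finding (claims 1 and 8), and derives an organisation-level score from the personal scores (claim 9). The identifiers, policy values, baseline score and score deltas are all assumptions chosen for illustration.

```python
import hashlib
import re
import statistics
from dataclasses import dataclass, field


def _fingerprint(value: str) -> str:
    """Normalise an identifier and hash it, so neither the breach lookup nor the
    stored profile holds the raw personal data (claim 5: obfuscated form)."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample breach database: fingerprints of identifiers found in a
# fictional credential dump (stands in for claim 6's "breach databases").
BREACH_DB = {_fingerprint("alice@example.net"), _fingerprint("bob.personal")}

# Constructed organisation password requirements (claim 7); values are assumptions.
ORG_PASSWORD_POLICY = {"min_length": 12, "require_digit": True, "require_symbol": True}


@dataclass
class UserProfile:
    user_id: str
    email_fp: str
    username_fp: str
    email_verified: bool
    risk_score: int = 50                      # assumed neutral starting score
    findings: list = field(default_factory=list)


class SecurityAwarenessSystem:
    def __init__(self, breach_db=BREACH_DB, policy=ORG_PASSWORD_POLICY):
        self.breach_db = breach_db
        self.policy = policy
        self.profiles = {}

    def adjust(self, profile, delta, reason):
        """Claim 1, third step: move the personal risk score, clamped to 0..100."""
        profile.risk_score = max(0, min(100, profile.risk_score + delta))
        profile.findings.append((reason, delta))

    def register(self, user_id, email, username, password, email_verified):
        """Claims 1, 2, 4 and 8: accept registration only once the personal email is
        verified, keep fingerprints rather than raw values, then run both checks."""
        if not email_verified:
            raise ValueError("personal email address must be verified before registration")
        profile = UserProfile(user_id, _fingerprint(email), _fingerprint(username), True)
        self.profiles[user_id] = profile
        self.adjust(profile, -5, "registered personal information")   # claim 8
        self.exposure_check(profile)
        self.security_audit(profile, password)   # audited in memory, never retained
        return profile

    def exposure_check(self, profile):
        """Claim 6: look the email and username fingerprints up in the breach database."""
        for label, fp in (("email", profile.email_fp), ("username", profile.username_fp)):
            if fp in self.breach_db:
                self.adjust(profile, +20, f"{label} found in breach database")

    def security_audit(self, profile, password):
        """Claim 7: assess password strength and compliance with the organisation policy."""
        classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
        if len(password) < 10 or classes < 3:
            self.adjust(profile, +15, "weak personal password")
        compliant = (len(password) >= self.policy["min_length"]
                     and (not self.policy["require_digit"] or re.search(r"\d", password))
                     and (not self.policy["require_symbol"] or re.search(r"[^\w]", password)))
        if not compliant:
            self.adjust(profile, +10, "password does not meet organisation requirements")

    def organization_risk_score(self):
        """Claim 9: an organisation-level score derived from the personal scores."""
        return round(statistics.mean(p.risk_score for p in self.profiles.values()), 1)


def demo():
    """Register three constructed users and return the populated system."""
    system = SecurityAwarenessSystem()
    system.register("alice", "alice@example.net", "alice_a", "Summer2021!!!", True)   # breached email
    system.register("bob", "bob@example.org", "bob.personal", "password", True)       # breached username, weak pw
    system.register("carol", "carol@example.com", "carol_c", "Tr0ub4dor&3-xyz", True)  # clean
    return system


if __name__ == "__main__":
    s = demo()
    for p in s.profiles.values():
        print(p.user_id, p.risk_score, p.findings)
    print("organisation score:", s.organization_risk_score())
```

With the assumed deltas, the breached email alone raises alice's score to 65, bob's breached username plus a weak and non-compliant password put him at 90, and carol, with no findings, ends at 45 after the registration credit; the organisation score is the mean of those three. The raw email addresses never appear in any stored profile, which is what the obfuscated-form storage of claim 5 is meant to guarantee.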
The bolded features are mental processes because they can be performed in the human mind. For instance, the human can perform in the human mind the steps of receiving registration of personal information of a user of an organization; performing at least one of an exposure check or a security audit of the personal information of the user; and adjusting a personal risk score of the user based at least on a result of one of the exposure check or the security audit (Step 2A Prong One: Yes).
The additional elements (e.g., non-bolded features) above have been identified as general Purpose Machine which are merely implementing the abstract idea within a computer environment. See MPEP 2106.05(b)(I). When taken individually or viewed as an ordered combination the claims as a whole do not appear to be integrated into a practical application (Step 2A Prong Two: No).
The additional elements (e.g., non-bolded features) above have been identified as general Purpose Machine which are merely implementing the abstract idea within a computer environment. See MPEP 2106.05(b)(I). When taken individually or viewed as an ordered combination the claims as a whole do not appear to amount to significantly more than the abstract idea (Step 2B: No).
Based on the above rationale, the claims have been deemed to be directed to ineligible subject matter under 35 USC 101.

Claims 11-20 are also rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because the claims are directed towards software per se.
Claim 11 recites "A system comprising: a security awareness system configured on one or more servers [ ]."
Applying the broadest reasonable interpretation in light of the specification and taking into account the meaning of the words in their ordinary usage as they would be understood by one of ordinary skill in the art (see MPEP 2111), the recited "servers" may include computer program code or software, and since there is no positive recitation of "hardware" in the claim, the claim as a whole is directed towards software per se, which is one of the non-statutory categories.
35 USC 101 enumerates four categories of subject matter that Congress deemed to be appropriate subject matter for a patent: Processes, Machines, Manufactures and Composition of Matter. 
Software or a computer program per se does not fall within any one of these four statutory categories, i.e., software per se is not a process because it is not a series of acts or steps, nor is it a machine, which is a concrete thing consisting of parts or of certain devices and combinations of devices, nor is it a manufacture or a composition of matter, as defined in MPEP 2106.03 I. Therefore, a claim which is directed towards software or a computer program per se is ineligible.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4, 8, 11-14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kashyap et al. (US 2015/0264084, published Sep. 17, 2015), Franzetti et al. (US 2014/0257962, published Sep. 11, 2014) and Trentini et al. (US 2022/0021654, provisional application No. 63/068,953, filed on Aug. 21, 2020).
As per claim 1, Kashyap discloses: 
receiving, by a security awareness system configured on one or more servers, [registration of] personal information of a user of an organization (Kashyap Fig. 3, Search a plurality of websites for a plurality of user profiles belonging to a plurality of users who are affiliated with an organization at 302 and Retrieve, from the plurality of user profiles, personal information describing the plurality of users at 304; Kashyap par. 36, Users who are affiliated with an organization may include employees of the organization); 
performing, by the security awareness system, at least one of an exposure check (Kashyap par. 52, Identification module 110 may identify the phishing attack risk factors in a variety of ways. For example, identification module 110 may scan the personal information for key words and phrases associated with phishing risks) or a security audit of the personal information of the user;
[adjusting], by the security awareness system, a personal risk [score] of the user based at least on a result of one of the exposure check or the security audit (Kashyap par. 53, At step 310 one or more of the systems described herein may assess, based at least in part on the phishing attack risk factor, a risk of a phishing attack targeting the individual user to illegitimately gain access to the privileged computing resource; Kashyap par. 63, systems described herein may perform a security action based on the risk of the phishing attack targeting the individual user. The security action may be based on the level of risk).
Kashyap does not explicitly disclose:
receiving registration of personal information of a user; 
adjusting a personal risk score.
Franzetti teaches:
receiving registration of personal information of a user (Franzetti par. 66, the user registers directly with the application by providing an identification of the user (e.g., full name, user name, etc.), an email address, and a password… As part of the registration process, the user can create a user profile. The user profile can include information about the user).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Kashyap with the teaching of Franzetti for receiving, by a security awareness system configured on one or more servers, registration of personal information of a user of an organization. One of ordinary skill in the art would have been motivated because it offers the advantage of collecting user data for analysis.
Trentini teaches:
adjusting a personal risk score (Trentini par. 88, The user profile may comprise a risk score that is adjusted with each risk indication).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Kashyap with the teaching of Trentini for adjusting, by the security awareness system, a personal risk score of the user based at least on a result of one of the exposure check or the security audit. One of ordinary skill in the art would have been motivated because it offers the advantage of improving the accuracy of user risk assessment.

As per claim 2, Kashyap-Franzetti-Trentini discloses the method of claim 1. Kashyap also discloses an email address identified by the personal information as used in a personal domain of the user (Kashyap par. 42, Personal information may include contact information such as a home address, phone number, and/or email address and/or descriptive information such as name, age, location, images, hobbies, job history and/or current job title).
Kashyap does not explicitly disclose:
further comprising verifying, by the security awareness system, an email address.
Franzetti teaches:
verifying, by the security awareness system, an email address (Franzetti par. 66, the application can send an email to the email address provided by the user and the user can verify that the user received the email).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Kashyap with the teaching of Franzetti for verifying, by the security awareness system, an email address identified by the personal information as used in a personal domain of the user. One of ordinary skill in the art would have been motivated because it offers the advantage of ensuring that the user-provided email is valid.

As per claim 3, Kashyap-Franzetti-Trentini discloses the method of claim 2. Kashyap-Franzetti also discloses further comprising storing, by the security awareness system, the email address used in the personal domain of the user (Kashyap par. 42, Personal information may include contact information such as a home address, phone number, and/or email address and/or descriptive information such as name, age, location, images, hobbies, job history and/or current job title) in association with a profile of the user for the security awareness system (Franzetti par. 66, the user registers directly with the application by providing an identification of the user (e.g., full name, user name, etc.), an email address, and a password… As part of the registration process, the user can create a user profile. The user profile can include information about the user). The same rationale as in claim 1 applies.

As per claim 4, Kashyap-Franzetti-Trentini discloses the method of claim 2. Kashyap-Franzetti also discloses further comprising registering the personal information with the security awareness system responsive to the email address used in the personal domain of the user being verified (Franzetti par. 66, the user registers directly with the application by providing an identification of the user (e.g., full name, user name, etc.), an email address, and a password. In response, the application can send an email to the email address provided by the user and the user can verify that the user received the email… As part of the registration process, the user can create a user profile. The user profile can include information about the user). The same rationale as in claim 2 applies.

As per claim 8, Kashyap-Franzetti-Trentini discloses the method of claim 1. Kashyap-Franzetti-Trentini also discloses further comprising adjusting the personal risk score of the user (Trentini par. 88, The user profile may comprise a risk score that is adjusted with each risk indication) based at least on the user's registration of the personal information (Franzetti par. 66, the user registers directly with the application by providing an identification of the user (e.g., full name, user name, etc.), an email address, and a password… As part of the registration process, the user can create a user profile. The user profile can include information about the user) with the security awareness system (Kashyap par. 52, Identification module 110 may identify the phishing attack risk factors in a variety of ways. For example, identification module 110 may scan the personal information for key words and phrases associated with phishing risks). The same rationale as in claim 1 applies.

Claims 11-14 and 18 are system claims corresponding to the method claims 1-4 and 8; thus claims 11-14 and 18 are analyzed and rejected accordingly.

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Kashyap et al. (US 2015/0264084, published Sep. 17, 2015), Franzetti et al. (US 2014/0257962, published Sep. 11, 2014), Trentini et al. (US 2022/0021654, provisional application No. 63/068,953, filed on Aug. 21, 2020) and Ford et al. (US 2019/0034657, published Jan. 31, 2019).
As per claim 5, Kashyap-Franzetti-Trentini discloses the method of claim 1. Kashyap-Franzetti-Trentini does not explicitly disclose further comprising storing, by the security awareness system, the personal information in an obfuscated form.
Ford teaches:
storing, by the security awareness system, the personal information in an obfuscated form (Ford par. 3, storing obfuscated sensitive personal information within an obfuscated sensitive personal information repository).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Kashyap with the teaching of Ford for storing, by the security awareness system, the personal information in an obfuscated form. One of ordinary skill in the art would have been motivated because it offers the advantage of protecting sensitive personal information.

Claim 15 is a system claim corresponding to the method claim 5; thus claim 15 is analyzed and rejected accordingly.

Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Kashyap et al. (US 2015/0264084, published Sep. 17, 2015), Franzetti et al. (US 2014/0257962, published Sep. 11, 2014), Trentini et al. (US 2022/0021654, provisional application No. 63/068,953, filed on Aug. 21, 2020) and Wright et al. (US 2018/0046796, published Feb. 15, 2018).
As per claim 6, Kashyap-Franzetti-Trentini discloses the method of claim 1. Kashyap-Franzetti also discloses at least one of an email address or a username in the personal information (Franzetti par. 66, the user registers directly with the application by providing an identification of the user (e.g., full name, user name, etc.), an email address, and a password). The same rationale as in claim 1 applies.
Kashyap-Franzetti-Trentini does not explicitly disclose:
further comprising performing the exposure check by searching using at least one of an email address or a username for breached user information in one or more breach databases.
Wright teaches:
performing the exposure check by searching using at least one of an email address or a username for breached user information in one or more breach databases (Wright par. 63, implementing a more-stringent account access policy (e.g., locking accounts) for accounts with usernames matching usernames in an identified compromised credentials database).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Kashyap with the teaching of Wright for performing the exposure check by searching using at least one of an email address or a username in the personal information for breached user information in one or more breach databases. One of ordinary skill in the art would have been motivated because it offers the advantage of identifying at-risk users for risk mitigation.

Claim 16 is a system claim corresponding to the method claim 6; thus claim 16 is analyzed and rejected accordingly.

Claims 7, 9, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kashyap et al. (US 2015/0264084, published Sep. 17, 2015), Franzetti et al. (US 2014/0257962, published Sep. 11, 2014), Trentini et al. (US 2022/0021654, provisional application No. 63/068,953, filed on Aug. 21, 2020) and Chakra et al. (US 2020/0112582, published Apr. 9, 2020).
As per claim 7, Kashyap-Franzetti-Trentini discloses the method of claim 1. Kashyap-Franzetti also discloses one or more registered personal passwords from the personal information (Franzetti par. 66, the user registers directly with the application by providing an identification of the user (e.g., full name, user name, etc.), an email address, and a password). The same rationale as in claim 1 applies.
Kashyap-Franzetti-Trentini does not explicitly disclose:
further comprising performing the security audit by assessing a strength of one or more passwords and compliances to password requirements of the organization.
Chakra teaches:
performing the security audit by assessing a strength of one or more passwords and compliances to password requirements of [the organization] (Chakra par. 38, if a user updates their password which fails to meet the minimum requirements of the social media group the aggregated group score will be increased).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Kashyap with the teaching of Chakra for performing the security audit by assessing a strength of one or more registered personal passwords from the personal information and compliances to password requirements of the organization. One of ordinary skill in the art would have been motivated because it offers the advantage of identifying the vulnerability of the user.

As per claim 9, Kashyap-Franzetti-Trentini discloses the method of claim 1. Kashyap-Franzetti-Trentini does not explicitly disclose further comprising determining, by the security awareness system, a risk score based at least on the personal risk score of the user.
Chakra teaches:
determining, by the security awareness system, a risk score based at least on the personal risk score of the user (Chakra Fig. 3, Calculating an aggregated group score based on the vulnerability score for the one or more group members at 308).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Kashyap with the teaching of Chakra for determining, by the security awareness system, a risk score based at least on the personal risk score of the user. One of ordinary skill in the art would have been motivated because it offers the advantage of assessing vulnerability for the organization.

Claims 17 and 19 are system claims corresponding to the method claims 7 and 9; thus claims 17 and 19 are analyzed and rejected accordingly.

Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kashyap et al. (US 2015/0264084, published Sep. 17, 2015), Franzetti et al. (US 2014/0257962, published Sep. 11, 2014), Trentini et al. (US 2022/0021654, provisional application No. 63/068,953, filed on Aug. 21, 2020) and Oprea et al. (US 9,674,210, patented Jun. 6, 2017).
As per claim 10, Kashyap-Franzetti-Trentini discloses the method of claim 1. Kashyap-Franzetti-Trentini does not explicitly disclose further comprising performing, by the security awareness system based on at least the personal risk score of the user, one of a remedial training or a simulated phishing campaign directed to the user.
Oprea teaches:
performing, by the security awareness system based on at least the personal risk score of the user, one of a remedial training or a simulated phishing campaign directed to the user (Oprea 7:17-21, Users of host devices having the highest risk scores can be warned and receive special training to avoid common pitfalls. More particularly, the risk scores can be used to develop a customized training procedure tailored to the observed user activity).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Kashyap with the teaching of Oprea for performing, by the security awareness system based on at least the personal risk score of the user, one of a remedial training or a simulated phishing campaign directed to the user. One of ordinary skill in the art would have been motivated because it offers the advantage of mitigating the risk of the user.

Claim 20 is a system claim corresponding to the method claim 10; thus claim 20 is analyzed and rejected accordingly.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20200252422 A1; Risk Score Generation For Assets Of An Enterprise System Utilizing User Authentication Activity
A method includes obtaining information regarding authentication events for users accessing assets of an enterprise system. The method also includes determining a likelihood of a given asset of the enterprise system becoming compromised responsive to compromise of a given user of the enterprise system.
US 20190052664 A1; System And Method For Assessing Cybersecurity Risk Of Computer Network
Systems and methods for assessing cybersecurity risk of a computer network include the use of a risk model application that is configured to determine an initial cyber risk score value based upon an underwriting process.
US 20160226911 A1; Dynamic Enterprise Security Control Based On User Risk Factors
Aspects dynamically set enterprise-level security rules by assessing risk factors associated with a user. Risk values representing likelihoods of loss of enterprise secure data are determined for different attributes of a user, and added together to generate a user risk factor.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837. The examiner can normally be reached Monday-Friday 8:00 - 5:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KHANG DO/Primary Examiner, Art Unit 2492