DETAILED ACTION
The following claims are pending in this office action: 1-25
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings filed on 12/22/2020 are accepted.  
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/22/2020 has been considered.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, an initialed and dated copy of Applicant’s IDS form 1449 filed 12/22/2020 is attached to the instant Office action. 
Claim Objections
Claims 4, 6-7, 13, 15-16, 22 and 24-25 are objected to because of the following informalities:
Claims 4, 13 and 22 recite the limitation “a first predetermined threshold” (claim 4, ln. 5-6; claim 13, ln. 5-6; and claim 22, ln. 5). It is unclear whether applicant intends to refer to “a first predetermined threshold” (claim 4, ln. 3-4; claim 13, ln. 3-4; and claim 22, ln. 3). If so, examiner suggests “the first predetermined threshold”.
Claims 6, 15 and 24 recite the limitation “user behavior” (claim 6, ln. 2; claim 15, ln. 3; and claim 24, ln. 2). It is unclear whether applicant intends to refer to “user’s behavior” (claim 1, ln. 2; claim 10, ln. 5; and claim 19, ln. 2). If so, examiner suggests “the user behavior”.
Claims 7, 16 and 25 recite the limitation “at least some improper behavior” (claim 7, ln. 7-8; claim 16, ln. 9; and claim 25, ln. 7). It is unclear whether applicant intends to refer to “at least some improper behavior” (claim 7, ln. 5; claim 16, ln. 6; claim 25, ln. 4-5). If so, examiner suggests “the at least some improper behavior”.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 7, 16 and 25 are rejected under 35 U.S.C. 112(b), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claims 7, 16 and 25 recite the limitations “the scope of at-risk user behavior” (claim 7, ln. 3-4; claim 16, ln. 3-4; and claim 25, ln. 3) and “the scope of the behaviors predetermined to be at-risk user behavior related to cybersecurity” (claim 7, ln. 5-6; claim 16, ln. 6-7; and claim 25, ln. 5-6). These limitations lack antecedent basis. Examiner suggests “a scope of at-risk user behavior” and “a scope of the behavior predetermined to be at-risk user behavior related to cybersecurity”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
	
Claims 1, 4, 6-7, 10, 13, 15-16, 19, 22, and 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Basavapatna et al (US Pub. 2013/0097709) (hereinafter “Basavapatna”) in view of Chalmers et al. (US Pub. 2018/0069866) (hereinafter “Chalmers”).

As per claim 1, Basavapatna teaches a computer-implemented method, comprising: receiving behavior data associated with a user's behavior on at least one device ([Basavapatna, para. 0027] “Events relating to user behavior… can also be detected… with data received from security tool deployment 210 and for use in assessing risk associated with user behavior within the system”) wherein the behavior data is based on one or more of an email account, a browser history, password usage and online behavior history; ([para. 0030] assessment data [behavior data] for a user can include email behavior, network usage, access and use of enterprise-owned resources, internet usage using system affiliated devices)
generating risk levels associated with the behavior data; ([Basavapatna, para. 0030] A risk profile score [level] is calculated for a user based on an aggregation of the profiles [behavior data])
predicting role-based risk events based on the behavior data; ([Basavapatna, para. 0051] user activity [behavior data] can be monitored and compared against the behavior profile to predict that a security or risk event [role-based risk event] is taking place or in danger of taking place)
Basavapatna does not clearly teach simulating the role-based risk events based on the risk levels; and adjusting role-based access control of the user based on results of the simulating.
However, Chalmers teaches simulating the role-based risk events based on the risk levels; and ([Chalmers, para. 0043] “the risk management system 210 may include a test generation component 215 for generating targeted tests, which may simulate an attack such as a phishing attack or entice a nefarious link or attachment, which contains malware to be downloaded [role-based risk event]…Each test may be different and may be tailored for each level of privilege afforded by the system and for each scenario likely to be encountered by such system users” [based on the risk levels])
adjusting role-based access control of the user based on results of the simulating. ([Chalmers, para. 0045] “the risk management system 210 may include a user update component 218 to reduce a user’s access privileges(s) 223 responsive to a response message to a test” [results of the simulating])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Basavapatna with the teachings of Chalmers to include simulating the role-based risk events based on the risk levels; and adjusting role-based access control of the user based on results of the simulating.  One of ordinary skill in the art would have been motivated to make this modification because “specific pseudo-targeted attacks or test may be generated… in order to discover (and restrict access to certain systems) the user population who might not have proper training around secure computing practices”.  (Chalmers, para. 0027)

As per claim 4, Basavapatna in view of Chalmers teaches claim 1.
Basavapatna does not clearly teach wherein adjusting the role-based access control of the user includes: reducing administrator privileges of the user in response to a determination that the risk levels exceed a first predetermined threshold and in response to a determination that second risk levels associated with previous behavior data of the user also exceed a first predetermined threshold.
However, Chalmers teaches wherein adjusting the role-based access control of the user includes: reducing administrator privileges of the user ([Chalmers, para. 0072] “reducing an access privilege of the user”) in response to a determination that the risk levels exceed a first predetermined threshold ([para. 0072] “when the user proceeds with the user action when the recommendation is to not proceed [a risk level – see para. 0035: a score may be tabulated as a result of the user behavior] and another insecure result is produced” [a first predetermined threshold – see para. 0035: the score may be required to be above a minimum threshold, scores below the minimum as scores exceeding the threshold]) and in response to a determination that second risk levels associated with previous behavior data of the user also exceed a first predetermined threshold.  ([para. 0072] “determining if the detected user action is similar to a previous action, wherein the previous user action [second risk level] produced an insecure result [exceed a first predetermined threshold]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Basavapatna with the teachings of Chalmers to include wherein adjusting the role-based access control of the user includes: reducing administrator privileges of the user in response to a determination that the risk levels exceed a first predetermined threshold and in response to a determination that second risk levels associated with previous behavior data of the user also exceed a first predetermined threshold.  One of ordinary skill in the art would have been motivated to make this modification because such a technique allows an evaluation of the client’s risk made via separate tests so that a user may be blocked before access to the protected system is achieved.  (Chalmers, para. 0052)

As per claim 6, Basavapatna in view of Chalmers teaches claim 1.
Basavapatna does not clearly teach outputting, a predetermined task suggestion to reinforce user behavior associated with a low risk level; determining whether the user has completed the predetermined task within a predetermined amount of time; and in response to a determination that the user has completed the predetermined task within the predetermined amount of time, reverting the role-based access control of the user.
However, Chalmers teaches outputting, a predetermined task suggestion to reinforce user behavior associated with a low risk level; ([Chalmers, para. 045] “The risk management system 210 may include a training component 219 for providing a training session [a predetermined task suggestion] to the user of the end user system which may be tailored to the tests”; “examples of training modules may include… how to take appropriate [associated with a low risk level] action [reinforce user behavior] after a nefarious act has been committed”)
determining whether the user has completed the predetermined task within a predetermined amount of time; and ([Chalmers, para. 0045] “In an embodiment, once a period of time has elapsed … with minor offenses [a predetermined task] from the user, the profile may be switched or updated [determining]”)
in response to a determination that the user has completed the predetermined task within the predetermined amount of time, reverting the role-based access control of the user. ([Chalmers, para. 0045] “a different user profile…can reinstate [revert] the user’s privileges [the role-based access control]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Basavapatna with the teachings of Chalmers to include outputting, a predetermined task suggestion to reinforce user behavior associated with a low risk level; determining whether the user has completed the predetermined task within a predetermined amount of time; and in response to a determination that the user has completed the predetermined task within the predetermined amount of time, reverting the role-based access control of the user.  One of ordinary skill in the art would have been motivated to make this modification because a privileged user may perform insecure computing practices due to poor user practices and lack of training and a solution to this problem would be to provide appropriate training.  (Chalmers, para. 0024-0025)

As per claim 7, Basavapatna in view of Chalmers teaches claim 1.
Basavapatna also teaches wherein generating the risk levels associated with the behavior data includes comparing the behavior data with at least some behaviors predetermined to be within the scope of at-risk user behavior, ([Basavapatna, Para. 0030] a composite risk score [risk level] is generated for a user [associated with the behavior data] based on an aggregation of users of use or type specific user profiles [within the scope] of which violations can be detected [at-risk user behavior]. [Para. 0046] the assessment data [behavior data] may be compared to a particular identified user’s interaction with or use of system resources [at least some behaviors])
and comprising: determining whether the user's behavior includes at least some improper behavior that is outside the scope of the behaviors predetermined to be at-risk user behavior related to cybersecurity; ([Basavapatna, Para. 0030] “in each instance, events and violations [at least some improper behavior] can be detected based on a user’s deviation from [outside the scope of] an associated, statistically-predicted behavioral profiled [behaviors] either for the user, a group to which the user belongs, or all users” [outside the scope of behaviors].  [Para. 0002] this disclosure relates in general to the field of computer security [cybersecurity])
and in response to a determination that the user's behavior includes at least some improper behavior, taking an action responsive thereto. ([Para. 0051] user behavior is used to identify deviations.  In instances where deviations exceed a tolerated threshold, countermeasures are triggered based on the detected deviations).  

As per claim 10, Basavapatna teaches a computer program product for adjusting role-based access control, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions readable and/or executable by a computer.  ([Basavapatna, para. 0072] embodiments can be implemented as one or more computer programs, i.e. one or more modules of computer instructions for execution by a data processing apparatus [computer])
The computer program product causes a computer to perform the steps of the method of claim 1, has language that is identical or substantially similar to the method of claim 1, and thus the computer program product claim is rejected with the same rationale applied against claim 1.

As per claim 13, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4.

As per claim 15, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

As per claim 16, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 7.

As per claim 19, Basavapatna teaches a system, comprising:
a processor; and ([Basavapatna, para. 0073] the operations are implemented by a programmable processor)
logic integrated with the processor, executable by the processor, or integrated with and executable by the processor.  ([Basavapatna, para. 0076] process and logic flows described are performed by the programmable processors)
The system claim comprises a logic integrated with the processor configured to perform the steps of claim 1, has language that is identical or substantially similar to the method of claim 1, and thus is rejected with the same rationale applied against claim 1.

As per claim 22, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4.

As per claim 24, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

As per claim 25, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 7.

Claims 2-3, 5, 11-12, 14, 20-21 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Basavapatna in view of Chalmers as applied to claim 1 above, and further in view of Vishwanath (US Pub. 2020/0267183) (hereinafter “Vishwanath”).

As per claim 2, Basavapatna in view of Chalmers teaches claim 1.  
Basavapatna does not clearly teach determining, based on the results of the simulating, data and/or an infrastructure that are potentially vulnerable to the predicted role-based risk events, wherein adjusting the role- based access control of the user includes: adding a security layer to the data and/or to the infrastructure in response to a determination that the risk levels exceed a first predetermined threshold.
However, Chalmers teaches determining, based on the results of the simulating, data and/or an infrastructure that are potentially vulnerable to the predicted role-based risk events. ([Chalmers, para. 0024] Privileged users can compromise [make vulnerable] their environment or workstation [data and/or infrastructure] due to insecure computing practices; [para. 0043-0044] during a simulated attack [based on simulating], the system generates an alert if [determining] the user makes an insecure or improper response [results of the simulating])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Basavapatna and Chalmers for the same reasons as disclosed above.  
Basavapatna in view of Chalmers does not clearly teach wherein adjusting the role-based access control of the user includes: adding a security layer to the data and/or to the infrastructure in response to a determination that the risk levels exceed a first predetermined threshold.
However, Vishwanath teaches wherein adjusting the role- based access control of the user includes: adding a security layer to the data and/or to the infrastructure ([Vishwanath, para. 0085] high-risk users may be subject to changes in permission [adjusting the role-based access control of the user] and enhanced security measures [adding a security layer to the data and/or infrastructure] as a result of an automatic action by the system) in response to a determination that the risk levels exceed a first predetermined threshold. ([Para. 0032] “deviation metrics from the baseline scores [high risk users] can be used to establish thresholds”; “user scores [risk levels] exceeding a number of deviation [a first predetermined threshold] can be subject to automatic system operation”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Basavapatna in view of Chalmers with the teachings of Vishwanath to include wherein adjusting the role- based access control of the user includes: adding a security layer to the data and/or to the infrastructure in response to a determination that the risk levels exceed a first predetermined threshold. One of ordinary skill in the art would have been motivated to make this modification because threshold risk scores enable the system to compare multiple iterations of phishing simulations [attacks exposing infrastructure vulnerabilities] effectively and accurately. (Vishwanath, para. 0074)

As per claim 3, Basavapatna in view of Chalmers teaches claim 1.  
Basavapatna does not clearly teach wherein adjusting the role-based access control of the user includes: reducing administrator privileges of the user in response to a determination that the risk levels exceed a first predetermined threshold, wherein reducing administrator privileges of the user includes maintaining data viewing privileges of the user and revoking data amending privileges of the user.
However, Chalmers teaches wherein reducing administrator privileges of the user ([Chalmers, para. 0034] “A notice may be provided 105 to the end user that a security aspect has been violated and that access privileges have been reduced” [reducing administrator privileges]) includes maintaining data viewing privileges of the user and revoking data amending privileges of the user. ([Para. 0034] “the user’s group membership would be changed from a group with full modify privileges [revoking data amending privileges] to a group with read-only access [maintaining data viewing privileges] on the system”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Basavapatna with the teachings of Chalmers to include wherein reducing administrator privileges of the user includes maintaining data viewing privileges of the user and revoking data amending privileges of the user.  One of ordinary skill in the art would have been motivated to make this modification because a privileged user may perform insecure computing practices due to poor user practices and a solution to this problem would be to ensure that a user’s privileged access is suspended.  (Chalmers, para. 0024-0025)
Basavapatna in view of Chalmers does not clearly teach wherein adjusting the role-based access control of the user includes: reducing administrator privileges of the user in response to a determination that the risk levels exceed a first predetermined threshold.
However, Vishwanath teaches wherein adjusting the role-based access control of the user includes: reducing administrator privileges of the user ([Vishwanath, para. 0085] high-risk users may be subject to changes in permission [adjusting the role-based access control of the user] and access rights [reducing administrator privileges] as a result of an automatic action by the system) in response to a determination that the risk levels exceed a first predetermined threshold.  ([Para. 0032] “deviation metrics from the baseline scores [high risk users] can be used to establish thresholds”; “user scores [risk levels] exceeding a number of deviation [a first predetermined threshold] can be subject to automatic system operation”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Basavapatna, Chalmers and Vishwanath for the same reasons as disclosed above.  

As per claim 5, Basavapatna in view of Chalmers teaches claim 1.  
Basavapatna does not clearly teach determining, based on the results of the simulating, data and/or an infrastructure that are potentially vulnerable to the predicted role-based risk events, wherein adjusting the role- based access control of the user includes: adding a security layer to the data and/or to the infrastructure and reducing administrator privileges of the user, wherein the adjusting is performed in response to a determination that the risk levels exceed a first predetermined threshold.  
However, Chalmers teaches determining, based on the results of the simulating, data and/or an infrastructure that are potentially vulnerable to the predicted role-based risk events. ([Chalmers, para. 0024] Privileged users can compromise [make vulnerable] their environment or workstation [data and/or infrastructure] due to insecure computing practices; [para. 0043-0044] during a simulated attack [based on simulating], the system generates an alert if [determining] the user makes an insecure or improper response [results of the simulating])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Basavapatna and Chalmers for the same reasons as disclosed above.  
Basavapatna in view of Chalmers does not clearly teach wherein adjusting the role-based access control of the user includes: adding a security layer to the data and/or to the infrastructure and reducing administrator privileges of the user, wherein the adjusting is performed in response to a determination that the risk levels exceed a first predetermined threshold.
However, Vishwanath teaches wherein adjusting the role-based access control of the user includes: adding a security layer to the data and/or to the infrastructure and reducing administrator privileges of the user, ([Vishwanath, para. 0085] high-risk users may be subject to changes in permission [adjusting the role-based access control of the user], access rights [reducing administrator privileges] and enhanced security measures [adding a security layer to the data and/or infrastructure] as a result of an automatic action by the system) wherein the adjusting is performed in response to a determination that the risk levels exceed a first predetermined threshold.  ([Para. 0032] “deviation metrics from the baseline scores [high risk users] can be used to establish thresholds”; “user scores [risk levels] exceeding a number of deviation [a first predetermined threshold] can be subject to automatic system operation”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Basavapatna, Chalmers and Vishwanath for the same reasons as disclosed above.  

As per claim 11, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.

As per claim 12, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 14, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

As per claim 20, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.

As per claim 21, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 23, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

Claims 8-9 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Basavapatna in view of Chalmers as applied to claim 1 above, and further in view of Rath et al, “Adaptive Risk-Aware Access Control Model for Internet of Things”; 2017 International Workshop on Secure Internet of Things (SIoT); 2017; pg. 40-49 (hereinafter “Rath”).

As per claim 8, Basavapatna in view of Chalmers teaches claim 1.  
Basavapatna in view of Chalmers does not clearly teach wherein the adjustment of the role-based access control of the user is based on an assigned first risk and privacy tolerance that is unique to the user, and comprising: assigning a second user of the at least one device a second risk and privacy tolerance, wherein the first risk and privacy tolerance is different than the second risk and privacy tolerance.
However, Rath teaches wherein the adjustment of the role-based access control of the user ([Rath, Pg. 4, Sec. II.C] RBAC [role-based access control] is an access control mechanism defined around roles and privileges) is based on an assigned first risk ([Pg. 6, Sec. IV.B] “for adaptive risk-aware P-RBAC… the “risk” entity is used to express the level of risk tolerance [an assigned first risk tolerance] a policy can support”) and privacy tolerance ([Pg. 6, Sec. IV.B] P-RBAC is an extension of the model RBAC and supports expressing privacy policies [tolerance]) that is unique to the user, ([Pg. 5, Sec. IV.A] RBACs use subject attributes which describe the user attempting the access) and comprising: assigning a second user of the at least one device a second risk and privacy tolerance, ([Pg. 7, Sec. IV.B] an example is given where a physician [second user] is assigned a risk value between 50% and 90% and a privacy tolerance of needing to notify the patient [first user] every access of the device) wherein the first risk and privacy tolerance is different than the second risk and privacy tolerance. ([Pg. 1, Sec. I; Pg. 4, Sec. III; Pg. 6, Sec. IV.B] “In adaptive access control, different level of enforcement is applied to access request for different situations and context”; adaptive risk-aware privacy-role based access control inputs user subject attributes as part of its model, and so has different risk and privacy tolerances for each user)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Basavapatna in view of Chalmers with the teachings of Rath to include wherein the adjustment of the role-based access control of the user is based on an assigned first risk and privacy tolerance that is unique to the user, and comprising: assigning a second user of the at least one device a second risk and privacy tolerance, wherein the first risk and privacy tolerance is different than the second risk and privacy tolerance.  One of ordinary skill in the art would have been motivated to make this modification because using such a model addresses both security and privacy concerns for sharing data.  (Rath, abstract)

As per claim 9, Basavapatna in view of Chalmers teaches claim 1.  
Basavapatna also teaches wherein the user's behavior occurs on a first application, and comprising: ([Basavapatna, para. 0027; para. 0034] the security tool receives behavior data [user’s behavior] on program 290 [first application]; wherein adjusting the role-based access control of the user is based on an assigned first risk and privacy tolerance that is specific to the first application is taught by Rath below)
receiving, second behavior data associated with the user's subsequent behavior ([Basavapatna, para. 0043] a subsequent user behavior is analyzed during detecting risk events) on at least one device, wherein the user's subsequent behavior occurs on a second application; ([Para. 0027; para. 0034] the security tool on the end user’s device receives behavior data [user’s behavior including the subsequent behavior – see para. 0043] on program 292 [second application])
generating second risk levels associated with the second behavior data; ([Basavapatna, para. 0041] a risk score is generated based on the behavior data; [para. 0042] the behavior data include a subsequent user behavior)
predicting second role-based risk events based on the second behavior data; ([Basavapatna, para. 0051] user activity [first and second behavior data] can be monitored and compared against the behavior profile to predict that a security or risk event is taking place or in danger of taking place. [Para. 005, Fig. 4A] for instance, user behavior data can be analyzed to identify two spikes 430a [first role-based risk event], and 430b [second role based risk event])
Basavapatna does not clearly teach wherein adjusting the role-based access control of the user is based on an assigned first risk and privacy tolerance that is specific to the first application, simulating the second role-based risk events based on the second risk levels; and readjusting the user's role-based access control, wherein the readjustment is based on the simulating the second role-based risk events wherein the readjusting of the role-based access control of the user is based on an assigned second risk and privacy tolerance that is specific to the second application.
However, Chalmers teaches simulating the second role-based risk events based on the second risk levels; and ([Chalmers, para. 0043] “the risk management system 210 may include a test generation component 215 for generating targeted tests, which may simulate an attack such as a phishing attack or entice a nefarious link or attachment, which contains malware to be downloaded [first and second role-based risk event]…Each test may be different and may be tailored for each level of privilege [first and second risk levels] afforded by the system and for each scenario likely to be encountered by such system users” [based on the risk levels])
readjusting the user's role-based access control, wherein the readjustment is based on the simulating the second role-based risk events ([Chalmers, para. 0045] “the risk management system 210 may include a user update component 218 to reduce a user’s access privileges(s) 223 [readjusting a user’s role-based access control] responsive to a response message to a test” [based on the simulating]. [Para. 0043] the test generation component may generate one or more targeted tests [simulating the first and second role-based risk events]. Wherein the readjusting of the role-based access control of the user is based on an assigned second risk and privacy tolerance that is specific to the second application is taught by Rath below)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Basavapatna and Chalmers for the same reasons as disclosed above.  
Basavapatna in view of Chalmers does not clearly teach wherein adjusting the role-based access control of the user is based on an assigned first risk and privacy tolerance that is specific to the first application, and wherein the readjustment is based on the simulating the second role-based risk events wherein the readjusting of the role-based access control of the user is based on an assigned second risk and privacy tolerance that is specific to the second application.
However, Rath teaches wherein adjusting the role-based access control of the user ([Rath, Pg. 4, Sec. II.C] RBAC [role-based access control] is an access control mechanism defined around roles and privileges) is based on an assigned first risk ([Pg. 6, Sec. IV.B] “for adaptive risk-aware P-RBAC… the “risk” entity is used to express the level of risk tolerance a policy can support”) and privacy tolerance ([Pg. 6, Sec. IV.B] P-RBAC is an extension of the model RBAC and supports expressing privacy policies [tolerance]) that is specific to the first application, and ([Pg. 2, Sec. II.A] a number of applications are listed including a smart home scenario where a user executes commands to smart devices using a smart home application [first application].  [Pg. 5, Sec. IV.A] RBAC are specific to resource attributes which describe the object [or application] being accessed)
wherein the readjusting of the role-based access control of the user ([Rath, Pg. 1, Sec. I] in adaptive access control, different levels of enforcement are applied [readjusting of the role-based access as access is defined around, and depends upon, roles – see Pg. 4, Sec. II.C] to an access request for different situations and contexts in order to minimize the risk associated with the request) is based on an assigned second risk ([Pg. 6, Sec. IV.B] “for adaptive risk-aware P-RBAC… the “risk” entity is used to express the level of risk tolerance [a first and second risk tolerance] a policy can support”; [Pg. 4, Sec. III] “estimating and managing risk is a case-by-case study given different nature and type of risk that may have in IoT system environment” [a first risk in first environment/application, and a second risk in a second environment/application]) and privacy tolerance ([Pg. 6, Sec. IV.B] P-RBAC is an extension of the model RBAC and supports expressing privacy policies [a first and second privacy tolerance]; [Pg. 4, Sec. IV.B] in Privacy-RBAC, data permissions are assigned to roles for a specific purpose [application]) that is specific to the second application. ([Pg. 2, Sec. II.A] a number of applications are listed including a system allowing a physician to observe the health condition of a patient using a healthcare app [second application].  [Pg. 5, Sec. IV.A] RBAC are specific to resource attributes which describe the object [or application] being accessed)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Basavapatna, Chalmers and Rath for the same reasons as disclosed above.  

As per claim 17, the claim language is identical or substantially similar to that of claim 8. Therefore, it is rejected under the same rationale applied to claim 8.

As per claim 18, the claim language is identical or substantially similar to that of claim 9. Therefore, it is rejected under the same rationale applied to claim 9.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Kras et al. (US Pub. 2020/0177612) discloses a server configured to execute a simulated cybersecurity attack and determining, based on the results of the simulating, a score that represents how a portion of the enterprise is vulnerable to role-based risk events.  
Ramzan et al. (US Pub. 2020/0233955) discloses monitoring user behavior in an enterprise system, and generating a risk score based on predicted impact of compromise and the monitored user behavior.  
Krishnan et al. (US Pub. 2020/0076818) discloses risk-aware sessions in role-based access control systems where a risk threshold is used to establish user roles in various user environments.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493