Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION
This non-final Office action is in response to applicant’s communication received on December 31, 2020, wherein claims 1-20 are currently pending.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.

The claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) obtaining/receiving/accessing/etc., information/data (monitoring, getting, and using information (where the information itself is abstract in nature – mainly used for risk determination and mathematical score calculations/determination)), data analysis and manipulation to determine more data (also using mathematical concepts, comparing abstract information, and abstract information decision making on risk), and providing/displaying this determined information/data.  The claimed invention further uses mathematical steps to analyze and determine further data.  These claims are directed towards gathering/collecting information/data, using the data for analysis, and manipulating/refining/etc., the information/data to generate more data; and further geared towards mathematical relationships (as discussed in the claims and the specification).  The use of some technical elements (e.g. “automating,” “computers,” “systems,” “machine learning techniques (just stating using ML without any algorithms or details – and no showing of technical integration in the system),” “NLG,” etc.,) are just merely stated (without details, algorithms, specific functionalities, etc.,) as post-solution/extra-solution (in an “apply it” fashion).
The core concepts and inventive limitations of the independent claims of monitoring a set of risk sources; implementing an identification and a weighted scoring of a set of risks associated with each risk source; matching a set of similar risk inputs with an associated weight, wherein the set of similar risk inputs are similar to the risk sources; monitoring for changes in risk levels of each risk source; generating a risk-score number for each risk source, wherein the risk-score number is used to avoid a subjective understanding of the risk source; and generating a report comprising a snapshot of the data of the risk-score number for each risk source, under the broadest reasonable interpretation, covers methods of organizing human activity and mathematical concepts but for the recitation of generic computer components.  That is, but for the recitation of, for example, “automating,” “computers,” “systems,” “machine learning techniques (just stating using ML without any algorithms or details – and no showing of technical integration in the system),” “NLG,” “processors,” “graphical user interfaces (GUIs)” “storage medium/media”, etc., in the context of the claims, the claim encompasses obtaining data, data analysis to determine more data, and providing/displaying this determined data.  The claimed invention further uses mathematical steps to analyze and determine further data.  If a claims limitation, under its broadest reasonable interpretation, covers the performance of the limitation as fundamental economic principles or practices (including hedging, insurance, mitigating risk); commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations); managing personal behavior or relationships or interactions between people (including scheduling, social activities, teaching, and following rules or instructions), then it falls within the “organizing human activities” grouping of abstract ideas. (See 2019 Revised Patent Subject Matter Eligibility Guidance – Federal Register, Vol. 84, Vol. 4, January 07, 2019, pages 50-57).  If a claims limitation, under its broadest reasonable interpretation, covers the performance of the limitation as mathematical relationships, mathematical formulas or equations, mathematical calculations then it falls within the Mathematical concepts grouping of abstract ideas. (See 2019 Revised Patent Subject Matter Eligibility Guidance - Federal Register, Vol. 84, Vol. 4, January 07, 2019, pages 50-57). Accordingly, since Applicant's claims fall under organizing human activities grouping, and mathematical concepts grouping, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application because the claims and specification recite generic components (“automating,” “computers,” “systems,” “machine learning techniques (just stating using ML without any algorithms or details – and no showing of technical integration in the system),” “NLG,” “processors,” “graphical user interfaces (GUIs)” “storage medium/media”, etc.,) which are recited at a high level of generality, i.e., as generic “automating,” “computers,” “systems,” “machine learning techniques (just stating using ML without any algorithms or details – and no showing of technical integration in the system),” “NLG,” “processors,” “graphical user interfaces (GUIs)” “storage medium/media”, etc., performing generic computer functions. (See 2019 Revised Patent Subject Matter Eligibility Guidance – Federal Register, Vol. 84, Vol. 4, January 07, 2019, page 53-55). The generic “automating,” “computers,” “systems,” “machine learning techniques (just stating using ML without any algorithms or details – and no showing of technical integration in the system),” “NLG,” “processors,” “graphical user interfaces (GUIs)” “storage medium/media”, etc., limitations are no more than mere instructions to apply the judicial exception (the above abstract idea) using generic computer components.  It is not enough, however, to merely improve abstract processes by invoking a computer merely as a tool. Customedia Techs., LLC v. Dish Network Corp., 951 F.3d 1359, 1364 (Fed. Cir. 2020).  The focus of the claims is simply to use computers and a familiar network/systems as a tool to perform abstract processes (organizing human activities (fundamental economic practices (of risk analysis) and data organization) and mathematical concepts) involving simple information exchange. Carrying out abstract processes of organizing human activities (fundamental economic practices and data organization) and mathematical concepts involving information exchange is an abstract idea. See, e.g., BSG, 899 F.3d at 1286; SAP America, 898 F.3d at 1167-68; Affinity Labs of Tex., LLC v. DIRECTV, LLC, 838 F.3d 1253, 1261-62 (Fed. Cir. 2016). And use of standard computers and networks to carry out those functions—more speedily, more efficiently, more reliably—does not make the claims any less directed to that abstract idea. See Alice Corp., 573 U.S. at 222-25; Customedia, 951 F.3d at 1364; Trading Techs. Int'l, Inc. v. IBG LLC, 921 F.3d 1084, 1092-93 (Fed. Cir. 2019); SAP America, 898 F.3d at 1167; Intellectual Ventures I LLC v. Symantec Corp., 838 F.3d 1307, 1314 (Fed. Cir. 2016); Electric Power Grp., LLC v. Alstom S.A., 830 F.3d 1350, 1353, 1355 (Fed. Cir. 2016); Intellectual Ventures I LLC v. Capital One Bank (USA), 792 F.3d 1363, 1367, 1370 (Fed. Cir. 2015); buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355 (Fed. Cir. 2014).  Accordingly, the additional elements do not integrate the abstract idea in to a practical application because it does not impose any meaningful limits on practicing the abstract idea – i.e. they are just post-solution activities. 
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claims do not recite an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment. The claims recite using known and/or generic/general-purpose computing devices and software (labeling/naming known and/or generic/general-purpose computing devices and software in a unique way does not convert the known and/or generic/general-purpose computing devices and software into anything specific and does not show any technical improvement – naming/labeling something is non-functional and non-technical and just descriptive material). For the role of a computer in a computer implemented invention to be deemed meaningful in the context of this analysis, it must involve more than performance of "well-understood, routine, [and] conventional activities previously known to the industry." Alice Corp. v. CLS Bank Int'l, 110 USPQ2d 1976 (U.S. 2014), at 2359 (quoting Mayo, 132 S. Ct. at 1294 (internal quotation marks and brackets omitted)). These activities as claimed by the Applicant are all well-known and routine tasks in the field of art – as can been seen in the specification of Applicant’s application (for example, see Applicant’s specification at, for example, Fig. 15, and paras. 0062 and 101-102 [generic/general-purpose computers/computing components/elements]) and/or the specification of the below cited art and/or also as noted in the court cases in §2106.05 in the MPEP. Further, "the mere recitation of a generic computer cannot transform a patent ineligible abstract idea into a patent-eligible invention." Alice, at 2358. None of the hardware offers a meaningful limitation beyond generally linking the system to a particular technological environment, that is, implementation via computers. Adding generic computer components to perform generic functions that are well‐understood, routine and conventional, such as gathering data, performing calculations, and outputting a result would not transform the claim into eligible subject matter.  Abstract ideas are excluded from patent eligibility based on a concern that monopolization of the basic tools of scientific and technological work might impede innovation more than it would promote it.  The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claims require no more than a generic computer to perform generic computer functions.  The additional element(s) or combination of elements in the claim(s) other than the abstract idea per se amount(s) to no more than: (i) mere instructions to implement the idea on a computer, and/or (ii) recitation of generic computer structure that serves to perform generic computer functions that are well-understood, routine, and conventional activities previously known to the pertinent industry.  Applicant is directed to the following citations and references: Digitech Image., LLC v. Electronics for Imaging, Inc.(U.S. Patent No. 6,128,415); and (2) Federal register/Vol. 79, No 241 issued on December 16, 2014, page 74629, column 2, Gottschalk v. Benson.  Viewed as a whole, the claims do not purport to improve the functioning of the computer itself, or to improve any other technology or technical field. Use of an unspecified, generic computer does not transform an abstract idea into a patent-eligible invention. Thus, the claim does not amount to significantly more than the abstract idea itself. See Alice Corp. v. CLS Bank Int'l, 110 USPQ2d 1976 (U.S. 2014).

The dependent claims 2-10 and 12-20 further define the independent claims and merely narrow the described abstract idea, but not adding significantly more than the abstract idea.  The dependent claims further state using collected/obtained/received abstract information in risk analysis, using the abstract well-known type of abstract information for analysis, manipulations (including using mathematical concepts), and comparisons, and providing/displaying this determined data/information so as take decisions based on this information.  These dependent claims are directed towards gathering/collecting data, using the data for analysis, and manipulating/refining/etc., the data to generate more data (organizing human activities in the fundamental economic practice of risk analysis); and further geared towards mathematical concepts (as discussed in the claims and the specification).  The dependent claims also do not include additional elements that are sufficient to amount to significantly more than the juridical exception because the additional elements either individually or in combination are merely an extension of the abstract idea itself as discussed above (and also for the independent claims) above.
The limitations of the dependent claims 2-10 and 12-20, under the broadest reasonable interpretation, covers methods of organizing human activity and mathematical concepts but for the recitation of generic computer components.  That is, but for the recitation of, for example, “automating,” “computers,” “systems,” “machine learning techniques (just stating using ML without any algorithms or details – and no showing of technical integration in the system),” “NLG,” “processors,” “graphical user interfaces (GUIs)” “storage medium/media”, etc., in the context of the claims, the claim encompasses obtaining data, data analysis to determine more data, and providing/displaying this determined data.  The claimed invention further uses mathematical steps to analyze and determine further data.  If a claims limitation, under its broadest reasonable interpretation, covers the performance of the limitation as fundamental economic principles or practices (including hedging, insurance, mitigating risk); commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations); managing personal behavior or relationships or interactions between people (including scheduling, social activities, teaching, and following rules or instructions), then it falls within the “organizing human activities” grouping of abstract ideas. (See 2019 Revised Patent Subject Matter Eligibility Guidance – Federal Register, Vol. 84, Vol. 4, January 07, 2019, pages 50-57).  If a claims limitation, under its broadest reasonable interpretation, covers the performance of the limitation as mathematical relationships, mathematical formulas or equations, mathematical calculations then it falls within the Mathematical concepts grouping of abstract ideas. (See 2019 Revised Patent Subject Matter Eligibility Guidance - Federal Register, Vol. 84, Vol. 4, January 07, 2019, pages 50-57). Accordingly, since Applicant's claims fall under organizing human activities grouping, and mathematical concepts grouping, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application because the claims and specification recite generic components (“automating,” “computers,” “systems,” “machine learning techniques (just stating using ML without any algorithms or details – and no showing of technical integration in the system),” “NLG,” “processors,” “graphical user interfaces (GUIs)” “storage medium/media”, etc.,) which are recited at a high level of generality, i.e., as generic “automating,” “computers,” “systems,” “machine learning techniques (just stating using ML without any algorithms or details – and no showing of technical integration in the system),” “NLG,” “processors,” “graphical user interfaces (GUIs)” “storage medium/media”, etc., performing generic computer functions. (See 2019 Revised Patent Subject Matter Eligibility Guidance – Federal Register, Vol. 84, Vol. 4, January 07, 2019, page 53-55). The generic “automating,” “computers,” “systems,” “machine learning techniques (just stating using ML without any algorithms or details – and no showing of technical integration in the system),” “NLG,” “processors,” “graphical user interfaces (GUIs)” “storage medium/media”, etc., limitations are no more than mere instructions to apply the judicial exception (the above abstract idea) using generic computer components.  It is not enough, however, to merely improve abstract processes by invoking a computer merely as a tool. Customedia Techs., LLC v. Dish Network Corp., 951 F.3d 1359, 1364 (Fed. Cir. 2020).  The focus of the claims is simply to use computers and a familiar network/systems as a tool to perform abstract processes (organizing human activities (fundamental economic practices (of risk analysis) and data organization) and mathematical concepts) involving simple information exchange. Carrying out abstract processes of organizing human activities (fundamental economic practices and data organization) and mathematical concepts involving information exchange is an abstract idea. See, e.g., BSG, 899 F.3d at 1286; SAP America, 898 F.3d at 1167-68; Affinity Labs of Tex., LLC v. DIRECTV, LLC, 838 F.3d 1253, 1261-62 (Fed. Cir. 2016). And use of standard computers and networks to carry out those functions—more speedily, more efficiently, more reliably—does not make the claims any less directed to that abstract idea. See Alice Corp., 573 U.S. at 222-25; Customedia, 951 F.3d at 1364; Trading Techs. Int'l, Inc. v. IBG LLC, 921 F.3d 1084, 1092-93 (Fed. Cir. 2019); SAP America, 898 F.3d at 1167; Intellectual Ventures I LLC v. Symantec Corp., 838 F.3d 1307, 1314 (Fed. Cir. 2016); Electric Power Grp., LLC v. Alstom S.A., 830 F.3d 1350, 1353, 1355 (Fed. Cir. 2016); Intellectual Ventures I LLC v. Capital One Bank (USA), 792 F.3d 1363, 1367, 1370 (Fed. Cir. 2015); buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355 (Fed. Cir. 2014).  Accordingly, the additional elements do not integrate the abstract idea in to a practical application because it does not impose any meaningful limits on practicing the abstract idea – i.e. they are just post-solution activities. 
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claims do not recite an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment. The claims recite using known and/or generic/general-purpose computing devices and software (labeling/naming known and/or generic/general-purpose computing devices and software in a unique way does not convert the known and/or generic/general-purpose computing devices and software into anything specific and does not show any technical improvement – naming/labeling something is non-functional and non-technical and just descriptive material). For the role of a computer in a computer implemented invention to be deemed meaningful in the context of this analysis, it must involve more than performance of "well-understood, routine, [and] conventional activities previously known to the industry." Alice Corp. v. CLS Bank Int'l, 110 USPQ2d 1976 (U.S. 2014), at 2359 (quoting Mayo, 132 S. Ct. at 1294 (internal quotation marks and brackets omitted)). These activities as claimed by the Applicant are all well-known and routine tasks in the field of art – as can been seen in the specification of Applicant’s application (for example, see Applicant’s specification at, for example, Fig. 15, and paras. 0062 and 101-102 [generic/general-purpose computers/computing components/elements]) and/or the specification of the below cited art and/or also as noted in the court cases in §2106.05 in the MPEP. Further, "the mere recitation of a generic computer cannot transform a patent ineligible abstract idea into a patent-eligible invention." Alice, at 2358. None of the hardware offers a meaningful limitation beyond generally linking the system to a particular technological environment, that is, implementation via computers. Adding generic computer components to perform generic functions that are well‐understood, routine and conventional, such as gathering data, performing calculations, and outputting a result would not transform the claim into eligible subject matter.  Abstract ideas are excluded from patent eligibility based on a concern that monopolization of the basic tools of scientific and technological work might impede innovation more than it would promote it.  The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claims require no more than a generic computer to perform generic computer functions.  The additional element(s) or combination of elements in the claim(s) other than the abstract idea per se amount(s) to no more than: (i) mere instructions to implement the idea on a computer, and/or (ii) recitation of generic computer structure that serves to perform generic computer functions that are well-understood, routine, and conventional activities previously known to the pertinent industry.  Applicant is directed to the following citations and references: Digitech Image., LLC v. Electronics for Imaging, Inc.(U.S. Patent No. 6,128,415); and (2) Federal register/Vol. 79, No 241 issued on December 16, 2014, page 74629, column 2, Gottschalk v. Benson.  Viewed as a whole, the claims do not purport to improve the functioning of the computer itself, or to improve any other technology or technical field. Use of an unspecified, generic computer does not transform an abstract idea into a patent-eligible invention. Thus, the claim does not amount to significantly more than the abstract idea itself. See Alice Corp. v. CLS Bank Int'l, 110 USPQ2d 1976 (U.S. 2014).




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-9, 11-13, and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al., (US 2020/0286016) in view of Amarasingham (US 2015/0213225).  
As per claim 1, Singh discloses a computerized process useful for automating Risk Identification, Quantification, Benchmarking and Mitigation in an enterprise computer system (Abstract; Figs. 1-3, 21-24, 26-30; ¶¶ 0005-0006, 0039-0040 [produce a risk profile consisting of a risk score and trends of risk scores across entities such as user identities and other objects…risk scoring solution architecture… risk scoring and predictive analytics engine]; note that “for automating Risk Identification, Quantification, Benchmarking and Mitigation” is just intended use and, as stated in the claims, it is non-functional and non-technical labelled/named type subject matter – it is not patentable subject matter (names/labels/titles are non-functional and non-technical subject which is not patentable)), comprising: 
integrating an enterprise security, privacy and compliance system in an enterprise computer system, wherein the enterprise security, privacy and compliance system monitors a set of risk sources in the enterprise computer system (Figs. 1-3, 21-24, 26-30; ¶¶ 0005-0006, 0039-0043 [produce a risk profile consisting of a risk score and trends of risk scores across entities such as user identities and other objects…risk scoring solution architecture… risk scoring and predictive analytics engine…ongoing monitoring…monitoring riles and provide predictive analytics…responding to monitoring processes…alerting], 0174-0179, 0284+; claim 1); 
implementing an identification and a weighted scoring of a set of risks associated with each risk source (claims 1-3; 0039-0040, 0056 [run the risk dashboard, he or she desired to be able to run a heat-map chart dashboard referred to herein as Risk Scores By Business Unit. This could be location, cost center, division, etc. This configuration allows the user to select Business Units to chart. The aggregated median risk scores for those departments are charted, color-coded, with legends and the percent distribution], 0059-0062 [run a pie-chart of company-wide distribution of contributing factors], 0081-0094+ [(Risk calculation)…allocate risk points for each contributing factor…calculates the risks for all identities ], 0104-0109+, 0346-0350 [the risk score…threats detected…ability to define different types of threats (e.g., terrorism, gun violence, etc.) and attach different weights based on severity. Users (such as super users) of the system may be able to select which type of threats is included in risk score calculation and the weightage of each type…risk score rules may be defined with singular threats or a combination of threats detected from public web sites or a combination of activities and threats detected both within the corporate environment and from public websites…[b]ased on the defined rules, risk scores may be calculated after any threats are detected]); 
with a specified machine learning technique, matching a set of similar risk inputs with an associated weight, wherein the set of similar risk inputs are similar to the risk sources (¶¶ 0190 [Hadoop Reducer that is responsible for calculating risk score or the risk level using matched rules], 0193-0200 [match attributes…type’s available attributes (match condition)], 0232, 0238-0241 [scores contributed by the matching rules], 0243 [matched rules contribute to the overall risk level], 0247-0258 [uses the matched rules for an entity to determine the risk score per configured group and the max group score is used to determine the risk level], 0308 [predictive analytics…machine learning], 0319-0320 [predictive analytics and machine learning techniques plays a huge role in anomaly detection and potential risk incident identification. Once machine data is collected, using density based clustering techniques, any anomalous transaction in the M2M communication can be detected and contributed towards the asset risk score mechanism according to an embodiment. In an embodiment density based clustering techniques are applied to specific parameters and data], 0343; table 5); 
monitoring the relevant enterprise systems for changes in risk levels of each risk source (¶¶ 0089-0097 [(risk/sensitivity levels are monitored for changes)…of Low, Medium, High and Critical with expected score impacts…violation levels], 0064-0066, 0104-0107 [changes…recalculates], 0148, 0190-0193, 0229-0232, 0238-0242, 0247-0258; claim 1);
generating a risk-score number for each risk source, wherein the risk-score number is used to avoid a subjective understanding of the risk source (claim 1 [ risk scoring and predictive analytics engine generates a risk score of the entity that is the total sum of all risk scores contributed by matching rules and generates a risk level, wherein the risk level is a mapping of the risk score to a value between 0 and 100; wherein the risk scoring and predictive analytics engine runs on a big data platform on a network and uses in-memory database processing; providing system response and automatically generating real-time alerts when said risk score exceeds a defined threshold; and wherein said generating a risk level uses entity groups]; ¶¶ 0005-0006, 0039-0043 [see above], 0082-0086, 0104-0111 [Risk scores can be calculated at real-time, i.e. whenever an event happens that is considered a contributing factor…risk score are assigned to applications or resources based on factors such as number of orphans, dormant, shared or service accounts. This process can be referred to as Resource Risk Scoring and can be combined with the risk associated with the resource itself…tracking of risk scores over time for trending analysis. An audit trail can keep track of what was incremented or decremented from the risk score, what event happened, and the date/time it happened]; (note that Singh shows the risk score is objectively stating risk so it “avoids subjective understanding”)); and 
generating a report comprising a snapshot of the data of the risk-score number for each risk source (¶¶ 0042-0044 [providing…reports, analytics…screen shots of risk scoring dashboard…reports… include median risk score, risk score bar chart, risk score heat map, and number of work items], 0166-0173 [reports and dashboards]).
Amarasingham discloses risk analysis and using natural language generation (NLG) functionality for reports and presenting/displaying results (¶¶ 0054-0056 [data extraction…natural language processing (NLP)], 0057-0058 [natural language processing is conducted on unstructured…data], 0063, 0069 [automatically generate…natural language generated text…reports], 0071; claim 4 [the risk logic module further comprises a natural language processing and generation logic module configured to process and analyze clinical and non-clinical data expressed in natural language, and to generate an output expressed in natural language]; see also Abstract [discussing monitoring risk sources and determining risk scores], 0029 [data is used to determine likelihood of an adverse occurrence…via risk score] 0048 [risk identification]).
Therefore, it would be obvious to one of ordinary skill in the art to include in the system/method of Singh using natural language generation (NLG) functionality as taught by analogous art Amarasingham in order to accurately and efficient gather and translate/interpret information (from raw/unstructured information) for accurate risk analysis since doing so could be performed readily by any person of ordinary skill in the art, with neither undue experimentation, nor risk of unexpected results (TSM/KSR-G) and also since one of ordinary skill in the art at the time of the invention would have recognized that applying the known technique and concepts of Amarasingham would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such concepts and features into similar systems (KSR-D). (See (1) 2007 Examination Guidelines for Determining Obviousness Under 35 U.S.C. 103 in View of the Supreme Court Decision in KSR International Co. v. Teleflex Inc. - Federal Register, Vol. 72, No. 195, October 10, 2007, pages 57526-57535; (2) 2010 Examination Guidelines Updated Developments in the Obviousness Inquiry After KSR v. Teleflex. -Federal Register, Vol. 75, No. 169, September 01, 2010, pages 53643-53660; and (3) materials posted at https://www.uspto.gov/patent/laws-and-regulations/examination-policy/examination-guidelines-training-materials-view-ksr).

As per claim 11, claim 11 discloses substantially similar limitations as claim 1 above; and therefore claim 11 is rejected under the same rationale and reasoning as presented above for claim 1.

As per claim 2, Singh discloses the computerized process of claim 1 further comprising: generating an effect on the computer system of a remediative action of a specified risk source (¶¶ 0054 [remediation], 0067-0080 [risk remediation], 0291 [remediation workflow], 0305-0306 [guidance for remediation…remediation steps], 0335 [risk posture…detects malicious activities…take remedial action]).
As per claim 3, Singh discloses the computerized process of claim 2 further comprising: providing a preview of the effect of system changes from the remediative action using a predictive analytic method (¶¶ 0029 [anomaly detection though predictive analysis], 0054 [remediation], 0067-0080 [risk remediation], 0287-0291 [automated remediation…predictive analytics that connects the dots across multiple actions that now paint a much more sinister picture…remediation workflow], 0305-0306 [guidance for remediation…remediation steps], 00319-0320 [predictive analytics and machine learning techniques plays a huge role in anomaly detection and potential risk incident identification…real time analysis is performed to identify critical risks], 0335 [risk posture…detects malicious activities…take remedial action], 0040-0042, 0308-0310).
As per claim 5, Singh discloses the computerized process of claim 1, wherein the step of integrating the enterprise security, privacy and compliance system in the enterprise computer system further comprises: integrating an enterprise security, privacy and compliance system with a set of RPPBM practices in an enterprise computer system, wherein the enterprise security, privacy and compliance system monitors a set of risk sources in the RPPBM practices (Figs. 1-3, 21-24, 26-30; ¶¶ 0005-0006, 0039-0043 [produce a risk profile consisting of a risk score and trends of risk scores across entities such as user identities and other objects…risk scoring solution architecture… risk scoring and predictive analytics engine…ongoing monitoring…monitoring riles and provide predictive analytics…responding to monitoring processes…alerting], 0174-0179, 0284+; claim 1; (note that “in the RPPBM” is just intended use and non-functional and non-technical labelled subject matter – it is not patentable subject matter; also “enterprise security, privacy and compliance” is just naming/labeling the system and is non-functional and non-technical subject which is not patentable)).  
As per claim 6, Singh discloses the computerized process of claim 5, wherein the enterprise security, privacy and compliance system monitors a set of risk sources in the RPPBM practices (Figs. 1-3, 21-24, 26-30; ¶¶ 0005-0006, 0039-0043 [produce a risk profile consisting of a risk score and trends of risk scores across entities such as user identities and other objects…risk scoring solution architecture… risk scoring and predictive analytics engine…ongoing monitoring…monitoring riles and provide predictive analytics…responding to monitoring processes…alerting], 0174-0179, 0284+; claim 1; (note that “in the RPPBM” is just intended use and non-functional and non-technical labelled subject matter – it is not patentable subject matter; also “enterprise security, privacy and compliance” is just naming/labeling the system and is non-functional and non-technical subject which is not patentable)).  
As per claim 7, Singh discloses the computerized process of claim 1 further comprising: generating and serving a dashboard view of the set of risk-score numbers for each risk source, wherein the set of risk-score numbers are displaying in a graph (Figs. 2-9, 11-18+, 25, 28; ¶¶ 0008, 0018, 0042-0044 [providing…reports, analytics…screen shots of risk scoring dashboard…reports… include median risk score, risk score bar chart, risk score heat map, and number of work items], 0055-0060 [dashboards…risk dashboard…chart dashboard], 0148 [FIGS. 11-19. FIG. 11 is a graph of a statistical distribution of a risk score. FIG. 12 is a colorized graph of a particular departmental dashboard of risk score totals. FIG. 13 is a colorized graph at drill down level 1, a view of risk distribution for the training department. FIG. 14 is a table at drill down level 2 of identities who belong to the IT department. FIG. 15 is an identity view with the risk score at drill down level 3. FIG. 16 is a view of events that contributed to the score at drill down level 4. FIG. 17 is a schematic diagram showing mock-ups of comparative dashboards by department], 0166-0173 [reports and dashboards]).  
As per claim 8, Singh discloses the computerized process of claim 7, wherein the graph comprises a circle graph with list of each risk source and a percentage of each risk source as a portion of overall risk (Figs. 2-9, 11-18+, 25, 28; ¶¶ 0008, 0018, 0042-0044 [providing…reports, analytics…screen shots of risk scoring dashboard…reports… include median risk score, risk score bar chart, risk score heat map, and number of work items], 0055-0060 [dashboards…risk dashboard…chart dashboard], 0148 [FIGS. 11-19. FIG. 11 is a graph of a statistical distribution of a risk score. FIG. 12 is a colorized graph of a particular departmental dashboard of risk score totals. FIG. 13 is a colorized graph at drill down level 1, a view of risk distribution for the training department. FIG. 14 is a table at drill down level 2 of identities who belong to the IT department. FIG. 15 is an identity view with the risk score at drill down level 3. FIG. 16 is a view of events that contributed to the score at drill down level 4. FIG. 17 is a schematic diagram showing mock-ups of comparative dashboards by department], 0166-0173 [reports and dashboards]).  
As per claim 9, Singh discloses the computerized process of claim 8, wherein each element of the list of each risk source comprises a hyperlink to a set of underlying data sources used to build the risk score of each respective risk source (Figs. 2-9, 11-18+, 25, 28; ¶¶ 0008, 0018, 0042-0044 [providing…reports, analytics…screen shots of risk scoring dashboard…reports… include median risk score, risk score bar chart, risk score heat map, and number of work items], 0055-0060 [dashboards…risk dashboard…chart dashboard…heat map regions are clickable, which invokes a popup window of another pie chart that breaks down the distribution of contributing factors, e.g. training or usage, for the selected department. There is further drill down, i.e. when the pie slice is clicked, another window pops up with a statistical distribution chart. Further drill down can happen when the user clicks on a section of the distribution chart], 0102-0103 [shows clicking on links], 0148 [FIGS. 11-19. FIG. 11 is a graph of a statistical distribution of a risk score. FIG. 12 is a colorized graph of a particular departmental dashboard of risk score totals. FIG. 13 is a colorized graph at drill down level 1, a view of risk distribution for the training department. FIG. 14 is a table at drill down level 2 of identities who belong to the IT department. FIG. 15 is an identity view with the risk score at drill down level 3. FIG. 16 is a view of events that contributed to the score at drill down level 4. FIG. 17 is a schematic diagram showing mock-ups of comparative dashboards by department], 0166-0173 [reports and dashboards]).  


As per claims 12-13 and 15-19, claims 12-13 and 15-19 disclose substantially similar limitations as claims 2-3 and 5-9 above; and therefore claims 12-13 and 15-19 are rejected under the same rationale and reasoning as presented above for claims 2-3 and 5-9.


Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al., (US 2020/0286016) in view of Amarasingham (US 2015/0213225), further in view of Doherty et al., (US 2015/0088597).
As per claim 4, Singh discloses the computerized process of claim 1 further comprising: graphically displaying the preview of the effect of system changes from a set of remediative actions for the set of risk sources in graphs and charts (see citations in the other claims above, for example claims 1-4, 8 and also see Fig. 2-9, 11-18, 25, 28 ; ¶¶ 0055-0061 [risk dashboard…chart…risk score…cost…charted, color-coded, with legends and the percent distribution]). However, neither Singh nor Amarasingham explicitly state risk sources in plot graph with the cost of each of the set of remediative action on a y-axis and a severity of the risk of each risk source in terms of a its risk score on an x-axis; and neither Singh nor A explicitly state bubble graphs in risk analysis.
Doherty discloses a plot graph with the cost of each of the set of remediative action on a y-axis and a severity of the risk of each risk source in terms of a its risk score on an x-axis; and a bubble plot graph (Figs. 3-4; ¶¶ 0051-0054 [graph…axis…how a threat could best be addressed…include…cost to fix the threat], 0056-0058, 0061-0063 [cost valuation…underlying assets and the sensitivity of the assets to risk-creating behaviors, events or actors (which is also the cost of remedying if the assets is compromised)… higher level of effort to achieve only a moderate level of risk for a less significant asset cost valuation], 0028-0029).  
Therefore, it would be obvious to one of ordinary skill in the art to include in the system/method of Singh in view of Amarasingham a bubble plot graph with the cost of each of the set of remediative action on a y-axis and a severity of the risk of each risk source in terms of a its risk score on an x-axis as taught by analogous art Doherty in order to accurately present resultant (risk analysis) information since doing so could be performed readily by any person of ordinary skill in the art, with neither undue experimentation, nor risk of unexpected results (TSM/KSR-G); and also since one of ordinary skill in the art at the time of the invention would have recognized that applying the known technique and concepts of Doherty (using known types of graphs to plot information in the specific way for presentation) would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such concepts and features into similar systems (KSR-D). (See (1) 2007 Examination Guidelines for Determining Obviousness Under 35 U.S.C. 103 in View of the Supreme Court Decision in KSR International Co. v. Teleflex Inc. - Federal Register, Vol. 72, No. 195, October 10, 2007, pages 57526-57535; (2) 2010 Examination Guidelines Updated Developments in the Obviousness Inquiry After KSR v. Teleflex. -Federal Register, Vol. 75, No. 169, September 01, 2010, pages 53643-53660; and (3) materials posted at https://www.uspto.gov/patent/laws-and-regulations/examination-policy/examination-guidelines-training-materials-view-ksr).

As per claim 14, claim 14 discloses substantially similar limitations as claim 4 above; and therefore claim 14 is rejected under the same rationale and reasoning as presented above for claim 4.


Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al., (US 2020/0286016) in view of Amarasingham (US 2015/0213225), further in view of Sarkissian (US 2020/0410001) (prov. 03/22/2018).
As per claim 10, Singh discloses the computerized process of claim 1 and using machine learning (see citations above in claim 1). However, neither Singh nor Amarasingham explicitly state wherein the specified machine learning technique comprises a Recurrent neural network (RNN).
Analogous art Sarkissian discloses risk analysis and using Recurrent neural network (RNN) (¶¶ 0039-0041 [risk identification and scoring], 0063-0066, 0082, 0142 [data processed…recurrent neural networks (RNNs)]).
Therefore, it would be obvious to one of ordinary skill in the art to include in the system/method of Singh in view of Amarasingham using Recurrent neural network (RNN)as taught by analogous art Sarkissian in order to accurately and efficient process data (using ML techniques) for accurate risk analysis since doing so could be performed readily by any person of ordinary skill in the art, with neither undue experimentation, nor risk of unexpected results (TSM/KSR-G) and also since one of ordinary skill in the art at the time of the invention would have recognized that applying the known technique and concepts of Sarkissian (processing data using RNNs when applying machine learning techniques is old and well-known) would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such concepts and features into similar systems (KSR-D). (See (1) 2007 Examination Guidelines for Determining Obviousness Under 35 U.S.C. 103 in View of the Supreme Court Decision in KSR International Co. v. Teleflex Inc. - Federal Register, Vol. 72, No. 195, October 10, 2007, pages 57526-57535; (2) 2010 Examination Guidelines Updated Developments in the Obviousness Inquiry After KSR v. Teleflex. -Federal Register, Vol. 75, No. 169, September 01, 2010, pages 53643-53660; and (3) materials posted at https://www.uspto.gov/patent/laws-and-regulations/examination-policy/examination-guidelines-training-materials-view-ksr).

As per claim 20, claim 20 discloses substantially similar limitations as claim 10 above; and therefore claim 20 is rejected under the same rationale and reasoning as presented above for claim 10.



Conclusion
The prior art made of record on the PTO-892 and not relied upon is considered pertinent to applicant's disclosure. For example, some of the pertinent art is as follows:
Beard et al., (US 9,671,776): Determining, tracking, and anticipating risk in a manufacturing facility are presented. In example embodiments, the method includes obtaining operational data associated with a manufacturing facility. The method further includes accessing a risk data model corresponding to the manufacturing facility, and calculating a risk score based on the current operational data using the risk data model. The method further includes causing presentation of a user interface that includes a display of the risk score to provide a user with a measure of risk at the manufacturing facility.
Greenspan et al., (US 20170230402): Describes receiving a plurality of node data streams through a data network from a plurality of source nodes, respectively, each of the plurality of node data streams comprising a plurality of node data. The method further comprises determining a respective risk assessment for each of the plurality of node data streams based on a plurality of elements, wherein the respective risk assessment indicates a level of trustworthiness of each of the plurality of node data streams. Moreover, the method comprises determining a plurality of respective actions for each of the plurality of source nodes, based on the respective risk assessment of the plurality of node data streams. The method further comprises instructing each of the plurality of source nodes to perform the respective action.
Heckman et al., (US 20190207968 A1): Illustrates performing operations including computing a risk factor for a cybersecurity/privacy program implemented by an enterprise, computing a maturity factor for the cybersecurity/privacy program, and determining an integrated result for the cybersecurity program based at least in part on a combination of the risk factor and the maturity factor. In some embodiments, computing the risk factor may include computing a current risk management level and a target risk management level for the cybersecurity program, and computing the maturity factor may include computing a current maturity level and a target maturity level for the cybersecurity program. In some embodiments, the processor may be configured to perform operations that further include tracking any remediation activities based on the integrated result, and monitoring any changes to the current risk management level or the current maturity level for the cybersecurity/review program.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GURKANWALJIT SINGH whose telephone number is (571)270-5392.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Epstein can be reached on 571-270-5389.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Gurkanwaljit Singh/
Primary Examiner, Art Unit 3683