Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	This action is in response to the claims filed 10/08/2020.  Claims 1-20 are pending.  Claims 1 (a machine), 14 (a method), and 20 (a non-transitory CRM) are independent.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) either a mental process or a method of organizing human activity; the implementation of compliance testing and training. Ostensibly, the claims are directed to administering a test and then providing education to individuals to remedy their deficiencies.  Administering person specific education in response to the assessment of their skills is an abstract idea and either a method of organizing human activity or a mental process of the educator. This judicial exception is not integrated into a practical application because the claims merely link the use of the judicial exception (testing and teaching) to the use of generic electronic messages such as email and do not utilize a particular machine or improve the functioning of a particular machine. See MPEP 2106.04(d)(I). The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because sending and receiving of messages such as email is well-understood, routine, and conventional activity.  MPEP 2106.05(d).
 

Examiner’s Note
	Claims 5, 6, 18, and 19 are not rejected in view of the prior art as the further features of claims 5 and 18 are not anticipated or rendered obvious by the references made of record.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-4, 7-17, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Irimie et al., US 2019/0173919 (filed 2017-12), in view of Sadeh-Koniecpol et al., US 2012/0258437 (filed 2012-04).
	As to claims 1, 14, and 20 Irimie discloses a machine/method/CRM comprising:
at least one processor; (Irimie figure 1C.)
a communication interface communicatively coupled to the at least one processor; and (Irimie figure 1C.)
memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: (“The storage device 128 may include, without limitation, an operating system, software, and a software of a simulated phishing attack system 120.” Irimie ¶ 49)
send, to a first enterprise user device, an initial simulated spear phishing message; (“the simulated phishing message generator 253 can be configured to generate a simulated phishing email.” Irimie ¶ 92, see also ¶ 138)
receive, from the first enterprise user device, initial user interaction information indicating how a user of the first enterprise user device interacted with the initial simulated spear phishing message; (“the messaging application 237 can be configured to display simulated phishing attack emails. Furthermore, the messaging application 237 can be configured to allow the target to generate reply messages” Irimie ¶ 102. “when a recipient in a campaign responds to a message of the campaign….  campaign controller 250 uses this string to create a message to a campaign recipient.” Irimie ¶¶ 141-143)
generate, based on the initial user interaction information and using a series of branching message templates, one or more first follow on simulated spear phishing messages; (“campaign controller 250 may change the order of actions in the template based on a user's actions in response to an action sent to the user by campaign controller 250. In some embodiments campaign controller 250 may change the content of messages described by the template detail pages and to be sent to a user, based on a user's actions in response to an action sent to the user by campaign controller 250.” Irimie ¶ 140. “an appropriate response generated by serving module 230 may include another copy of the link that was in a previous message. In some embodiments, an appropriate response generated by serving module 230 may include a new link for the user to interact with. In some embodiments, serving module 230 generates an appropriate response to the campaign recipient according to a model selected for the campaign recipient for the current campaign.” Irimie ¶ 143)
receive, from the first enterprise user device, first additional user interaction information indicating how the user of the first enterprise user device interacted with the one or more follow on simulated spear phishing messages; (“the messaging application 237 can be configured to display simulated phishing attack emails. Furthermore, the messaging application 237 can be configured to allow the target to generate reply messages” Irimie ¶ 102. The further responses to the messages of Irimie ¶ 143.  See also Irimie ¶ 145)
compute, based on the initial user interaction information and the first additional user interaction information, one or more spear phishing scores corresponding to the user of the first enterprise user device; (“the simulated phishing campaign manager 251 may include data collected from targets, records of failures such as a listing of which targets replied to a simulated phishing email, systemic or other security measures in place during the simulated phishing attacks…. this analysis may include determining which users are a security risk based on having a number of failures above a predetermined threshold,” Irimie ¶ 233)
compare the one or more spear phishing scores to one or more spear phishing thresholds; (“a number of failures above a predetermined threshold,” Irimie ¶ 233. “when a recipient fails a simulated phishing test, website workers 263 enroll the user in remedial training that will take place at some time in the future.” Irimie ¶ 177)

Irimie does not disclose:
based on the comparison of the one or more spear phishing scores to the one or more spear phishing thresholds, generate one or more customized spear phishing training modules for the user of the first enterprise user device; and 
send, to the first enterprise user device, the one or more customized spear phishing training modules, wherein sending the one or more customized spear phishing training modules to the first enterprise user device causes the first enterprise user device to display the one or more customized spear phishing training modules.

Sadeh-Koniecpol discloses:
based on the comparison of the one or more spear phishing scores to the one or more spear phishing thresholds, (“An embodiment of a partial training needs model 6 based on simple threshold levels is illustrated in FIG. 7.” Sadeh-Koniecpol ¶ 63. See Sadeh-Koniecpol figure 7) generate one or more customized spear phishing training modules for the user of the first enterprise user device; (“A user may be identified as being at high risk for a number of different possible threat scenarios. In one embodiment, the policy manager 7 is responsible for consolidating the training needs identified for the user and for identifying a suitable and possibly prioritized collection of training actions, based on considerations such as the collection of training interventions available for addressing the collection of training needs identified by the model.” Sadeh-Koniecpol ¶ 64. Also ¶ 65)
send, to the first enterprise user device, the one or more customized spear phishing training modules, wherein sending the one or more customized spear phishing training modules to the first enterprise user device (“transmits the training intervention to the first processor if a need for training is indicated by the user input or action.” Sadeh-Koniecpol ¶ 70) causes the first enterprise user device to display the one or more customized spear phishing training modules. (“one or more computers, which may include:… iii. devices capable of delivering training interventions to users such as tablets 1002, laptop computers 1003, smart appliances 1006, smartphones 1007 and other types of output devices 1013.” Sadeh-Koniecpol ¶ 41-44 “The analysis host computer 1010 may also receive feedback, which may be in the form of additional user inputs, from user interaction with the training intervention and may further transmit additional training interventions or training intervention feedback to the user computing device (i.e., 1002, 1003, 1005, 1006, 1007, and 1008 illustrated in FIG. 3).” Sadeh-Koniecpol ¶ 70. Also ¶ 40)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Irimie with Sadeh-Koniecpol by incorporating the dynamic training generation based on user input of Sadeh-Koniecpol as the remedial training provided by Irimie (Irimie ¶ 177).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Irimie with Sadeh-Koniecpol in order to provide the user specific training suggested, but not elaborated upon, in Irimie ¶ 177, thereby providing a computer-based training system that is customized by user activity to provide the most relevant training to individual users.

As to claims 2, 15, Irimie in view of Sadeh-Koniecpol discloses the machine/method/CRM of claims 1, 14 and further discloses:
wherein the one or more first follow on simulated spear phishing messages are further generated based on temporal information detected from the first enterprise user device. (“campaign controller 250 may change the timing of messages sent to a user based on a user's actions in response to an action sent to the user by campaign controller 250.” Irimie ¶ 140. “information about a user that has interacted with a link, such as …, a time of the action, …. as a feedback loop to include behavior in serving module 230 which may inform things such as a next action in a template, a next template detail page, a next timing for sending a next message, etc.” Irimie ¶ 222)


As to claims 3, 16, Irimie in view of Sadeh-Koniecpol discloses the machine/method/CRM of claims 1, 14 and further discloses:
wherein the initial user interaction information indicates whether the user of the first enterprise user device performed one or more of: replied to the initial simulated spear phishing message, (“simulated phishing campaign manager can be configured to process reply emails received from one or more target clients 102 to determine the identities of the targets who sent the reply emails.” Irimie ¶ 234) forwarded the initial simulated spear phishing message, or deleted the initial simulated spear phishing message. (alternates not required)

As to claims 4, 17, Irimie in view of Sadeh-Koniecpol discloses the machine/method/CRM of claims 3, 16 and further discloses:
wherein the first additional user interaction information indicates whether the user of the first enterprise user device performed one or more of: replied to the one or more first follow on simulated spear phishing messages, (“simulated phishing campaign manager can be configured to process reply emails received from one or more target clients 102 to determine the identities of the targets who sent the reply emails.” Irimie ¶ 234. “an appropriate response generated by serving module 230 may include another copy of the link that was in a previous message. In some embodiments, an appropriate response generated by serving module 230 may include a new link for the user to interact with. In some embodiments, serving module 230 generates an appropriate response to the campaign recipient according to a model selected for the campaign recipient for the current campaign.” Irimie ¶ 143, a second message like the first.) forwarded the one or more first follow on simulated spear phishing messages, or deleted the one or more first follow on simulated spear phishing messages.

As to claim 7, Irimie in view of Sadeh-Koniecpol discloses the machine/method/CRM of claim 1 and further discloses:
wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: generate (“campaign controller 250 may create a template for an AIDA campaign as the campaign is running based on a user's actions in response to an action sent to the user by campaign controller 250. In some embodiments, campaign controller 250 may modify an existing template during an AIDA campaign based on a user's actions in response to an action sent to the user by campaign controller 250.” Irimie ¶ 140) the series of branching message templates (“a state machine progresses an AIDA campaign through each stage of a template, performing actions that need to be performed with timing that is associated with that template. For example, the stages of a template may be “send an email”, followed by “send a text”, followed by “call”.” Irimie ¶ 136), wherein generating the series of branching message templates comprises one or more of: generating, based on template input information, the series of branching message templates, or automatically generating the series of branching message templates based on one or more of: historical interaction information for the user of the first enterprise user device, (“based on a user's actions in response to an action sent to the user by campaign controller 250.” Irimie ¶ 140. “An AIDA system may use information found on social media. An AIDA system may use information from logs from previous simulated phishing campaigns, including all actions performed on a user and all user actions performed.” Irimie ¶ 80)  spear phishing training modules previously completed by the user of the first enterprise user device, or a job role of the user of the first enterprise user device. (“the choice of a template for a given user may be made based on user attributes” Irimie ¶ 136. 
“the data structure of the user information stored for each user in users storage 285 includes one or more of a user ID, a user email address, the account ID associated with a user, a user's name, a user's job title, a user's phone number, a user's mobile phone number, a user's location, what time zone a user is in, a user's division, a user's manager's name, a user's manager's email address” Irimie ¶ 132) 

As to claim 8, Irimie in view of Sadeh-Koniecpol discloses the machine/method/CRM of claim 7 and further discloses:
wherein the series of branching message templates are specific to an industry associated with the user of the first enterprise user device. (“An AIDA system may use information from industry profiles corresponding to an industry that a user's company is associated with.” Irimie ¶ 80).

As to claim 9, Irimie in view of Sadeh-Koniecpol discloses the machine/method/CRM of claim 1 and further discloses:
wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: dynamically update the series of branching message templates based on interactions of other users with other spear phishing training modules. (“An AIDA system may use information from many sources to create, train, and refine artificial intelligence models to create simulated phishing messages for users…. As examples, an AIDA system may extract information from the past efficiency of templates that have been used to phish users…. An AIDA system may use information from logs from previous simulated phishing campaigns, including all actions performed on a user and all user actions performed.” Irimie ¶ 80. “the system may adaptively learn the best method (e.g., set of steps) and/or the best combination of messages to get the user to perform the requested action, such as interacting with a hyperlink or opening a file. The learning process implemented by the system can be trained by observing the behavior of other users in the same company or in the same industry, by observing the behavior of all other users of the system, or by observing the behavior of a subset of other users in the system based on one or more attributes of the subset of other users meeting one or more selected criteria.” Irimie ¶ 78)

As to claim 10, Irimie in view of Sadeh-Koniecpol discloses the machine/method/CRM of claim 1 and further discloses:
send, to a second enterprise user device, the initial simulated spear phishing message; monitor the second enterprise user device to detect temporal information for the second enterprise user device; generate, based on the temporal information and using the series of branching message templates, one or more second follow on simulated spear phishing messages; and send, to the second enterprise user device, the one or more second follow on simulated spear phishing messages.
(see citations in claim 1. The system of Irimie operates on a plurality of users: “An AIDA system may use information from many sources to create, train, and refine artificial intelligence models to create simulated phishing messages for users.” Irimie ¶ 80. See also claim 1 of Irimie).

As to claim 11, Irimie in view of Sadeh-Koniecpol discloses the machine/method/CRM of claim 10 and further discloses:
wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: receive, from the second enterprise user device, second additional user interaction information; and compute, based on the temporal information and the second additional user interaction information, one or more spear phishing scores corresponding to the user of the second enterprise user device. (see claim 1, multiple responses from users as seen in ¶¶ 140, 143, 145. “the simulated phishing campaign manager 251 may include data collected from targets, records of failures such as a listing of which targets replied to a simulated phishing email, systemic or other security measures in place during the simulated phishing attacks…. this analysis may include determining which users are a security risk based on having a number of failures above a predetermined threshold,” Irimie ¶ 233)

As to claim 12, Irimie in view of Sadeh-Koniecpol discloses the machine/method/CRM of claim 11 and further discloses:
wherein comparing the one or more spear phishing scores to the one or more spear phishing thresholds comprises comparing the one or more spear phishing scores corresponding to the user of the first enterprise user device and the one or more spear phishing scores corresponding to the user of the second enterprise user device to the one or more spear phishing thresholds. (see claim 1, multiple responses from users as seen in ¶¶ 140, 143, 145. “the simulated phishing campaign manager 251 may include data collected from targets, records of failures such as a listing of which targets replied to a simulated phishing email, systemic or other security measures in place during the simulated phishing attacks…. this analysis may include determining which users are a security risk based on having a number of failures above a predetermined threshold,” Irimie ¶ 233. See also Sadeh-Koniecpol ¶¶ 64 and 65).

As to claim 13, Irimie in view of Sadeh-Koniecpol discloses the machine/method/CRM of claim 12 and further discloses:
wherein the one or more spear phishing scores corresponding to the user of the first enterprise user device include one or more of: a user specific score, (“this analysis may include determining which users are a security risk based on having a number of failures above a predetermined threshold,” Irimie ¶ 233. “An embodiment of a partial training needs model 6 based on simple threshold levels is illustrated in FIG. 7.” Sadeh-Koniecpol ¶ 63) a group specific score, or an organization specific score. (non-required alternatives).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Sadeh-Koniecpol et al., US 2014/0199663, disclosing notifying a user that they fell for a phishing communication.
Fritzon et al., US 2012/0124671, discloses testing and awareness systems for phishing threats. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/           Examiner, Art Unit 2492