Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This action is in response to communication filed on 10/6/2022. 
Claims 1-6 and 8-20 are pending.
Claims 1 and 17 have been amended. 
Claim 7 has been canceled.

Response to Arguments
Applicant's argument(s) filed on 10/6/2022 with respect to claim(s) 1 and 17 have been fully considered but they are not persuasive. 
In the communication field, applicant argues in substance that:
a. Regarding claim(s) 1 and 17, Applicant argues (Remark page(s) 10-11)
“Independent claim 1 has been amended to recite subject matter from dependent claim 7, which has been cancelled accordingly. the test parameters are each based on a response to a previous phishing email. Applicant respectfully submits that Hadnagy fails to disclose these features.”
In response to argument [a], Examiner respectfully disagrees.
HADNAGY teaches this interpretation because “[0101], if user 123 either clicked on the phishing message or did not report the phishing message, then user 123 fails and is provided educational information and training. [0102], the same process is then performed for user 125, and the difficulty rating (parameters) will increase if user 125 passes but does not increase if user 125 fails. [0094], FIG. 2 shows a general diagram of the major elements used to perform the process of FIG. 1. A testing system 110 has an email server 111 capable of communicating with other computing devices via email. It also has a control device 113 which controls the functioning of the testing system 110. The testing system 110 is capable of acquiring and categorizing messages according to difficulty level. It is also capable of modifying existing messages to modify them to cause them to be in a desired difficulty level.”

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

1.	Claim 1 is rejected under 35 U.S.C. 102(a)(1) as being anticipated by HADNAGY (US20160330238 A1).
With respect to independent claims:
Regarding claim(s) 1, HADNAGY teaches a method for generating test phishing emails with a target difficulty level, comprising: in an information processing apparatus comprising at least one computer processor: (HADNAGY, [0007])
receiving a target difficulty level, a target population, and a plurality of parameters for a test phishing email, (HADNAGY, [0066], therefore, as indicated above, greeting type, spelling, grammar, email address of sender, message content, and use of personal information are parameters used to create phish messages of varying levels of difficulty. The higher the level, the more authentic the message appears.) 
the target population based on a response to a prior phishing email, and the plurality of parameters based on the response to a prior phishing email; (HADNAGY, [0101], if user 123 either clicked on the phishing message or did not report the phishing message, then user 123 fails and is provided educational information and training. [0102], the same process is then performed for user 125, and the difficulty rating (parameters) will increase if user 125 passes but does not increase if user 125 fails. [0094], FIG. 2 shows a general diagram of the major elements used to perform the process of FIG. 1. A testing system 110 has an email server 111 capable of communicating with other computing devices via email. It also has a control device 113 which controls the functioning of the testing system 110. The testing system 110 is capable of acquiring and categorizing messages according to difficulty level. It is also capable of modifying existing messages to modify them to cause them to be in a desired difficulty level.)
selecting a plurality of test email components from a library of test email components based on the parameters and the target difficulty level; (HADNAGY, [0094], FIG. 2 shows a general diagram of the major elements used to perform the process of FIG. 1. A testing system 110 has an email server 111 capable of communicating with other computing devices via email. It also has a control device 113 which controls the functioning of the testing system 110. The testing system 110 is capable of acquiring and categorizing messages according to difficulty level. It is also capable of modifying existing messages to modify them to cause them to be in a desired difficulty level.)
generating the test phishing using the selected test email components, wherein the test phishing email comprises at least one of a hyperlink and an attachment; and (HADNAGY, [0095], the testing system 110 also is capable of storing an identification of a user and the user's current difficulty level. Initially this is set to an initial level, as indicated in FIG. 1, block 25. [0096], the control device can request Company Data from the company system 120. A system administrator 127 of company system 120 sends the company data which includes electronic message addresses for users at the company intended to be tested to testing system 110 which stores the information. [0005], the present invention relates to training and services relating to corporate security and more specifically to training and services relating to compromising corporate information security by opening electronic messages and either clicking on a malicious link or attachment.)
disseminating the test phishing email to the target population. (HADNAGY, [0095], the testing system 110 also is capable of storing an identification of a user and the user's current difficulty level. Initially this is set to an initial level, as indicated in FIG. 1, block 25. [0096], the control device can request Company Data from the company system 120. A system administrator 127 of company system 120 sends the company data which includes electronic message addresses for users at the company intended to be tested to testing system 110 which stores the information.)

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


2.	Claim(s) 2-6, 8, 11-14, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over HADNAGY (US20160330238 A1) in view of Irimie et al (US 20190173919 A1).
With respect to independent claims:
Regarding claim(s) 17, HADNAGY teaches a system for generating test phishing emails with a target difficulty level, comprising: an electronic device comprising at least one computer processor and executing a computer program; (HADNAGY, [0007])
a first database comprising a library of email components; (HADNAGY, [0079], as indicated in the “Setup” phase above, phishing messages are created with each having a different difficulty level based upon the “levels” indicated above. In block 30, the information about the company and its users is entered into the system. This will include the email addresses of each of the users to be tested. The phishing messages (email components) that have been created/acquired and their associated levels are also stored in the system.)
a second database comprising organizational information for an organization; and (HADNAGY, [0089], if a report is due, all findings are reported to the client in block 60. This report will have information and a format as requested by/negotiated with the company/client in block 15. The report may include the phishing messages sent, the users who received them, the users who passed, those who did not pass, education provided, current level of each user, summaries of those users having the lowest/highest levels, users failing/passing the most tests, statistical distributions, or other information which the company would find helpful.)
a third database comprising a phishing difficulty algorithm; (HADNAGY, [0066], therefore, as indicated above, greeting type, spelling, grammar, email address of sender, message content, and use of personal information are parameters used to create phish messages of varying levels of difficulty. The higher the level, the more authentic the message appears.)
wherein: the computer program receives a target difficulty level, a target population from the organizational information, and a plurality of parameters for a test phishing email; (HADNAGY, [0066], therefore, as indicated above, greeting type, spelling, grammar, email address of sender, message content, and use of personal information are parameters used to create phish messages of varying levels of difficulty. The higher the level, the more authentic the message appears.)
the computer program generates the test phishing using the selected test email components, wherein the test phishing email comprises at least one of a hyperlink and an attachment; (HADNAGY, [0095], the testing system 110 also is capable of storing an identification of a user and the user's current difficulty level. Initially this is set to an initial level, as indicated in FIG. 1, block 25. [0096], the control device can request Company Data from the company system 120. A system administrator 127 of company system 120 sends the company data which includes electronic message addresses for users at the company intended to be tested to testing system 110 which stores the information. [0005], the present invention relates to training and services relating to corporate security and more specifically to training and services relating to compromising corporate information security by opening electronic messages and either clicking on a malicious link or attachment.)
the target population based on a response to a prior phishing email, and the plurality of parameters based on the response to a prior phishing email; (HADNAGY, [0101], if user 123 either clicked on the phishing message or did not report the phishing message, then user 123 fails and is provided educational information and training. [0102], the same process is then performed for user 125, and the difficulty rating will increase if user 125 passes but does not increase if user 125 fails. [0094], FIG. 2 shows a general diagram of the major elements used to perform the process of FIG. 1. A testing system 110 has an email server 111 capable of communicating with other computing devices via email. It also has a control device 113 which controls the functioning of the testing system 110. The testing system 110 is capable of acquiring and categorizing messages according to difficulty level. It is also capable of modifying existing messages to modify them to cause them to be in a desired difficulty level.)
the computer program disseminates the test phishing email to the target population; (HADNAGY, [0095], the testing system 110 also is capable of storing an identification of a user and the user's current difficulty level. Initially this is set to an initial level, as indicated in FIG. 1, block 25. [0096], the control device can request Company Data from the company system 120. A system administrator 127 of company system 120 sends the company data which includes electronic message addresses for users at the company intended to be tested to testing system 110 which stores the information.)
However, the prior art fails to teach using a trained machine learning model, the computer program selects a plurality of test email components from the library of test email components based on the parameters and the target difficulty level and using the phishing difficulty algorithm; the computer program monitors a response to the test phishing email from the target population; the computer program identifies one or more automated action to take based on the response of at least one user in the target population; and the computer program executes the automated action.
Irimie et al teach using a trained machine learning model, the computer program selects a plurality of test email components from the library of test email components based on the parameters and the target difficulty level and using the phishing difficulty algorithm; (Irimie, [0018], FIG. 2A depicts an implementation of some of the architecture of an implementation of a system capable of performing artificial intelligence driven simulated phishing attack campaigns as part of a security awareness system; [0089], the simulated phishing campaign module 251 may be integrated with or coupled to memory 122. In some embodiments, the memory may include any type and form of storage, such as a database or file system. The memory 122 may store data such as parameters and scripts corresponding to the choices made by a server 106 through a simulated phishing campaign manager 251, e.g. as described above for a particular simulated phishing attack. [0077], a system can be configured to send multiple simulated phishing emails, text messages, phone calls (e.g. via VoIP) and Internet based communications, varying the quantity, frequency, type, level of sophistication (difficulty level), content, timing, and combination of messages using machine learning algorithms (phishing difficulty algorithm) or other forms of artificial intelligence.)
the computer program monitors a response to the test phishing email from the target population; (Irimie, [0078], the system may adaptively learn the best method (e.g., set of steps) and/or the best combination of messages to get the user to perform the requested action, such as interacting with a hyperlink or opening a file. The learning process implemented by the system can be trained by observing the behavior of other users in the same company or in the same industry, by observing the behavior of all other users of the system, or by observing the behavior of a subset of other users in the system based on one or more attributes of the subset of other users meeting one or more selected criteria.)
the computer program identifies one or more automated action to take based on the response of at least one user in the target population; and the computer program executes the automated action. (Irimie, [0079], the system can record when and how the action was performed and can produce reports about the actions. The reports can track the number of users the simulated messages were sent to, whether messages were successfully delivered, whether a user performed a requested action, when a requested action was performed, and a combination and timing of messages that induced a user to perform a requested action. In some implementations, the system may provide training on why a user should not have performed a requested action at the time that the user performs the requested action.)
Therefore, it would have been obvious to a person of ordinary skill to use using a trained machine learning model, the computer program selects a plurality of test email components from the library of test email components based on the parameters and the target difficulty level and using the phishing difficulty algorithm; the computer program monitors a response to the test phishing email from the target population; the computer program identifies one or more automated action to take based on the response of at least one user in the target population; and the computer program executes the automated action as taught by Irimie et al. The motivation/suggestion would have been because there is a need for artificial intelligence driven security awareness systems for performing simulated phishing attacks. Additionally, the cited references are in the field of communication, as is the current application, and thus, are in analogous arts.

With respect to dependent claims:
Regarding claim(s) 2, HADNAGY-Irimie teaches the method of claim 1, wherein the difficulty level is selected using a phishing difficulty algorithm. (HADNAGY, claim 18. The on-line service of claim 16 wherein the difficulty levels of phish messages are determined by at least one of: 
a. impersonal versus personal greetings and closings;
b. misspelling;
c. incorrect grammar;
d. improbable pretext;
e. incorrect links in the body of the phish message;
f. incorrect origin email address; and
g. unknown sender name.)

Regarding claim(s) 3, HADNAGY-Irimie teaches the method of claim 1, wherein the plurality of parameters may include at least one of a delivery time, a day of delivery, and an email component to test. (Irimie, [0077] A system can be configured to send multiple simulated phishing emails, text messages, phone calls (e.g. via VoIP) and Internet based communications, varying the quantity, frequency, type, sophistication, content, timing, and combination of messages using machine learning algorithms or other forms of artificial intelligence. Such a system may be referred to as an artificial intelligence driven agent system, or AIDA system, or simply a system. The set of phishing emails, text messages, and/or phone calls may be referred to as a simulated phishing campaign. In some implementations, some or all messages (email, text messages, VoIP calls, Internet based communications) in a simulated phishing campaign after the first simulated phishing message may be used to direct the user to open the first simulated phishing message, or to open the latest simulated phishing message. In some implementations, simulated phishing messages of a campaign may be intended to lure the user to perform a different requested action, such as selecting a hyperlink in an email or text message, or returning a voice call.)

Regarding claim(s) 4, HADNAGY-Irimie teaches the method of claim 1, wherein the test email components are selected using a trained machine learning model. (Irimie, [0077] A system can be configured to send multiple simulated phishing emails, text messages, phone calls (e.g. via VoIP) and Internet based communications, varying the quantity, frequency, type, sophistication, content, timing, and combination of messages using machine learning algorithms or other forms of artificial intelligence. Such a system may be referred to as an artificial intelligence driven agent system, or AIDA system, or simply a system. The set of phishing emails, text messages, and/or phone calls may be referred to as a simulated phishing campaign. In some implementations, some or all messages (email, text messages, VoIP calls, Internet based communications) in a simulated phishing campaign after the first simulated phishing message may be used to direct the user to open the first simulated phishing message, or to open the latest simulated phishing message. In some implementations, simulated phishing messages of a campaign may be intended to lure the user to perform a different requested action, such as selecting a hyperlink in an email or text message, or returning a voice call.)

Regarding claim(s) 5, HADNAGY-Irimie teaches the method of claim 1, wherein a subject of the test phishing email is selected based on a job function for the target population of the test phishing email. (Irimie, [0092], the simulated phishing message generator 253 can retrieve this information from the memory 122 and can generate a set of emails similar to the email, each addressed to a respective target identified in the information stored in the memory 122. That is, the simulated phishing message generator 253 can generate the emails such that the “From:” and “Subject:” fields of each email are identical, while the “To:” field is adjusted according to the desired targets.)

Regarding claim(s) 6, HADNAGY-Irimie teaches the method of claim 1, wherein the target population is identified based on a job function. (Irimie, [0092], the simulated phishing message generator 253 can retrieve this information from the memory 122 and can generate a set of emails similar to the email, each addressed to a respective target identified in the information stored in the memory 122. That is, the simulated phishing message generator 253 can generate the emails such that the “From:” and “Subject:” fields of each email are identical, while the “To:” field is adjusted according to the desired targets.)

Regarding claim(s) 8, HADNAGY-Irimie teaches the method of claim 1, further comprising: monitoring a response to the test phishing email from the target population; identifying one or more automated action to take based on the response of at least one user in the target population; and executing the automated action. (Irimie, [0140], campaign controller 250 may create a template for an AIDA campaign as the campaign is running based on a user's actions in response to an action sent to the user by campaign controller 250. In some embodiments, campaign controller 250 may modify an existing template during an AIDA campaign based on a user's actions in response to an action sent to the user by campaign controller 250. In some embodiments, campaign controller 250 may change the order of actions in the template based on a user's actions in response to an action sent to the user by campaign controller 250. In some embodiments campaign controller 250 may change the content of messages described by the template detail pages and to be sent to a user, based on a user's actions in response to an action sent to the user by campaign controller 250.)

Regarding claim(s) 11, HADNAGY-Irimie teaches the method of claim 8, wherein the automated action is identified in response to a test threshold is reached. (Irimie, [0233], this analysis may include determining which users are a security risk based on having a number of failures above a predetermined threshold, whether certain security systems in place are effective by e.g. correlating the presence of such security systems with a lower than average incidence of failures. The simulated phishing campaign manager may allow an attack manager to view, on a graphical user interface, for example a timeline of overall failure rates, which may be useful in helping to determine whether a security policy that was instituted at a particular time was effective in improving security.)

Regarding claim(s) 12, HADNAGY-Irimie teaches the method of claim 11, wherein the test threshold is based on a security level access for the user and a user susceptibility level. (Irimie, [0233], this analysis may include determining which users are a security risk based on having a number of failures above a predetermined threshold, whether certain security systems in place are effective by e.g. correlating the presence of such security systems with a lower than average incidence of failures. The simulated phishing campaign manager may allow an attack manager to view, on a graphical user interface, for example a timeline of overall failure rates, which may be useful in helping to determine whether a security policy that was instituted at a particular time was effective in improving security.)

Regarding claim(s) 13, HADNAGY-Irimie teaches the method of claim 8, wherein the automated action comprises generating and sending a second test phishing email. (Irimie, [0140], campaign controller 250 may create a template for an AIDA campaign as the campaign is running based on a user's actions in response to an action sent to the user by campaign controller 250. In some embodiments, campaign controller 250 may modify an existing template during an AIDA campaign based on a user's actions in response to an action sent to the user by campaign controller 250. In some embodiments, campaign controller 250 may change the order of actions in the template based on a user's actions in response to an action sent to the user by campaign controller 250. In some embodiments campaign controller 250 may change the content of messages described by the template detail pages and to be sent to a user, based on a user's actions in response to an action sent to the user by campaign controller 250.)

Regarding claim(s) 14, HADNAGY-Irimie teaches the method of claim 8, wherein the automated action comprises providing the user with additional training. (Irimie, [0079], the system can record when and how the action was performed and can produce reports about the actions. The reports can track the number of users the simulated messages were sent to, whether messages were successfully delivered, whether a user performed a requested action, when a requested action was performed, and a combination and timing of messages that induced a user to perform a requested action. In some implementations, the system may provide training on why a user should not have performed a requested action at the time that the user performs the requested action.)

Regarding claim(s) 16, HADNAGY-Irimie teaches the method of claim 8, further comprising: updating a machine learning model based on the responses. (Irimie, [0181], Referring to FIG. 3 in a general overview, FIG. 3 depicts an embodiment of a system 300 used for creating, updating, and managing models, such as artificial intelligence or machine learning models, for use in AIDA simulated phishing campaigns. [0140], campaign controller 250 may create a template for an AIDA campaign as the campaign is running based on a user's actions in response to an action sent to the user by campaign controller 250. In some embodiments, campaign controller 250 may modify an existing template during an AIDA campaign based on a user's actions in response to an action sent to the user by campaign controller 250. In some embodiments, campaign controller 250 may change the order of actions in the template based on a user's actions in response to an action sent to the user by campaign controller 250. In some embodiments campaign controller 250 may change the content of messages described by the template detail pages and to be sent to a user, based on a user's actions in response to an action sent to the user by campaign controller 250.)

3.	Claim(s) 10 are rejected under 35 U.S.C. 103 as being unpatentable over HADNAGY (US20160330238 A1) in view of Kras (US 20210075828 A1).
Regarding claim(s) 10, the prior art fails to teach the method of claim 9, further comprising: tracking hovers over test email components in the test phishing email. (Kras [0078], simulated phishing campaign manager 210 includes interaction identification manager 205, which is configured to identify interactions of users 102 of entity 101 with simulated phishing messages. In embodiments, interaction identification manager 205 is configured to record user interactions with simulated phishing messages, for example when a user clicks or hovers over a link in a simulated phishing message, downloads and/or opens an attachment of a simulated phishing message, forwards a simulated phishing message, replies to a simulated phishing message, or performs any other interaction with a simulated phishing message that is considered by phishing message interaction manager 205 to be a failure.)
Therefore, it would have been obvious to a person of ordinary skill to use tracking hovers over test email components in the test phishing email as taught by Kras. The motivation/suggestion would have been because there is a need for the simulated phishing attack system to train the user to recognize very sophisticated attack vectors. Additionally, the cited references are in the field of communication, as is the current application, and thus, are in analogous arts.

4.	Claim(s) 15 are rejected under 35 U.S.C. 103 as being unpatentable over HADNAGY (US20160330238 A1) in view of Wescoe et al (US 20190173819 A1).
Regarding claim(s) 15, the prior art fails to teach the method of claim 8, wherein the automated action comprises sandboxing a user email inbox. (Wescoe, [0052], the token may include a unique predetermined or calculated value that would be verifiable by the messaging client and the cybersecurity analyzer server, but not to other services such as a sandbox that may intercept the simulated malicious message before it reaches the intended recipient.)
Therefore, it would have been obvious to a person of ordinary skill to use wherein the automated action comprises sandboxing a user email inbox as taught by Wescoe et al. The motivation/suggestion would have been because there is a need to help identify whether a simulated malicious message has reached an intended recipient, or whether the message has been forwarded to or otherwise been acted upon by someone else. Additionally, the cited references are in the field of communication, as is the current application, and thus, are in analogous arts.

5.	Claim(s) 19 are rejected under 35 U.S.C. 103 as being unpatentable over HADNAGY (US20160330238 A1) in view of Irimie et al (US 20190173919 A1) in view of Kras (US 20210075828 A1).
Regarding claim(s) 19, Kras teaches the system of claim 17, wherein the computer program tracks hovers over test email components in the test phishing email. (Kras [0078], simulated phishing campaign manager 210 includes interaction identification manager 205, which is configured to identify interactions of users 102 of entity 101 with simulated phishing messages. In embodiments, interaction identification manager 205 is configured to record user interactions with simulated phishing messages, for example when a user clicks or hovers over a link in a simulated phishing message, downloads and/or opens an attachment of a simulated phishing message, forwards a simulated phishing message, replies to a simulated phishing message, or performs any other interaction with a simulated phishing message that is considered by phishing message interaction manager 205 to be a failure.)
Therefore, it would have been obvious to a person of ordinary skill to use tracking hovers over test email components in the test phishing email as taught by Kras. The motivation/suggestion would have been because there is a need for the simulated phishing attack system to train the user to recognize very sophisticated attack vectors. Additionally, the cited references are in the field of communication, as is the current application, and thus, are in analogous arts.

6.	Claim(s) 20 are rejected under 35 U.S.C. 103 as being unpatentable over HADNAGY (US20160330238 A1) in view of Irimie et al (US 20190173919 A1) in view of Wescoe et al (US 20190173819 A1).
Regarding claim(s) 20, Wescoe et al teach the system of claim 17, wherein the automated action comprises sandboxing a user email inbox. (Wescoe, [0052], the token may include a unique predetermined or calculated value that would be verifiable by the messaging client and the cybersecurity analyzer server, but not to other services such as a sandbox that may intercept the simulated malicious message before it reaches the intended recipient.)
Therefore, it would have been obvious to a person of ordinary skill to use wherein the automated action comprises sandboxing a user email inbox as taught by Wescoe et al. The motivation/suggestion would have been because there is a need to help identify whether a simulated malicious message has reached an intended recipient, or whether the message has been forwarded to or otherwise been acted upon by someone else. Additionally, the cited references are in the field of communication, as is the current application, and thus, are in analogous arts.

7.	Claim(s) 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over HADNAGY (US20160330238 A1) in view of Irimie et al (US 20190173919 A1) in view of O'Brien et al (US 20180219830 A1).
Regarding claim(s) 8, Irimie et al teach the method of claim 8, wherein monitoring a response to the test phishing email from the target population comprises: for each user in the target population, tracking whether the test phishing email was opened and at least one of a type of device used to open the test phishing email, a user location when the test email was opened, whether the user clicked on the hyperlink or attachment, (Irimie, [0077], such a system may be referred to as an artificial intelligence driven agent system, or AIDA system, or simply a system. The set of phishing emails, text messages, and/or phone calls may be referred to as a simulated phishing campaign. In some implementations, some or all messages (email, text messages, VoIP calls, Internet based communications) in a simulated phishing campaign after the first simulated phishing message may be used to direct the user to open the first simulated phishing message, or to open the latest simulated phishing message. In some implementations, simulated phishing messages of a campaign may be intended to lure the user to perform a different requested action, such as selecting a hyperlink in an email or text message, or returning a voice call. [0078], the system may adaptively learn the best method (e.g., set of steps) and/or the best combination of messages to get the user to perform the requested action, such as interacting with a hyperlink or opening a file. The learning process implemented by the system can be trained by observing the behavior of other users in the same company or in the same industry, by observing the behavior of all other users of the system, or by observing the behavior of a subset of other users in the system based on one or more attributes of the subset of other users meeting one or more selected criteria. [0132], the security awareness system 280 includes a storage for users 285. 
In some embodiments, the data structure of the user information stored for each user in users storage 285 includes one or more of a user ID, a user email address, the account ID associated with a user, a user's name, a user's job title, a user's phone number, a user's mobile phone number, a user's location, what time zone a user is in, a user's division, a user's manager's name, a user's manager's email address, a user's employee number, a user's gender, and the date and time that a user's record was created and/or updated. [0028], a “user identifier” is any identifier that is associated with and can be used to uniquely identify an intended or alternate recipient of a message, such as a user ID, a device ID for an electronic device that is associated with the recipient or the recipient's account (as stored in a data store that is available to the system), a client ID for a messaging client or other software application that is associated with the recipient or the recipient's account, or another unique identifier that directly or indirectly identifies the recipient.)
However, the prior art fails to teach "and an amount of time spent reviewing the test phishing email."
O'Brien et al teach an amount of time spent reviewing the test phishing email. (O'Brien, [0066] In embodiments, tracking email activity and events may include recording activity and events associated with email content. Email content may include links to other content, such as other Internet resources (e.g., URLs and the like), tags that may be embedded in an email via tracking and activity pixels, and the like, as may be described elsewhere herein. Such tracking pixels may facilitate determining a duration of interaction, determining when an email is forwarded, determining when an email is printed, determining when a link is followed, determining when an attachment is opened, determining whether an embedded advertisement is viewed, and the like.)
Therefore, it would have been obvious to a person of ordinary skill to use an amount of time spent reviewing the test phishing email as taught by O'Brien et al. The motivation/suggestion would have been because there is a need to enable management and execution of electronic message campaigns while appropriately managing challenges presented by spam filters, black lists, and domain blocking technologies, and that includes elements for managing an electronic message campaign based on dynamic conditions, quality measures, engagement factors, and other measures, factors and conditions. Additionally, the cited references are in the field of communication, as is the current application, and thus, are in analogous arts.

Regarding claim(s) 18, HADNAGY-Irimie- O'Brien teaches the system of claim 17, wherein, for each user in the target population, the computer program tracks whether the test phishing email was opened and at least one of a type of device used to open the test phishing email, a user location when the test email was opened, whether the user clicked on the hyperlink or attachment, (Irimie, [0077], such a system may be referred to as an artificial intelligence driven agent system, or AIDA system, or simply a system. The set of phishing emails, text messages, and/or phone calls may be referred to as a simulated phishing campaign. In some implementations, some or all messages (email, text messages, VoIP calls, Internet based communications) in a simulated phishing campaign after the first simulated phishing message may be used to direct the user to open the first simulated phishing message, or to open the latest simulated phishing message. In some implementations, simulated phishing messages of a campaign may be intended to lure the user to perform a different requested action, such as selecting a hyperlink in an email or text message, or returning a voice call. [0078], the system may adaptively learn the best method (e.g., set of steps) and/or the best combination of messages to get the user to perform the requested action, such as interacting with a hyperlink or opening a file. The learning process implemented by the system can be trained by observing the behavior of other users in the same company or in the same industry, by observing the behavior of all other users of the system, or by observing the behavior of a subset of other users in the system based on one or more attributes of the subset of other users meeting one or more selected criteria. [0132], the security awareness system 280 includes a storage for users 285. 
In some embodiments, the data structure of the user information stored for each user in users storage 285 includes one or more of a user ID, a user email address, the account ID associated with a user, a user's name, a user's job title, a user's phone number, a user's mobile phone number, a user's location, what time zone a user is in, a user's division, a user's manager's name, a user's manager's email address, a user's employee number, a user's gender, and the date and time that a user's record was created and/or updated.)
and an amount of time spent reviewing the test phishing email. (O'Brien, [0066], tracking email activity and events may include recording activity and events associated with email content. Email content may include links to other content, such as other Internet resources (e.g., URLs and the like), tags that may be embedded in an email via tracking and activity pixels, and the like, as may be described elsewhere herein. Such tracking pixels may facilitate determining a duration of interaction, determining when an email is forwarded, determining when an email is printed, determining when a link is followed, determining when an attachment is opened, determining whether an embedded advertisement is viewed, and the like.)

Conclusion
THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WUJI CHEN whose telephone number is (571)270-0365.  The examiner can normally be reached on 9am-6pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SRIVASTAVA VIVEK can be reached on (571) 272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/WUJI CHEN/
Examiner, Art Unit 2449

/VIVEK SRIVASTAVA/
Supervisory Patent Examiner, Art Unit 2449