DETAILED ACTION

Notice of Pre-AIA  or AIA  Status

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Continued Examination Under 37 CFR 1.114

2. 	A request for continued examination under 37 GFR 1.114, including the fee set forth in 37 GFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 GFR 1,114, and the fee set forth in 37 GFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 GFR 1,114. Applicant's submission filed on 11/07/2022 has been entered.

Remarks
3.	 Pending claims for consideration are claims 1-20. Applicant has amended claims 1, 8, and 15 have been amended. 


Response to Arguments
4. 	Applicant's arguments filed 11/07/2022 have been fully considered, but they are not persuasive.
	In the remark’s applicant argues in substance:
a.	That – Gibson, Baikalov and Varghese, taken singly or in combination, do not disclose or suggest the security risk assessment includes taking into account a risk score associated with the user, the risk score associated with the user changing over time, the assigning the group security policy changing an assigned group security policy from the plurality of group security policies as the risk score changes over time, as required by claims 1, 8 and 15.
In response to applicant’s argument – The combination of Gibson, GANPATRAO, and Harris disclose in its broadest most reasonable interpretation in light of the applicants specification “the security risk assessment includes taking into account a risk score associated with the user, the risk score associated with the user changing over time, the assigning the group security policy changing an assigned group security policy from the plurality of group security policies as the risk score changes over time. As explained below in the 103 rejection GANPATRAO discloses “the security risk assessment includes taking into account a risk score associated with the user” in paragraph 0025 which teaches that “enabling risk scores to be determined for each threat indicator, and by enabling the risk scores to be aggregated and combined to determine a composite threat score as a weighted probability of all associated threat indicators for a user.” GANPATRAO additionally teaches “the risk score associated with the user changing over time” in paragraph 0009 which details that a composite (i.e. made up of various changing parts)  risk score which is compared by a threshold that’s compared with changing threats over time. GANPATRAO again teaches “the assigning the group security policy changing an assigned group security policy from the plurality of group security policies as the risk score changes over time” in paragraph 0044-45 that a normalization formula is utilized within the policy in regards to a change in underlying raw risk scores, and parameters can be recalculated when the new risk vector is added or risk landscape has changed significantly and changes such as adding or removing entities to the enterprise or to significant changes in entity risk score.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


5.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 9,246,941 B1 to Gibson et al (hereafter referenced as Gibson) in view of WO 2016/123528 A1 to BAIKALOV IGOR, GULATI TANUJ, NAYAR SACHIN, SHENOY ANJANEYA, PATWARDHAN GANPATRAO H et al (hereafter referenced as GANPATRAO), in further view of European Patent EP 1,875,653 B1 to Thomas Varghese, Jon Bryan Fisher, Steven Lucas Harris, and Don Durai (hereafter referenced as Harris).
Regarding claim 1, Gibson discloses “a computer-implemented method for assigning security policy to a user, comprising: providing a plurality of group security policies” (plurality of group security policies, prediction information and behavior information within database 120 [Fig.1]) , “wherein one or more of the plurality of group security policies have different levels of security enforcement” (security policy enforcer comprising predicting module level and security policy levels[Fig.2/item 210]) ; “assigning a group security policy from the plurality of group security policies to the user based on a comparison of the security risk assessment for the user with the security risk assessments associated with the group security policies” (correlating the impact of security policy 220 across groups of associated users [Col.9/lines 17-21]), “the comparison determining when the security risk assessment are within a set of predetermined limits associated with a particular user group” (predicting module 106 may use these determinations to predict (e.g., by correlating the impact of security policy 220 across groups of associated users) how activating security policy 220 on end-user computing systems 202(1)-(N) may impact future user behavior), “and communicating the assigned group security policy over an electronic communication network (network [Fig.2/item204])  to an endpoint device (end user computing system [Fig.2/item (202)]) operated by the user for automatic enforcement of the group security policy at the endpoint device” (enforcement of policy is communicated to on end user device [Col.9/lines 21-33]) via identifying module, predicting module , notifying module, and activating module [Fig.1/item 102]).
Gibson does not explicitly disclose “receiving a security risk assessment for the user; assigning the user to a user group, the user group being one of a plurality of user groups, each of the plurality of user groups being associated with common risk assessments, each of the plurality of user groups being associated with predetermined risk assessment limits, the security risk assessment includes taking into account a risk score associated with the user, the risk score associated with the user changing over time, the assigning the group security policy changing an assigned group security policy from the plurality of group security policies as the risk score changes over time.
However, GANPATRAO in an analogous art discloses “receiving a security risk assessment for the user.” (a risk scoring threat assessment in which a singular risks 112 and composite risks 130 attributed to a specific entity such as a user, an application or a system may be used to determine entity risks 140 for such entities (GANPATRAO [par.0037]) by way of a scoring system via threat indicators (GANPATRAO [par.0008]), “assigning the user to a user group, the user group being one of a plurality of user groups”  (entity risks may further be aggregated to determine the organizational risk 150 for departments or groups GANPATRAO [par.0024]) , “each of the plurality of user groups being associated with common risk assessments , each of the plurality of user groups being associated with predetermined risk assessment limits” (risks are associated with privileged access, high risk user groups and access to critical assets, and with inherent risk associated with such risk boosters as contractors and vendors GANPATRAO [par.0037]), “the security risk assessment includes taking into account a risk score associated with the user” (the invention affords a method for accomplishing this by enabling risk scores to be determined for each threat indicator, and by enabling the risk scores to be aggregated and combined to determine a composite threat score as a weighted probability of all associated threat indicators, as will be described below GANPATRAO [par,0025]), “the risk score associated with the user changing over time”(a composite (i.e. made up of various changing parts)  risk score which is compared by a threshold that’s compared with changing threats over time GANPATRAO [par.0009]) , “the assigning the group security policy changing an assigned group security policy from the plurality of group security policies as the risk score changes over time” (a normalization formula is utilized within the policy  in regards to a change in underlying raw risk scores, and parameters can be recalculated when the new risk vector is added or risk landscape has changed significantly and changes such as adding or removing entities to the enterprise or to significant changes in entity risk score GANPATRAO [par.0044-0045]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gibson’s security policy with Young’s risk scoring threat assessment. One of ordinary skill in the art would have been motivated to combine Gibson’s security policy which comprises prediction behavior information of a user and GANPATRAO’s  risk assessment because both utilize a security policy system which predicts a security risk of a user and both are from the same field of endeavor.
Neither Gibson nor GANPATRAO explicitly disclose “each of the plurality of group security policies is configured for a group of users having similar security risk assessments”, and the different levels of security enforcement include different levels of automated control of one or more of access to electronic documents of a secured network system, and access to electronic resources of a secured network system.”
However, Harris in an analogous art discloses “each of the plurality of group security policies is configured for a group of users having similar security risk assessments (security policy configured for In group devices [par.0071] see also table 7 sample policy data for in group devices [pg.15]), “and the different levels of security enforcement include different levels of automated control of one or more of access to electronic documents of a secured network system”(the rules engine automatically determines what modules to run during a policy authorization [par.0072]), “and access to electronic resources of a secured network system.” (user and device based robust fraud monitoring and detection along with robust fraud analysis and risk assessment to give a service provider real time information needed to determine how and whether to allow a device to access the provider’s system Harris [par.0021]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gibson’s security policy and Young’s risk scoring threat assessment with Harris’s system for fraud monitoring, detection, and tier user authentication. One of ordinary skill in the art would have been motivated to combine Gibson’s security policy which comprises prediction behavior information of a user, GANPATRAO’s risk assessment, Harris’s system for fraud monitoring, detection, and tier user authentication because all utilize a security policy system which predicts a security risk of a user and both are from the same field of endeavor.
Regarding claim 2 in view of claim 1, the references combined disclose “further comprising: dynamically responding to changes in the security risk assessment for the user by changing the group security policy to which the user is assigned”(prediction module responds to security risk assessment of a user Gibson[Fig.3/item ]304]) , “wherein a group security policy from the plurality of group security policies (group of security policies from end-users Gibson[Fig.2/item 220]) having a higher level of security enforcement is assigned to the user in response to changes in the security risk assessment indicating that the user poses an increased security risk”(Prediction module of the level of security impacts at least one user of the end-user Computing system by monitoring at least one behavior of the user on the end-user Computing system and determines how activating the security policy on the end-user Computing system may have impacted the behavior Gibson[Fig.3/item 304]) ; “and a group security policy from the plurality of group security policies having a lower level of security enforcement is assigned to the user in response to changes in the security risk assessment indicating that the user poses a lowered security risk”. (Prediction module of the level of security impacts at least one user of the end-user Computing system by monitoring at least one behavior of the user on the end-user Computing system and determines how activating the security policy on the end-user Computing system may have impacted the behavior Gibson[Fig.3/item 304]).
Regarding claim 3 in view of claim 1, the references combined disclose “wherein the security risk assessment includes one or more of: a security risk level; a composite security risk score; a security risk sub-score; and a data exfiltration score” (threat risk score assessment comprising a multiple data filtration assessment scores  GANPATRAO [par.0008]).
Regarding claim 4 in view of claim 1, the references combined disclose “wherein the security risk assessment for the user is received from a security analytics system” (threat risks to the computer infrastructure of an enterprise are detected and assessed by assembling singular threats identified using both direct and behavioral threat indicators into composite threats to create complex use cases across multiple do - mains, and to amplify risks along kill chains of known attacks for early detection GANPATRAO [Fig.1]), “wherein the security analytics system dynamically updates the security risk assessment for the user based on one or more of: user behavior at the endpoint device operated by the user; user interactions with a system resource; and user interactions with other user devices”(system monitors behavior of user for assessment Gibson[Fig.3/item 304]).
Regarding claim 5 in view of claim 4, the references combined disclose “wherein the security risk assessment for the user is received from the security analytics system at an API.” (notifying module 108 may display to the administrator of end-user computing systems 202(1)-(N) via graphical user interface 230 the information collected and predicted as part of step 304 Gibson[Col.9/lines 46-49]).
Regarding claim 6 in view of claim 1, the references combined disclose “wherein the assigned group security policy is communicated from a server (server device Gibson [Fig.2/item 206]) to an agent (end user computing device comprising security policy enforcer agent Gibson [Fig.2/item 210]) of the endpoint device operated by the user for enforcement of the assigned group security policy at the endpoint device.”(security policy enforcer Gibson [Fig.2/item 210]).
Regarding claim 7 in view of claim 6, the references combined disclose “further comprising: initiating communications by the agent at the endpoint device with the server in response to occurrence of one or more of a scheduled communication time assigned to the endpoint device”(module comprising identifying, predicting, notifying, and activating module monitors and initiates communication at the endpoint device Gibson[Fig.1]) ; “a communication timeout at the endpoint device; and a violation of a security policy rule at the endpoint device.” (security policy enforcer Gibson [Fig.2/item 210]). 
Regarding claim 8, Gibson discloses “a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: providing a plurality of group security policies” (plurality of group security policies, prediction information and behavior information within database 120 [Fig.1]), “wherein one or more of the plurality of group security policies have different levels of security enforcement” (security policy enforcer [Fig.2/item 210]); “assigning a group security policy from the plurality of group security policies to the user based on a comparison of the security risk assessment for the user with the security risk assessments associated with the group security policies” (correlating the impact of security policy 220 across groups of associated users via comparison prediction module and group users behaviors[Col.9/lines 17-21]), “the comparison determining when the security risk assessment are within a set of predetermined limits associated with a particular user group(predicting module 106 may use these determinations to predict (e.g., by correlating the impact of security policy 220 across groups of associated users) how activating security policy 220 on end-user computing systems 202(1)-(N) may impact future user behavior), “and communicating the assigned group security policy over an electronic communication network to an endpoint device operated by the user for automated enforcement of the group security policy at the endpoint device.” (enforcement of policy is communicated to on end user device [Col.9/lines 21-33]) via identifying module, predicting module, notifying module, and activating module [Fig.1/item 102]).
Gibson does not explicitly disclose “receiving a security risk assessment for a user, each of the plurality of group security policies is configured for a group of users having similar security risk assessments, and the different levels of security enforcement include different levels of automated control of one or more of access to electronic documents, and access to electronic resources: the security risk assessment includes taking into account a risk score associated with the user, the risk score associated with the user changing over time, the assigning the group security policy changing an assigned group security policy from the plurality of group security policies as the risk score changes over time;”
However, GANPATRAO in an analogous art discloses “receiving a security risk assessment for the user; assigning the user to a user group, the user group being one of a plurality of user groups” (a risk scoring threat assessment in which a singular risks 112 and composite risks 130 attributed to a specific entity such as a user, an application or a system may be used to determine entity risks 140 for such entities (GANPATRAO [par.0037]) by way of a scoring system via threat indicators (GANPATRAO [par.0008]), “each of the plurality of user groups being associated with common risk assessments”  (entity risks may further be aggregated to determine the organizational risk 150 for departments or groups GANPATRAO [par.0024]), each of the plurality of user groups being associated with predetermined risk assessment limits ”(risks are associated with privileged access, high risk user groups and access to critical assets, and with inherent risk associated with such risk boosters as contractors and vendors GANPATRAO [par.0037]), “the security risk assessment includes taking into account a risk score associated with the user” (the invention affords a method for accomplishing this by enabling risk scores to be determined for each threat indicator, and by enabling the risk scores to be aggregated and combined to determine a composite threat score as a weighted probability of all associated threat indicators, as will be described below GANPATRAO [par,0025]), “the risk score associated with the user changing over time”(a composite (i.e. made up of various changing parts)  risk score which is compared by a threshold that’s compared with changing threats over time GANPATRAO [par.0009]) , “the assigning the group security policy changing an assigned group security policy from the plurality of group security policies as the risk score changes over time” (a normalization formula is utilized within the policy  in regards to a change in underlying raw risk scores, and parameters can be recalculated when the new risk vector is added or risk landscape has changed significantly and changes such as adding or removing entities to the enterprise or to significant changes in entity risk score GANPATRAO [par.0044-0045]).
Neither Gibson nor GANPATRAO explicitly disclose “each of the plurality of group security policies is configured for a group of users having similar security risk assessments”, and the different levels of security enforcement include different levels of automated control of one or more of access to electronic documents of a secured network system, and access to electronic resources of a secured network system.”
However, Harris in an analogous art discloses “each of the plurality of group security policies is configured for a group of users having similar security risk assessments (security policy configured for In group devices [par.0071] see also table 7 sample policy data for in group devices [pg.15]), “and the different levels of security enforcement include different levels of automated control of one or more of access to electronic documents of a secured network system”(the rules engine automatically determines what modules to run during a policy authorization [par.0072]), “and access to electronic resources of a secured network system.” (user and device based robust fraud monitoring and detection along with robust fraud analysis and risk assessment to give a service provider real time information needed to determine how and whether to allow a device to access the provider’s system Harris [par.0021]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gibson’s security policy and Young’s risk scoring threat assessment with Harris’s system for fraud monitoring, detection, and tier user authentication. One of ordinary skill in the art would have been motivated to combine Gibson’s security policy which comprises prediction behavior information of a user, GANPATRAO’s risk assessment, Harris’s system for fraud monitoring, detection, and tier user authentication because all utilize a security policy system which predicts a security risk of a user and both are from the same field of endeavor.
Regarding claim 9 in view of claim 8, the references combined disclose “wherein the instructions are further configured for: dynamically responding to changes in the security risk assessment for the user by changing the group security policy to which the user is assigned” (prediction module responds to security risk assessment of a user Gibson[Fig.3/item ]304]), “wherein a group security policy from the plurality of group security policies(group of security policies from end-users Gibson[Fig.2/item 220]) having a higher level of security enforcement is assigned to the user in response to changes in the security risk assessment indicating that the user poses an increased security risk” (Prediction module of the level of security impacts at least one user of the end-user Computing system by monitoring at least one behavior of the user on the end-user Computing system and determines how activating the security policy on the end-user Computing system may have impacted the behavior Gibson[Fig.3/item 304]) ; “and a group security policy from the plurality of group security policies having a lower level of security enforcement is assigned to the user in response to changes in the security risk assessment indicating that the user poses a lowered security risk” (Prediction module of the level of security impacts at least one user of the end-user Computing system by monitoring at least one behavior of the user on the end-user Computing system and determines how activating the security policy on the end-user Computing system may have impacted the behavior Gibson[Fig.3/item 304]).
Regarding claim 10 in view of claim 8, the references combined disclose “wherein the security risk assessment includes one or more of: a security risk level; a composite security risk score; a security risk sub-score; and a data exfiltration score” (threat risk score assessment comprising a multiple data filtration assessment scores  GANPATRAO [par.0008]).
Regarding claim 11 in view of claim 8, the references combined disclose “wherein the security risk assessment for the user is received from a security analytics system” (threat risks to the computer infrastructure of an enterprise are detected and assessed by assembling singular threats identified using both direct and behavioral threat indicators into composite threats to create complex use cases across multiple do - mains, and to amplify risks along kill chains of known attacks for early detection GANPATRAO [Fig.1]), “wherein the security analytics system dynamically updates the security risk assessment for the user based on one or more of: user behavior at the endpoint device operated by the user; user interactions with a system resource; and user interactions with other user devices” (system monitors behavior of user for assessment Gibson[Fig.3/item 304]).
Regarding claim 12 in view of claim 11, the references combined disclose “wherein the security risk assessment for the user is received from the security analytics system at an API” (notifying module 108 may display to the administrator of end-user computing systems 202(1)-(N) via graphical user interface 230 the information collected and predicted as part of step 304 Gibson [Col.9/lines 46-49]).
Regarding claim 13 in view of claim 8, the references combined disclose “wherein the assigned group security policy is communicated from a server (server device Gibson [Fig.2/item 206]) to an agent (end user computing device comprising security policy enforcer agent Gibson [Fig.2/item 210]) of the endpoint device operated by the user for enforcement of the assigned group security policy at the endpoint device” (security policy enforcer Gibson [Fig.2/item 210]). 
Regarding claim 14 in view of claim 13, the references combined disclose “wherein the instructions are further configured initiating communications by the agent at the endpoint device with the server in response to occurrence of one or more of a scheduled communication time assigned to the endpoint device” (module comprising identifying, predicting, notifying, and activating module monitors and initiates communication at the endpoint device Gibson[Fig.1]); “a communication timeout at the endpoint device; and a violation of a security policy rule at the endpoint device” (security policy enforcer Gibson[Fig.2/item 210]).
Regarding claim 15, Gibson discloses “a non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for: providing a plurality of group security policies” (plurality of group security policies, prediction information and behavior information within database 120 [Fig.1]), “wherein one or more of the plurality of group security policies have different levels of security enforcement” (security policy enforcer [Fig.2/item 210]); “assigning a group security policy from the plurality of group security policies to the user based on a comparison of the security risk assessment for the user with the security risk assessments associated with the group security policies” (correlating the impact of security policy 220 across groups of associated users [Col.9/lines 17-21]), the comparison determining when the security risk assessment are within a set of predetermined limits associated with a particular user group” (predicting module 106 may use these determinations to predict (e.g., by correlating the impact of security policy 220 across groups of associated users) how activating security policy 220 on end-user computing systems 202(1)-(N) may impact future user behavior), “and communicating the assigned group security policy over in electronic communication network to an endpoint device operated by the user for automatic enforcement of the group security policy at the endpoint device.” (enforcement of policy is communicated to on end user device [Col.9/lines 21-33]) via identifying module, predicting module, notifying module, and activating module [Fig.1/item 102]).
Gibson does not explicitly disclose “receiving a security risk assessment for a user, assigning the user to a user group, the user group being one of a plurality of user groups, each of the plurality of user groups being associated with common risk assessments, each of the plurality of user groups being associated with predetermined risk assessment limits, the security risk assessment includes taking into account a risk score associated with the user, the risk score associated with the user changing over time, the assigning the group security policy changing an assigned group security policy from the plurality of group security policies as the risk score changes over time;”
However, GANPATRAO in an analogous art discloses “receiving a security risk assessment for the user.” (a risk scoring threat assessment in which a singular risks 112 and composite risks 130 attributed to a specific entity such as a user, an application or a system may be used to determine entity risks 140 for such entities (GANPATRAO [par.0037]) by way of a scoring system via threat indicators (GANPATRAO [par.0008]), assigning the user to a user group, the user group being one of a plurality of user groups” (entity risks may further be aggregated to determine the organizational risk 150 for departments or groups GANPATRAO [par.0024]), “each of the plurality of user groups being associated with common risk assessments, each of the plurality of user groups being associated with predetermined risk assessment limits” (risks are associated with privileged access, high risk user groups and access to critical assets, and with inherent risk associated with such risk boosters as contractors and vendors GANPATRAO [par.0037]), “the security risk assessment includes taking into account a risk score associated with the user” (the invention affords a method for accomplishing this by enabling risk scores to be determined for each threat indicator, and by enabling the risk scores to be aggregated and combined to determine a composite threat score as a weighted probability of all associated threat indicators, as will be described below GANPATRAO [par,0025]), “the risk score associated with the user changing over time”(a composite (i.e. made up of various changing parts)  risk score which is compared by a threshold that’s compared with changing threats over time GANPATRAO [par.0009]) , “the assigning the group security policy changing an assigned group security policy from the plurality of group security policies as the risk score changes over time” (a normalization formula is utilized within the policy  in regards to a change in underlying raw risk scores, and parameters can be recalculated when the new risk vector is added or risk landscape has changed significantly and changes such as adding or removing entities to the enterprise or to significant changes in entity risk score GANPATRAO [par.0044-0045]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gibson’s security policy with Young’s risk scoring threat assessment. One of ordinary skill in the art would have been motivated to combine Gibson’s security policy which comprises prediction behavior information of a user and GANPATRAO’s  risk assessment because both utilize a security policy system which predicts a security risk of a user and both are from the same field of endeavor.
Neither Gibson nor GANPATRAO explicitly disclose “each of the plurality of group security policies is configured for a group of users having similar security risk assessments”, and the different levels of security enforcement include different levels of automated control of one or more of access to electronic documents of a secured network system, and access to electronic resources of a secured network system.”
However, Harris in an analogous art discloses “each of the plurality of group security policies is configured for a group of users having similar security risk assessments (security policy configured for In group devices [par.0071] see also table 7 sample policy data for in group devices [pg.15]), “and the different levels of security enforcement include different levels of automated control of one or more of access to electronic documents of a secured network system”(the rules engine automatically determines what modules to run during a policy authorization [par.0072]), “and access to electronic resources of a secured network system.” (user and device based robust fraud monitoring and detection along with robust fraud analysis and risk assessment to give a service provider real time information needed to determine how and whether to allow a device to access the provider’s system Harris [par.0021]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gibson’s security policy and Young’s risk scoring threat assessment with Harris’s system for fraud monitoring, detection, and tier user authentication. One of ordinary skill in the art would have been motivated to combine Gibson’s security policy which comprises prediction behavior information of a user, GANPATRAO’s risk assessment, Harris’s system for fraud monitoring, detection, and tier user authentication because all utilize a security policy system which predicts a security risk of a user and both are from the same field of endeavor.
Regarding claim 16 in view of claim 15, the references combined disclose “wherein the instructions are further configured for: dynamically responding to changes in the security risk assessment for the user by changing the group security policy to which the user is assigned” (prediction module responds to security risk assessment of a user Gibson[Fig.3/item ]304]), “wherein a group security policy from the plurality of group security policies(group of security policies from end-users Gibson[Fig.2/item 220]) having a higher level of security enforcement is assigned to the user in response to changes in the security risk assessment indicating that the user poses an increased security risk” (Prediction module of the level of security impacts at least one user of the end-user Computing system by monitoring at least one behavior of the user on the end-user Computing system and determines how activating the security policy on the end-user Computing system may have impacted the behavior Gibson[Fig.3/item 304]); and a group security policy from the plurality of group security policies having a lower level of security enforcement is assigned to the user in response to changes in the security risk assessment indicating that the user poses a lowered security risk” (Prediction module of the level of security impacts at least one user of the end-user Computing system by monitoring at least one behavior of the user on the end-user Computing system and determines how activating the security policy on the end-user Computing system may have impacted the behavior Gibson[Fig.3/item 304]).
Regarding claim 17 in view of claim 15, the references combined disclose “wherein the security risk assessment includes one or more of: a security risk level; a composite security risk score; a security risk sub-score; and a data exfiltration score” (threat risk score assessment comprising a multiple data filtration assessment scores  GANPATRAO [par.0008]).
Regarding claim 18 in view of claim 15, the references combined disclose “wherein the security risk assessment for the user is received from a security analytics system” (threat risks to the computer infrastructure of an enterprise are detected and assessed by assembling singular threats identified using both direct and behavioral threat indicators into composite threats to create complex use cases across multiple do - mains, and to amplify risks along kill chains of known attacks for early detection GANPATRAO [Fig.1]), “wherein the security analytics system dynamically updates the security risk assessment for the user based on one or more of: user behavior at the endpoint device operated by the user; user interactions with a system resource; and user interactions with other user devices.” (system monitors behavior of user for assessment Gibson [Fig.3/item 304]).
Regarding claim 19 in view of claim 18, the references combined disclose “wherein the security risk assessment for the user is received from the security analytics system at an API.” (notifying module 108 may display to the administrator of end-user computing systems 202(1)-(N) via graphical user interface 230 the information collected and predicted as part of step 304 Gibson[Col.9/lines 46-49]).
Regarding claim 20 in view of claim 15, the references combined disclose “wherein the assigned group security policy is communicated from a server (server device Gibson [Fig.2/item 206]) to an agent (end user computing device comprising security policy enforcer agent Gibson [Fig.2/item 210]) of the endpoint device operated by the user for enforcement of the assigned group security policy at the endpoint device” (security policy enforcer Gibson [Fig.2/item 210]).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL D ANDERSON/Examiner, Art Unit 2433           

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433