Prosecution Insights
Last updated: May 29, 2026
Application No. 17/745,803

SYSTEM AND METHODS TO INCENTIVIZE ENGAGEMENT IN SECURITY AWARENESS TRAINING

Non-Final OA §103
Filed: May 16, 2022
Priority: May 21, 2021 (provisional 63/191,446)
Examiner: DOAN, HIEN VAN
Art Unit: 2449
Tech Center: 2400 (Computer Networks)
Assignee: KnowBe4 Inc.
OA Round: 5 (Non-Final)
Grant Probability: 51% (Moderate)
OA Rounds: 5-6
Est. Remaining: 2m
With Interview: 85%

Examiner Intelligence

Career Allowance Rate: 51% (90 granted / 178 resolved; -7.4% vs TC avg)
Interview Lift: +34.0% (strong; resolved cases with interview)
Avg Prosecution: 4y 2m (typical timeline; 9 currently pending)
Total Applications: 196 (career history, across all art units)

Statute-Specific Performance

§101: 1.7% (-38.3% vs TC avg)
§103: 89.6% (+49.6% vs TC avg)
§102: 7.3% (-32.7% vs TC avg)
§112: 0.9% (-39.1% vs TC avg)
Based on career data from 178 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim status: claims 1-24 are pending in this Office Action.

DETAILED ACTION

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under pre-AIA 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-2, 4-14, 16-24 are rejected under 35 U.S.C. 103 as being unpatentable over Krishna (US20220130274A1) hereafter referred to as “Krishna”, in view of Yao (US20180212994) hereafter referred to as “Yao”.

Regarding to claim 1: Krishna discloses A method comprising: receiving, by a server, an enrollment request of a user of an organization to a simulated self-phishing system to selectively enroll in the simulated self- phishing system, the simulated self-phishing system configured to enable the user to self-engage to receive simulated self-phishing communications and be scored on user’s interactions with the simulated self-phishing communications ((Krishna [0034] a user (who may, e.g., be an employee of an enterprise organization. [0039] a cybersecurity training triggering event or opportunity may include a first login attempt by a user to a device, application, system, or the like. For instance, a new employee or new user of a device, system, application, or the like, may attempt a first login and, upon attempting the login, a triggering event may be detected. [0033] an attempt to login to a virtual private network (VPN), a first login to a particular computing device or an application (e.g., as a new user) [0082] a user may attempt to login to a customer database having personally identifying information for a plurality of users. This may be detected as a cybersecurity training triggering event and may provide cybersecurity training for login security (e.g., password best practices) and/or customer data security. Accordingly, the generated cybersecurity training session may be related to the action being requested by the user and/or content of a system or application being accessed. Fig. 2A-2C, 201-215. [0037] step 201, cybersecurity training platform 110 may monitor processes and/or functions executed by or requested at one or more internal enterprise user devices … to identify applications being launched … to detect a cybersecurity training triggering event. [0048] based on the identified type of cybersecurity training triggering event, and/or any additional event details, user details, and the like, a cybersecurity training session prompt may be generated. 
[0053] At step 215, the generated cybersecurity training session prompt may be received by internal enterprise user device 120. See fig. 4 [0060] user interface 400 that may be generated … overall cybersecurity score has been updated. Note: a first login or login (comprising password) is an enrollment request (see spec [0080] request enrollment information that includes basic user information such as a username, password); a cybersecurity training is a simulated self- phishing system; an attempt to login to a virtual private network (VPN) comprising cybersecurity training platform executed by a request is selectively enroll in a simulated self- phishing system) identifying, by the server responsive to the enrollment request, organizational information of the user ([0039] a cybersecurity training triggering event or opportunity may include a first login attempt by a user to a device, application, system, or the like. For instance, a new employee or new user of a device, system, application, or the like, may attempt a first login and, upon attempting the login, a triggering event may be detected [0004-0006] detecting cybersecurity training triggering events performed by a user device … the computing platform may retrieve user profile data (of an organization see step 211 and [0061] the updated user profile may be transmitted from the cybersecurity training platform 110 to the enterprise organization system (system 140)) … the user profile data may include an overall cybersecurity score of the user and one or more user characteristics … The computing platform may then transmit, via the communication interface, the generated cybersecurity training session prompt to the user device. In some examples, transmitting the generated cybersecurity training session prompt to the user device may cause the user device to execute the generated cybersecurity training session prompt. 
[0035] user profile data including cybersecurity score data associated with a plurality of users (e.g., employees of the enterprise organization) Note: retrieve user profile data (include score of an internal user) then generated cybersecurity training session is identifying organizational information of the user) receiving, by the server, a selection by the user of one or more parameters of simulated self-phishing communications, provided as selectable options to the user via one or more user interface elements to adjust one of content or delivery of the simulated self-phishing communications to be communicated to the user (see fig. 3 [0049-0050] Once the user has provided a response, the user may select “OK” option to process the response. Alternatively, the user may select “CANCEL” option. However, selecting the “CANCEL” option may cause this or another cybersecurity training session prompt to be generated and/or displayed at a later time … generating the cybersecurity training session prompt, expected response data may also be generated. [0025-0027] Execution of the cybersecurity training session prompt may cause one or more user interfaces to be displayed by the user device. The user may then provide user input in response to the question or request for data and user response data may be generated. The user response data may be compared to expected response data … Based on determining whether the user answered the question correctly, a cybersecurity training session score may be generated. This score may then be used to update an overall cybersecurity score for the user. Additionally or alternatively, the cybersecurity training session score and/or overall cybersecurity score may be used to determine whether additional cybersecurity training session prompts and/or additional modifications should be executed … cybersecurity training can be provided to users. 
[0082] the generated cybersecurity training session may be related to the action being requested by the user and/or content of a system or application being accessed. [0034] based on user data requests, user input, or the like, that may be detected as a cybersecurity training triggering event. Note: “OK”/Cancel option or user answers are one or more parameters); generating, by the server responsive to the user's enrollment in the simulated self- phishing system, one or more simulated self-phishing communications for the user based at least on the organizational information of the user and the one or more parameters of the simulated self-phishing communications selected by the user ([0034] a user (who may, e.g., be an employee of an enterprise organization. [0035] user profile data including cybersecurity score data associated with a plurality of users (e.g., employees of the enterprise organization) [0008] the cybersecurity training triggering event may include … request to access a website, or login to a virtual private network. [0004-0006] detecting cybersecurity training triggering events performed by a user device … user devices of the enterprise organization … retrieve user profile data … include an overall cybersecurity score of the user and one or more user characteristics … generated cybersecurity training session prompt to the user device … cause the user device to execute the generated cybersecurity training session prompt. see fig. 3 [0049-0050] Once the user has provided a response, the user may select “OK” option to process the response. Alternatively, the user may select “CANCEL” option. However, selecting the “CANCEL” option may cause this or another cybersecurity training session prompt to be generated and/or displayed at a later time … generating the cybersecurity training session prompt, expected response data may also be generated. 
[0026] Based on determining whether the user answered the question correctly, a cybersecurity training session score may be generated. This score may then be used to update an overall cybersecurity score for the user. Additionally or alternatively, the cybersecurity training session score and/or overall cybersecurity score may be used to determine whether additional cybersecurity training session prompts and/or additional modifications should be executed. Note: login is enrollment; “OK”/Cancel option or user answers are one or more parameters; retrieve user profile data (include score of user) then generated cybersecurity training session is identifying organizational information of the user); communicating, by the server, to one or more devices of the user, the one or more simulated self-phishing communications ([0004-0006]generated cybersecurity training session prompt to the user device … cause the user device to execute the generated cybersecurity training session prompt. [0025-0026] Execution of the cybersecurity training session prompt may cause one or more user interfaces to be displayed by the user device. The user may then provide user input in response to the question … Based on determining whether the user answered … determine whether additional cybersecurity training session prompts and/or additional modifications should be executed). receiving, by the server, interaction data of the user with the one or more simulated self- phishing communications ([0007] the computing platform may receive, from the user device and in response to execution of the cybersecurity training session prompt, user response data received via the generated cybersecurity training session prompt. 
The computing platform may then compare the received user response data to the expected response data to determine whether the received user response data matches the expected response data); and generating, by the server for display, a score of the user based at least on the interaction data ([0007] Based on the comparison of the user response data to the expected response data, the computing platform may compute a cybersecurity training session score … then update, based on the cybersecurity training session score of the outcome of the comparison. See fig. 4 [0060] user interface 400 that may be generated … overall cybersecurity score has been updated).

Krishna does not explicitly disclose an enrollment request of a user to a simulated self-phishing system.

Yao teaches an enrollment request of a user to a simulated self-phishing system (Fig. 1 user register to anti-phishing system. [0034-0035] user registers … registered and authenticated by the following steps 1 to 5 … In step 1, the email sending user registers in the anti-phishing email system to be a user, and submits an email address to the email address registration and authentication subsystem).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to take the teachings of Yao and apply them on the teachings of Krishna to further implement an enrollment request of a user to a simulated self-phishing system. One would be motivated to do so because in order to improve better system and method to provide user registers in the anti-phishing email system (Yao, Fig. 1 [0034-0035]).

Regarding to claim 2: Krishna teaches The method of claim 1, further comprising receiving, by the server responsive to the enrollment request to enroll, a selection of the user to be in one of a single user mode or a multi-user mode of the simulated self-phishing system ([0082] a user may attempt to login to a customer database having personally identifying information for a plurality of users. This may be detected as a cybersecurity training triggering event and may provide cybersecurity training for login security (e.g., password best practices) and/or customer data security. Accordingly, the generated cybersecurity training session may be related to the action being requested by the user and/or content of a system or application being accessed. [0048] The one or more questions may be general cybersecurity training questions. Fig.2D. [0055-0056] At step 217, user input may be received … Based on the received user input, at step 218, user response data may be generated by internal enterprise user device 120 … At step 220, the user response data may be received by cybersecurity training platform 110. Note: a user attempt to login a customer database having personally identifying information for a plurality of users is a selection of the user to be in one of a multi-user mode of the simulated self-phishing system. See spec [0080] the user chooses the single user mode, enrollment manager 242 may provide an option to the user to provide personal information. 
[0082] the multi-user mode, enrollment manager 242 may identify, access and/or obtain organizational information of the user) Regarding to claim 4: Krishna teaches The method of claim 2, further comprising receiving, by the server responsive to the selection of the user to be in the single user mode of the simulated self-phishing system, one or more parameters to adjust one of content or delivery of the one or more simulated self-phishing communications (0082] In some instances, content of a cybersecurity training session prompt may be related to a type of data being accessed. For instance, a user may attempt to login to a customer database having personally identifying information for a plurality of users. This may be detected as a cybersecurity training triggering event and may provide cybersecurity training for login security (e.g., password best practices) and/or customer data security. Accordingly, the generated cybersecurity training session may be related to the action being requested by the user and/or content of a system or application being accessed. Additionally or alternatively, content of one or more cybersecurity training session prompts may be based on threats to various customers of the enterprise (e.g., to provide customer-specific training or training raising awareness of customer concerns), threats to the enterprise organization, and/or best practices for operating in a connected environment. [0026] Based on determining whether the user answered the question correctly, a cybersecurity training session score may be generated. This score may then be used to update an overall cybersecurity score for the user. Additionally or alternatively, the cybersecurity training session score and/or overall cybersecurity score may be used to determine whether additional cybersecurity training session prompts and/or additional modifications should be executed. 
Note: user answers and/or scores are one or more parameters) Regarding to claim 5: Krishna teaches The method of claim 4, wherein the one or more parameters comprises identification of one or more of the following: a range of time in which to receive the one or more simulated self- phishing communications, a number of how many simulated self-phishing communications to receive, and a time window in which a first simulated self-phishing communication is to be sent ([0026] Based on determining whether the user answered the question correctly, a cybersecurity training session score may be generated. This score may then be used to update an overall cybersecurity score for the user. Additionally or alternatively, the cybersecurity training session score and/or overall cybersecurity score may be used to determine whether additional cybersecurity training session prompts and/or additional modifications should be executed. [0083] Additionally or alternatively, cybersecurity training session prompts may be generated at predetermined intervals (e.g., once per day, once per week), or upon every (or a predetermined number of) events (e.g., at every login to a user device, at every third opening of a particular application, or the like. Note: user answers and/or scores are one or more parameters) Regarding to claim 6: Krishna teaches The method of claim 4, wherein the one or more parameters comprise identification of one or more of the following: a type of simulated self-phishing communication, a difficulty level of the simulated self-phishing communication and a mode of communication of the simulated self- phishing communication ([0026] Based on determining whether the user answered the question correctly, a cybersecurity training session score may be generated. This score may then be used to update an overall cybersecurity score for the user. 
Additionally or alternatively, the cybersecurity training session score and/or overall cybersecurity score may be used to determine whether additional cybersecurity training session prompts and/or additional modifications should be executed [0064] If a cybersecurity training session score and/or overall cybersecurity score is above a second threshold but below the first threshold, the user may have a moderate risk level and one or more additional training sessions may be identified for the user … a high risk and remedial cybersecurity training may be identified for the user. [0071] At step 232, the additional cybersecurity training session prompt may be displayed and/or executed by the internal enterprise user device 120 … user input may be received and user response data may be generated based on the user input. The user response data may be transmitted from the internal enterprise user device 120 to the cybersecurity training platform 110) Regarding to claim 7: Krishna teaches The method of claim 2, further comprising generating, by the server, the one or more simulated self-phishing communications based at least on the selection of the user to be in one of the single user mode or the multi-user mode of the simulated self-phishing system ([0082] a user may attempt to login to a customer database having personally identifying information … provide cybersecurity training for login security (e.g., password best practices). [0048-0049] At step 212 …The user interface 300 may further include a field to receive user input in response to the cybersecurity training question. Once the user has provided a response, the user may select “OK” option to process the response. Alternatively, the user may select “CANCEL” option. [0053] At step 215, the generated cybersecurity training session prompt may be received by internal enterprise user device 120. 
Note: login with name or unique identifier is a selection of the user to be in one of a single user mode) Regarding to claim 8: Krishna teaches The method of claim 1, further comprising receiving, by the server, personal information of the user comprising one or more of the following: a personal email address, a personal phone number, information of one or more social media accounts, a hometown of the user, a birthdate, a gender, a club, an interest or an affiliation ([0034] a user (who may, e.g., be an employee of an enterprise organization). [0004-0006] detecting cybersecurity training triggering events performed by a user device … the computing platform may detect a cybersecurity training triggering event at a user device of the plurality of user devices of the enterprise organization … retrieve user profile data … include an overall cybersecurity score of the user and one or more user characteristics … The computing platform may then transmit, via the communication interface, the generated cybersecurity training session prompt to the user device. Also see step 210 sending user profile to platform 110) Regarding to claim 9: Krishna teaches The method of claim 7, further comprising generating, by the server, the one or more simulated self-phishing communications using the personal information of the user ([0005] the user profile data may include an overall cybersecurity score of the user and one or more user characteristics [0004-0006] detecting cybersecurity training triggering events performed by a user device … the computing platform may detect a cybersecurity training triggering event at a user device of the plurality of user devices of the enterprise organization … retrieve user profile data … include an overall cybersecurity score of the user and one or more user characteristics … The computing platform may then transmit, via the communication interface, the generated cybersecurity training session prompt to the user device). 
Regarding to claim 10: Krishna teaches The method of claim 7, further comprising adjusting, by the server responsive to receiving the personal information, the score of the user (See fig. 4 [0082] a user may attempt to login to a customer database having personally identifying information [0007] Based on the comparison of the user response data to the expected response data, the computing platform may compute a cybersecurity training session score … then update, based on the cybersecurity training session score of the outcome of the comparison. See fig. 4 [0060] user interface 400 that may be generated … overall cybersecurity score has been updated).

Regarding to claim 11: Krishna teaches The method of claim 1, further comprising generating, by the server responsive to the interaction data, a test to communicate to the user (see fig. 3 [0049-0050] The user interface 300 may further include a field to receive user input in response to the cybersecurity training question … an expected (e.g., correct or acceptable) response to each question may also be generated by the cybersecurity training platform 110)

Regarding to claim 12: Krishna teaches The method of claim 10, further comprising adjusting, by the server, responsive to receiving results of the test, the score of the user ([0072] A cybersecurity training session score may be generated and the overall cybersecurity score of the user may be modified. If the overall score is modified by a threshold amount, to be lower than a previous value, or the like, additional cybersecurity training session prompts).

Regarding to claim 13: [Rejection rationale for claim 1 is applicable].
Regarding to claim 14: [Rejection rationale for claim 2 is applicable].
Regarding to claim 16: [Rejection rationale for claim 4 is applicable].
Regarding to claim 17: [Rejection rationale for claim 5 is applicable].
Regarding to claim 18: [Rejection rationale for claim 6 is applicable].
Regarding to claim 19: [Rejection rationale for claim 7 is applicable].
Regarding to claim 20: [Rejection rationale for claim 8 is applicable].
Regarding to claim 21: [Rejection rationale for claim 9 is applicable].
Regarding to claim 22: [Rejection rationale for claim 10 is applicable].
Regarding to claim 23: [Rejection rationale for claim 11 is applicable].
Regarding to claim 24: [Rejection rationale for claim 12 is applicable].

Claims 3 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Krishna (US20220130274A1) hereafter referred to as Krishna, in view of Yao (US20180212994), further in view of Atencio (US20200135049A1) hereafter referred to as Atencio.

Regarding to claim 3: Krishna-Yao teaches The method of claim 2,

Krishna-Yao does not explicitly disclose wherein the multi-user mode of the simulated self-phishing system is configured to display the score of the user with scores of other users in an enumerated list of scores.

Atencio teaches wherein the multi-user mode of the simulated self-phishing system is configured to display the score of the user with scores of other users in an enumerated list of scores (Atencio. See Fig. 4 for display scores in the list. [0180] FIG. 4 illustrates a scoring summary 402 of various users that may be displayed [0060] Management or others can view user scores and score trends at either the component or composite level for segments of a workforce to track trends over time. Management or others can also view individual and workforce training and awareness improvement score patterns to determine if and by how much users are improving relative to company goals. Finally, the evaluation system provides an estimate of organizational risk reduction based on population learning trends)

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to take the teachings of Atencio and apply them on the teachings of Krishna-Yao to further implement wherein the multi-user mode of the simulated self-phishing system is configured to display the score of the user with scores of other users in an enumerated list of scores. One would be motivated to do so because in order to improve better system and method to provide a scoring summary of various users that may be displayed, management or others can also view individual and workforce training and awareness improvement score patterns (Atencio. Fig. 4 [0060]).

Regarding to claim 15: [Rejection rationale for claim 3 is applicable].

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HIEN DOAN whose telephone number is 571 272-4317. The examiner can normally be reached on Monday-Thursday and biweekly Friday 9am-6pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SRIVASTAVA VIVEK can be reached on 571-272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HIEN V DOAN/
Examiner, Art Unit 2449

/VIVEK SRIVASTAVA/
Supervisory Patent Examiner, Art Unit 2449

Prosecution Timeline

Jul 16, 2025: Non-Final Rejection mailed (§103)
Oct 06, 2025: Response Filed
Dec 10, 2025: Final Rejection mailed (§103)
Feb 10, 2026: Response after Non-Final Action
Mar 06, 2026: Request for Continued Examination
Mar 18, 2026: Response after Non-Final Action
Apr 18, 2026: Non-Final Rejection (signed) (§103)
May 22, 2026: Non-Final Rejection mailed (§103, current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12641141
IDENTIFYING AN HTTP RESOURCE USING MULTI-VARIANT HTTP REQUESTS
8y 2m to grant Granted May 26, 2026
Patent 12615317
INTERACTIVE CUSTOMIZED PUSH NOTIFICATIONS WITH CUSTOMIZED ACTIONS
7y 2m to grant Granted Apr 28, 2026
Patent 12542722
AUTOMATED INITIATION OF HELP SESSION IN A VIDEO STREAMING SYSTEM
4y 1m to grant Granted Feb 03, 2026
Patent 12470569
ANOMALY DETECTION RELATING TO COMMUNICATIONS USING INFORMATION EMBEDDING
3y 11m to grant Granted Nov 11, 2025
Patent 12443717
METHODS & PROCESSES TO SECURELY UPDATE SECURE ELEMENTS
3y 4m to grant Granted Oct 14, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 5-6
Grant Probability: 51%
With Interview: 85% (+34.0%)
Median Time to Grant: 4y 2m (~2m remaining)
PTA Risk: High
Based on 178 resolved cases by this examiner. Grant probability derived from career allowance rate.
