Prosecution Insights
Last updated: April 18, 2026
Application No. 17/976,678

Educational Tool for Business and Enterprise Risk Management

Non-Final OA §101
Filed: Oct 28, 2022
Examiner: KNIGHT, LETORIA G
Art Unit: 3623
Tech Center: 3600 — Transportation & Electronic Commerce
Assignee: Darktrace Holdings Limited
OA Round: 3 (Non-Final)
Grant Probability: 27% (At Risk)
OA Rounds: 3-4
To Grant: 2y 9m
With Interview: 73%

Examiner Intelligence

Grants only 27% of cases
Career Allow Rate: 27% (46 granted / 173 resolved), -25.4% vs TC avg
Strong +46% interview lift
Interview Lift: +46.5% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 9m; 39 currently pending
Career history
Total Applications: 212 across all art units

Statute-Specific Performance

§101: 43.9% (+3.9% vs TC avg)
§103: 38.6% (-1.4% vs TC avg)
§102: 3.7% (-36.3% vs TC avg)
§112: 10.0% (-30.0% vs TC avg)
Based on career data from 173 resolved cases

Office Action

§101
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 29 January 2026 has been entered.

Status of Claims

This is a non-final office action in response to the request for continued examination filed 29 January 2026. Claims 1, 11, and 19 have been amended. Claims 1-20 are pending and have been examined.

Response to Amendment

Applicant’s amendment to claims 1, 11, and 19 has been entered. Applicant’s amendment is insufficient to overcome the pending 35 U.S.C. 101 rejection. The rejection remains pending and is updated below, as necessitated by amendment. Applicant’s amendment is sufficient to overcome the pending 35 U.S.C. 103 rejection. The rejection is respectfully withdrawn.

Response to Arguments

Applicant’s arguments regarding the 35 U.S.C. 103 rejection have been fully considered, and are persuasive, particularly the arguments at pages 11-12 of the Remarks that the prior art of record fails to teach or otherwise suggest each and every recitation set forth in independent claims 1, 11, and 20. An updated prior art search was conducted, as necessitated by amendment. Examiner analyzed amended Claim 1 and similarly claims 11 and 20, in view of the prior art of record and the updated prior art search and finds not all claim limitations are explicitly taught nor would one of ordinary skill in the art find it obvious to combine these references with a reasonable expectation of success.
The prior art made of record and not relied upon is updated and detailed below. The prior art rejection is respectfully withdrawn.

Applicant’s arguments regarding the 35 U.S.C. 101 rejection have been fully considered, but are not persuasive. Applicant asserts that the claims are not directed to an abstract idea of analyzing data because the claims recite a specific technological system and process rooted in computer technology to solve a technical problem inherent in cybersecurity by efficiently and accurately identifying, prioritizing, and mitigating complex cyber risks within an enterprise network using simulations and targeted training sessions. Applicant further asserts that the claims integrate any alleged abstract idea into a practical application, similar to the claims of Ex Parte Desjardins, by providing automated security training with simulations to target what is relevant to particular users of the network using past training performance, past tests, and real world context that is patent eligible.

Examiner respectfully disagrees. Per paragraph [0089] of the Specification the inventive concept involves “feeding of the details of the detected incident into multiple hypothetical simulations of that incident will be performed by the importance node module in order to predict and/or control the autonomous response to the detected incident as well as subsequently improve the detection of the cyber threat causing that ongoing attack.” Because the recited claim limitations are directed to receiving and processing known data to predict cyber security risks, and based on the data collection and analysis, perform training simulations and generate reports, the claim limitations fall within the certain methods of organizing human behavior and mental processes grouping of abstract concepts. Further performing simulated training is a form of content presentation based on data analysis.
The claimed modules, modeling components, and cyber threat attack simulator are additional elements that perform data processing functions to perform calculations, generate predictions, and perform training simulations based on calculations in a manner that improves the abstract idea itself, not the underlying data processing technology used to implement the abstract concepts of determining a threat, classifying and quantifying risks, and generating a report or simulated training based on the data collection and analysis. Because the claimed output is not used in a meaningful way (such as autonomously executing a solution to mitigate the threat to a live network or system) beyond modeling known data, generating a report, or presenting content to a user or group of users in the form of a training simulation, the recited abstract idea is not integrated into a practical application.

In Ex Parte Desjardins, Appeal No. 2024-000567 (PTAB Sept. 26, 2025) (precedential), the claimed invention improves how the machine learning model itself operates. In Desjardins, the Board held eligible a recited method of training a machine learning model, where (1) the model was trained on a first machine learning task using first training data to determine first values of machine learning model parameters, where a respective measure of performance was determined for a parameter of the first task and assigned to each parameter, and (2) the machine learning model was trained on a second machine learning task with second training data to adjust the first parameter values to optimize the machine learning model’s performance on the second machine learning task while protecting the model’s performance on the first machine learning task. See Desjardins at 2–3.
In arriving at its eligibility conclusion, the Board noted that the claimed invention’s adjustment of the first values of plural parameters to optimize performance of the machine learning model on the second machine learning task while protecting performance of the machine learning model on the first machine learning task constituted an improvement to how machine learning model itself operates. See id. at 9.

That is not the case here. Neither the claims nor the Specification herein indicate that the recited data gathering and output functions are performed in an unconventional way to add significantly more than the abstract idea to provide an inventive concept under Alice/Mayo step two. See MPEP § 2106.05(II). As a result, the 35 U.S.C. 101 rejection is proper, maintained, and updated below as necessitated by amendment.

Claim Objections

Claims 1, 11, and 20 are objected to because of the following informalities: the clause “iii) determine key pathways within the network and associated vulnerable network nodes in the network that a potential cyber-attack and iv)” appears to include a typographical error or omission of necessary wording. Appropriate correction is required.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea of collecting, analyzing, and outputting data without significantly more. Independent claim 1 recites a device, independent claim 11 recites a process, and independent claim 20 recites a product for automated cyber security training. Claims 1, 11, and 20 recite substantially similar limitations.
Under Step 1, independent claims 1, 11, and 20 recite at least one step or act, including classifying network nodes based on security risks and associated vulnerabilities. Thus the claims fall within one of the statutory categories of invention. See MPEP 2106.03.

Taking independent claim 11 as representative, amended claim 11 recites at least the following limitations:

configuring an importance node module generate to one or more graphs and determine an importance metric of a network node in the one or more graphs based on at least two or more factors that at least include a hierarchy of a user in an organization, a job title of the user in the organization, aggregated account privileges from multiple different network domains for the user, and a level of shared resource access for the user;

configuring an attack path modeling component to i) receive the one or more graphs as input from the importance node module, ii) conduct analytics of the one or more graphs to determine an importance of a particular network node in the network compared to other network nodes in the network, iii) determine key pathways within the network and associated vulnerable network nodes in the network that a potential cyber-attack and iv) conduct a modeling of the potential cyber-attack with a cyber threat attack simulator, where the attack path modeling component is configured to understand the importance of the network nodes in the network based on the supplied input of the one or more graphs from the importance node module;

configuring a grouping module to cooperate with the importance node module and the attack path modeling component and analyze the importance of the network nodes in the network compared to the other network nodes in the network, and the key pathways within the network and the associated vulnerable network nodes in the network used during the potential cyber-attack, where the grouping module is further configured to classify the network nodes based on security risks
and associated vulnerabilities of the network nodes in order to generate reports including areas of vulnerability and known weaknesses of the network under analysis, where the reports are generated based on calculations to determine riskiest network nodes and risk factors associated with each network node;

configuring one or more processing units to execute software instructions associated with the importance node module, the attack path modeling component, and the grouping module; and

configuring one or more non-transitory storage mediums to store at least software associated with the importance node module, the attack path modeling component, and the grouping module, wherein the automated training system is configured to counter cyberthreats by performing simulations to counter potential cyber-attacks where the simulations are directed to groups of users of the network nodes with common susceptibility to a particular type of cyber-attack to conduct a targeted training session.

Under Step 2A Prong One, the method steps of claim 11 for configuring software modules to perform functions (software instructions), as drafted, illustrates a process that, under its broadest reasonable interpretation covers performance of the limitation in the mind (measuring security threats and generating reports regarding user vulnerability and known weaknesses).

Further configuring an importance module to generate one or more graphs; and determine an importance metric of a network node in the one or more graphs
Abstract idea: organizing and manipulating data through mathematical correlations - “a process that employs mathematical algorithms to manipulate existing information to generate additional information is not patent eligible.” See Digitech Image Techs, LLC v. Elecs. for Imaging, Inc., 758 F.3d 1344, 1351 (Fed. Cir. 2014).
configuring the attack path modeling component to i) receive graphs as input; ii) conduct analytics of the graphs, iii) determine key pathways, and iv) conduct modeling of the potential cyber-attack
Abstract idea: comparing data to make a determination could be performed mentally. Receiving data as input is insignificant extra-solution activity (i.e., data gathering). See MPEP § 2106.05(g).

a modeling of the cyber-attack
Modeling is outside of the scope of the claim requirements, while the model is referenced to make a determination, the claims limitations do not positively recite limitations for modeling a cyber-attack.

The attack path modeling component is configured to understand the importance of the network nodes in the network compared to other network nodes
Abstract idea: comparing data to make a determination could be performed mentally.

configuring a grouping module to cooperate with the importance node module and the attack path modeling component
Cooperating with software modules over a network is a form of transmitting and/or receiving data and amounts to insignificant extra-solution activity (i.e., data gathering). See MPEP § 2106.05(g).

configuring a grouping module to … analyze the importance of the network nodes in the network compared to other network nodes in the network
Abstract idea: comparing data to make a determination could be performed mentally.

The grouping module is further configured to classify the network nodes based on security risks and associated vulnerabilities of the network nodes
Abstract idea: classifying data involves evaluating and making judgements which can be performed mentally.

in order to generate reports … , where the reports are prepared based on calculations to determine riskiest network nodes and risk factors associated with each network node
The reporting step is an intended result of the data analysis steps, generating a report is the output of data and is construed as insignificant extra solution activity.
See MPEP 2106.05(g). Further, generating a report is not actively claimed or positively recited.

configuring one or more processing units to execute software instruction associated with the importance node module, the attack path modeling component, and the grouping module
Abstract idea: processing data to generate an output could be performed mentally.

configuring one or more non-transitory storage mediums to store at least software associated with the importance node module, the attack path modeling component, and the grouping module
Storing information is insignificant extra solution activity. See MPEP 2106.05(g).

The automated training system is configured to counter cyberthreats by performing simulations
Presenting content to a user or group of users in the form of a training simulation based on data analysis output is a mental process. Simulations can be carried out by human beings imitating the actual process with the aid of pencil and paper.

None of the additional elements preclude the steps from practically being performed in the human mind, or by a human using a pen and paper. See MPEP 2106.04(a)(2)(III). The claim limitations for performing calculations using a mathematical function and use of one or more graphs falls under both the mathematical concepts grouping and mental processes grouping, and the claims recite an abstract idea. See MPEP § 2106.04(a)(2)(I). Therefore, the limitations the claims recite an abstract idea. See MPEP § 2106.04(a). Because performing cybersecurity training based on analysis of known data and generation of a report of a user’s (or group of users) vulnerability and known weakness is a form of managing personal behavior and the claims fall within the abstract concept grouping of certain methods of organizing human activity. See MPEP 2106.04(a)(2)(II).

Under Step 2A Prong Two, the judicial exception of claim 11 is not integrated into a practical application.
In particular, the claims only recite a processor and storage device for performing the recited steps. These elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function) and amount to no more than mere instructions to apply the exception using generic computer components. See MPEP 2106.05(f).

For example, Applicant’s specification at paragraph [0204] states: “FIG. 7 illustrates a block diagram of an embodiment of one or more computing devices that can be a part of the automated training system to counter cyber-threats for an embodiment of the disclosure. The computing device may include one or more processors or processing units 620 to execute instructions, one or more memories 630-632 to store information, one or more data input components 660-663 to receive data input from a user of the computing device 600, one or more modules that include the management module, a network interface communication circuit 670 to establish a communication link to communicate with other computing devices external to the computing device.”

Adding generic computer components to perform generic functions, such as data gathering, performing calculations, and outputting a result would not transform the claim into eligible subject matter. See MPEP 2106.05(h).

Claim 11 recites the following additional elements: (1) an importance module, (2) attack path modeling component, and (3) a grouping module. Each of these additional elements are construed as software modules comprising instructions for processing the data input, without significantly more. Accordingly, the additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.

Under Step 2B, claim 11 does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
As discussed above with respect to the integration of the abstract idea into a practical application, the additional elements of a processor and storage device amount to no more than mere instructions to apply the exception using a generic computer component which cannot provide an inventive concept.

Dependent claims 2-10 and 12-19 include the abstract ideas of the independent claims. The limitations of the dependent claims merely narrow the mental process of collecting data, analyzing it, and generating certain output/method of organizing human activity related to behavior on a network that creates cyber-security risks or threats abstract idea by describing how the analyzed data is intended to be used for implementing cyber security training and reporting, including training specific to the intended user or group of users. The limitations of the dependent claims are not integrated into a practical application because none of the additional elements set forth any limitations that meaningfully limit the abstract idea implementation. There are no additional elements that transform the claim into a patent eligible idea by amounting to significantly more.

The analysis above applies to all statutory categories of invention. Accordingly, independent claims 1 and 20 and the claims that depend therefrom are rejected as ineligible for patenting under 35 U.S.C. 101 based upon the same analysis applied to claim 11 above. Therefore claims 1-20 are ineligible under 35 U.S.C. 101.

Allowable Subject Matter

Claims 1-20 are rejected under 35 U.S.C. 101, but the claims would be allowable if the aforementioned rejections are overcome. An updated prior art search was conducted, as necessitated by amendment.
Examiner analyzed amended Claim 1 and similarly claims 11 and 20, in view of the prior art of record and the updated prior art search and finds not all claim limitations are explicitly taught nor would one of ordinary skill in the art find it obvious to combine these references with a reasonable expectation of success. Therefore claims 1-20 are eligible over the prior art.

Regarding independent claims 1, 11, and 20, Saad Ahmed et al. (US 2022/0094702) and Hadar et al. (US 2021/0273978) combined disclose an iterative, cyber threat awareness training method. Saad Ahmed et al. [para. 0009-0013, 0029-0030]. … one or more simulated cyber-attacks may be generated and/or provided as a part of an overall training module which provides one or more target users with visual cues and/or virtual credits or rewards that may include penalties to reinforce desired behaviors and learn from them. Saad Ahmed et al. [para. 0018, 0131]; where a first input to a reinforcement learning (RL) algorithm module is used to carry out a sequence of a number of simulated cyber-attacks on the target user. Saad Ahmed et al. [para. 0031-0032]. … The results of one or a number of the simulated cyber-attack instances carried out by the attack engine are preferably analyzed and used to create and/or output recommendations to the target user via a reinforcement learning scheme, suitable social engineering-based cyber-attack countermeasures. Saad Ahmed et al. [para. 0013-0018].
However, the combined references fail to explicitly teach or otherwise disclose configuring an importance node module generate to one or more graphs and determine an importance metric of a network node in the one or more graphs based on at least two or more factors that at least include a hierarchy of a user in an organization, a job title of the user in the organization, aggregated account privileges from multiple different network domains for the user, and a level of shared resource access for the user; configuring an attack path modeling component to i) receive the one or more graphs as input from the importance node module, ii) conduct analytics of the one or more graphs to determine an importance of a particular network node in the network compared to other network nodes in the network, iii) determine key pathways within the network and associated vulnerable network nodes in the network that a potential cyber-attack and iv) conduct a modeling of the potential cyber-attack with a cyber threat attack simulator, where the attack path modeling component is configured to understand the importance of the network nodes in the network based on the supplied input of the one or more graphs from the importance node module.

The closest prior art, detailed below yet not relied upon is Sites et al. Sites et al. discloses a method describing the process of training and using the one or more artificial intelligence models useful for determining a user's job score. user risk score (which may also be called a vulnerability score) may take into consideration a job score of the user which in some examples is determined by at least the job, position or role that the user has in an organization.
The job, position or role that a user has in an organization may be indicative of how frequently the user is presented with a malicious attack, how likely a user is to respond to a malicious attack, or how severe the consequence of the user responding to a malicious attack may be to the organization, which may for example be influenced by how much access the user has to critical systems and servers of their organization. Sites et al. [para. 0079-0085]. A numeric label or score is assigned to each node which represents a user within an organization, wherein the numeric label or score represents users' importance within the organization. The centrality of each node is calculated using betweenness centrality. This centrality metric defines and measures the importance of a node in a graph based upon how many times the node occurs in the shortest path between all pairs of nodes in a graph. Nodes having the highest betweenness centrality are the nodes that are on the shortest paths between the largest number of pairs of nodes and hence are crucial to the communication in a graph as they connect a high number of nodes with each other. Sites et al. [para. 0165-0170].

However, Sites et al. fails to explicitly teach or otherwise disclose an attack path modeling component to i) receive the one or more graphs as input from the importance node module, ii) conduct analytics of the one or more graphs to determine an importance of a particular network node in the network compared to other network nodes in the network, iii) determine key pathways within the network and associated vulnerable network nodes in the network that a potential cyber-attack.

None of the above listed references teaches the specific ordered sequence of limitations presented in independent claims 1, 11, and 20.
Moreover since the specific ordered combined sequence of claim elements recited in claims 1, 11, and 20 can only be found as recited in Applicant’s specification, any combination of the cited references and/or additional references to teach all the claim elements, including the features discussed above, would be the result of impermissible hindsight reconstruction. Accordingly the prior art rejections set forth in the previous action are withdrawn.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:

Sites et al. (US 2022/0224714) - one or more servers are configured to determine a level of cybersecurity risk of a user using an artificial intelligence model that is configured to read a user's job title at a character by character level, detect patterns in the character sequence, and output a job score according to the job title, wherein the job score is indicative of the risk level of the user with respect to cybersecurity awareness associated with their job or position in the organization of the user. A user may be an employee of an organization.

White et al. (US 2009/0320137) - Systems and methods for generating a network attack within a simulated network environment including a module configured for creating one or more attack events against network devices within the simulated network environment wherein the attack events include exploitations of published and unpublished vulnerabilities and failures of hardware and software network systems, devices, or applications within the simulated network environment and for executing the created attack event on the simulated network environment and having an interface configured for receiving metadata regarding each attack event and adding the received attack event metadata to each associated attack event.

Dechene et al.
(US 2022/0245462) - system including one or more processors and one or more non-transitory computer-readable media storing computing instructions that, when executed on the one or more processors, perform certain acts. The acts can include generating a digital twin network simulation of a physical computer network controlled through a software-defined-network (SDN) control system. The acts also can include training a routing agent model on the digital twin network simulation using a reinforcement-learning model on traffic that flows through nodes of the digital twin network simulation. The routing agent model includes a machine-learning model. The acts additionally can include deploying the routing agent model, as trained, from the digital twin network simulation to the SDN control system of the physical computer network.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LETORIA G KNIGHT whose telephone number is (571)270-0485. The examiner can normally be reached M-F 9am-5pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao WU can be reached at 571-272-6045. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov.
Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/L.G.K/Examiner, Art Unit 3623
/RUTAO WU/Supervisory Patent Examiner, Art Unit 3623

Prosecution Timeline

Oct 28, 2022: Application Filed
Dec 09, 2024: Non-Final Rejection — §101
Apr 18, 2025: Response Filed
Jul 25, 2025: Final Rejection — §101
Jan 29, 2026: Request for Continued Examination
Feb 23, 2026: Response after Non-Final Action
Apr 02, 2026: Non-Final Rejection — §101 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12579488
METHODS AND SYSTEMS FOR OPTIMIZING VALUE IN CERTAIN DOMAINS
2y 5m to grant Granted Mar 17, 2026
Patent 12536552
HUMANOID SYSTEM FOR AUTOMATED CUSTOMER SUPPORT
2y 5m to grant Granted Jan 27, 2026
Patent 12499400
Sensor Input and Response Normalization System for Enterprise Protection
2y 5m to grant Granted Dec 16, 2025
Patent 12380409
METHODS AND SYSTEMS FOR EXPLOITING VALUE IN CERTAIN DOMAINS
2y 5m to grant Granted Aug 05, 2025
Patent 12373748
SYSTEMS AND METHODS OF ASSIGNING MICROTASKS OF WORKFLOWS TO TELEOPERATORS
2y 5m to grant Granted Jul 29, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 27%
With Interview: 73% (+46.5%)
Median Time to Grant: 2y 9m
PTA Risk: High
Based on 173 resolved cases by this examiner. Grant probability derived from career allow rate.
