Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The non-final office action mailed 3/5/2026 has been vacated.
DETAILED ACTION
[This Corrected Non-Final Action replaces the Non-Final Action of 3/5/26]
Response to Amendment
Claims 1, 3-4, 9, 12 and 17-18 have been amended.
Claims 1-20 are pending.
Allowable Subject Matter - Withdrawn
The previous indication of allowability* of claims 1-20 is withdrawn in view of the newly discovered reference(s) to LAWSON (USPN 11,985,142) and XIE et al “Using Bayesian Networks for Cyber Security Analysis”. Rejections based on the newly cited references follow.
*Applicant is advised that the Notice of Allowance mailed 10/1/2025 is vacated. If the issue fee has already been paid, applicant may request a refund or request that the fee be credited to a deposit account. However, applicant may wait until the application is either found allowable or held abandoned. If allowed, upon receipt of a new Notice of Allowance, applicant may request that the previously submitted issue fee be applied. If abandoned, applicant may request refund or credit to a specified Deposit Account.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
CLAIMS 1-4, 8-11, 14-17, AND 19-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Claim 1 recites a method that recites:
“performing a risk evaluation”;
“generating an insight providing an evaluation of risk for the user participant in a risk category based on the activity data”;
“generating a risk score for the user participant based on the insight”.
Each of these limitations would be practical to perform in the mind with the aid of pencil and paper, and is thus directed towards a mental process (see MPEP §2106.04(a)(2)(III)). Each of these limitations analyzes a certain bit of data regarding activity data and draws conclusions and risk factors about the user participant. This is the type of analysis that can reasonably be done in the human mind. As a result, the limitations listed recite an abstract idea.
This judicial exception is not integrated into a practical application. Claim 1 further recites that the risk evaluation is performed “via a risk management security platform” and that the generation of the risk score is “via a causal belief network”. The claimed RMSP platform is a generic computer component that is being claimed as just a tool to perform the claimed mental steps. Performing an abstract idea on a computer tool does not transform the abstract idea into a practical application (see MPEP §2106.05(f)). Additionally, a generic computer tool such as a causal belief network is yet another tool that can be used to implement mental steps; tying an abstract idea to generic tools, or using just “apply it” type language with computer tools such as ML models or CBNs, does not help integrate the abstract idea into a practical application (see MPEP §2106.05(f)). Claim 1 also recites “receiving activity data for a risk-oriented event corresponding to a user participant” and “providing a notification based on the risk score”. These limitations are pre-solution and post-solution extra-solution activities (see MPEP §2106.05(g)). Both are claimed insignificant extra-solution activity and do not transform the claimed abstract idea into a practical application. The additional elements have been considered alone, and in combination with the claimed invention as a whole, but do not integrate the abstract idea into a practical application. As a result, the invention is directed towards an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of the method amount to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The limitations directed towards the receiving of the activity data and providing the notifications are insignificant extra-solution activity, which is additionally well-understood, routine, and conventional. MPEP §2106.05(g) details similar data gathering and transmission steps that have been found by the courts to be well-understood, routine, and conventional (MPEP §2106.05(d)). As a result, the claim is not patent eligible.
Claim 9 is directed towards an apparatus rather than the method of claim 1; however, the same rationale applies to claim 9 as provided in the rejection to claim 1. Additionally, the recitation of the processor within the apparatus does not help integrate the invention into a practical application or transform the invention into something significantly more than the abstract idea itself because the process is only providing a generic computer component that implements the recited abstract idea as instructions. As a result, claim 9 is not patent eligible.
Claim 17 is directed towards a memory device rather than the method of claim 1; however, the same rationale applies to claim 17 as provided in the rejection to claim 1. Additionally, the recitation of the instructions within the memory does not help integrate the invention into a practical application or transform the invention into something significantly more than the abstract idea itself because the process is only providing a generic computer component that implements the recited abstract idea as instructions. As a result, claim 17 is not patent eligible.
Claim 2 recites “the risk evaluation further including: grouping a plurality of user participants having a shared attribute into a segment; evaluating a risk trend for the segment based on the risk score for the plurality of user participants; and generating the notification regarding the risk trend for the segment.” The claim provides additional limitations that describe mental processes. As a result, the additional features of claim 2, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claims 10 and 19 are rejected under the same rationale as claim 2.
Claim 3 recites “the risk evaluation further including: the CBN includes a probabilistic graphical model.” The claim provides additional specificity to the claimed CBN of claim 1; however, the CBN is still operating within the claim as a generic computer component, as a tool to perform a mental process. As a result, the additional features of the claim, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself.
Claim 4 recites “The method of claim 3, further comprising including: modeling the activity data as input nodes; generating the insight based on an internal node receiving causal input from the input nodes; and generating the risk score based on an output node receiving causal input from a plurality of internal nodes.” The claim provides additional limitations that recite conventional usage of machine learning processes. The features do not represent an improvement to technology, but rather recite the very nature of machine learning, which is just the application of generic computer components to an abstract idea. See Recentive Analytics, Inc. v. Fox Corp., Case No. 2023-2437, pp. 11-13, (Fed. Cir. Apr. 18, 2025). As a result, the additional features of the claim, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself.
Claim 8 recites “The method of claim 1, the risk evaluation further including: implementing an action plan to reduce risk, including: identifying activity data having a value that corresponds to elevated risk; accessing a data structure of remedial actions based on a type of the activity data; and implementing a remedial action associated with the type of the activity data.” The claim provides additional limitations that describe mental processes, which are operating as mere instructions on generic computer components. As a result, the additional features of the claim, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claims 16 and 20 are rejected under the same rationale as claim 8.
Claim 11 recites “The apparatus of claim 9 comprising the processor further configured to: implement an integration service to gather and normalize the activity data, including: obtain the activity data from a plurality of third-party sources via application program interface (API) calls; convert the activity data from source formats corresponding to each of the plurality of third-party sources into a standard format; and store the activity data in the standard format to a data structure.” The claim provides additional limitations that recite conventional usage of machine learning processes. Applicant’s specification discloses these steps as typical pre-processing steps of gathered data (see specification ¶25) by reciting the steps at a high level of generality. The features do not represent an improvement to technology, but rather recite the very nature of machine learning, which is just the application of generic computer components to an abstract idea. See Recentive Analytics, Inc. v. Fox Corp., Case No. 2023-2437, pp. 11-13, (Fed. Cir. Apr. 18, 2025). As a result, the additional features of the claim, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself.
Claim 14 recites “The apparatus of claim 10 comprising the processor further configured to: implement a notification service to provide the notification, including: determine to provide a notification based on the risk score; generate a human-parsable notification message based on the risk score; and select a notification medium from a plurality of notification mediums by which to provide the notification.” The additional limitations provide an insignificant post-solution activity notification of the results of the claimed abstract idea. MPEP §2106.05(d) discloses that electronic transmittal of the result of an abstract idea is typically a well-understood, routine, and conventional step. As a result, the additional features of the claim, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself.
Claim 15 recites “The apparatus of claim 10 comprising the processor further configured to: receive a user request for information via a web application; and provide information regarding the insight via the web application.” The additional limitations provide insignificant pre-solution and post-solution activities. MPEP §2106.05(d) discloses that electronically receiving input and requests and electronic transmittal of the result of an abstract idea are typically well-understood, routine, and conventional steps. As a result, the additional features of the claim, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself.
CLAIM REJECTIONS - 35 USC § 103
IV. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
V. CLAIMS 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over COFFEY et al (USPN 11,171,980) in view of LAWSON (USPN 11,985,142) and XIE et al “Using Bayesian Networks for Cyber Security Analysis”.
a. Per claim 1, COFFEY et al teach a method comprising:
performing a risk evaluation via a risk management security platform (RMSP), including (col.8 line 43-col.9 line 2, col.10 line 23-col.11 line 3—risk management service and security analytics system that performs risk assessment operations):
receiving activity data for a risk-oriented event corresponding to a user participant (col.10 lines 4-22, col.10 line 52-col.11 line 31, col.24 line 52-col.26 line 29—receiving user behavior and interaction, mouse activity and web browsing activity data for risk analytics);
generating an insight providing an evaluation of risk for the user participant in a risk category based on the activity data (Figure 8 steps 803-804, col.25 line 47-col.26 line 16, col.26 lines 30-65, col.29 line 66-col.30 line 39—evaluating risk for the user as anomalous, abnormal, unexpected or malicious based on the activity data);
generating a risk score for the user participant based on the insight (Figure 8 step 805, col.30 lines 40-52—assigning risk scores based on risk analytics service associated with user’s behavior); and
providing a notification based on the risk score (Figure 8 step 806, col.29 lines 3-52, col.30 line 53-col.31 line 7—propagating user’s risk scores to other users serves as a notice).
COFFEY et al teach the limitations, as applied above, risk assessments that automatically provision auto-prevention policies enforcement tools, propagating user’s risk scores to other users (col.29 lines 3-52) and assigning risk scores based on risk analytics service associated with user’s behavior (col.17 line 1-col.18 line 18, col.26 line 30-col.27 line 15), yet fail to explicitly teach “generating a risk score for the user participant based on the insight via a causal belief network (CBN)”.
However, LAWSON teaches using a Bayesian probabilistic analysis and framework for anomaly detection and cybersecurity analysis (col.12 line 50-col.13 line 19), generating anomaly scores and threat values using Bayesian probabilistic analysis (col.16 lines 20-29 and 34-42, col.17 line 59-col.18 line 15), and generating notifications and alerts based on the anomaly score (col.10 lines 30-67). A Bayesian Network (also known as a Bayes network, belief network, or decision network) is a probabilistic graphical model that represents a set of variables and their conditional dependencies via a directed acyclic graph (DAG). This model is used for representing and solving problems that involve uncertainty and probabilistic events, which qualifies as a causal belief network.
XIE et al teach the use of a causal belief network (i.e., a Bayesian network) for cyber security analysis. In particular, XIE et al (see the bridging paragraph of the left and right column, on page 212) describe that a “Bayesian network (BN) is a graphical representation of cause-and-effect relationships within a problem domain. More formally, a Bayesian network is a Directed Acyclic Graph (DAG) in which: the nodes represent variables of interest (propositions); the directed links represent the causal influence among the variables”. XIE et al describe a BN-based tool to measure network security risk (see section 3, on pages 216-217).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of COFFEY et al with LAWSON and XIE et al for the purpose of provisioning notifications/alerts based on the risk/threat or scores via a Bayesian probabilistic framework that correlates causal links, wherein Bayesian networks are well-known in the art to model probabilities for risk analysis. Furthermore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use a causal belief network (i.e., a Bayesian network) to determine network security risk as in XIE et al in the invention of COFFEY et al because the experimental results of XIE et al “show that using Bayesian networks may bring in new opportunities for improved enterprise security analysis” (see the last paragraph in section 6, on page 220), that “[o]ur work makes use of the output of intrusion detectors and incorporates it into a holistic security analysis framework” and that “[o]ur BN model address a wider range of security analysis, most importantly the problem of real-time situation awareness” (see the first and second paragraphs of section 5).
Claims 9 and 17 contain limitations that are substantially equivalent to the limitations of claim 1, and are therefore rejected under the same basis. As per claim 9, it is rejected for similar reasons as given for claim 1. COFFEY et al further teach an apparatus (information handling system 100, at Figure 1, and col.3 lines 13-15, which describes that “FIG. 1 is a generalized illustration of an information handling system that can be used to implement selected embodiments of the present disclosure”) comprising: a processor (CPU 102, at figure 1, and col.3 lines 16-17) configured to implement a risk management security platform to perform a risk evaluation (see col.3 lines 34-51, which describes that “[i]n various embodiments, the contagion risk analysis system 118 performs a contagion-based risk analysis operation”). As per claim 17, COFFEY et al further teach a memory device storing instructions, that when executed, cause a processor (see col.32, lines 8-37, which describes that “[e]mbodiments of the invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention”). It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions.
b. Per claim 2, COFFEY et al with LAWSON and XIE et al teach the method of claim 1, LAWSON further teaches the risk evaluation further including: grouping a plurality of user participants having a shared attribute into a segment; evaluating a risk trend for the segment based on the risk score for the plurality of user participants; and generating the notification regarding the risk trend for the segment (col.7 lines 61-67, col.9 line 64-col.10 line 6, col.10 lines 30-67, col.11 lines 15-22—identifying key patterns and trends in the data, evaluating and analyzing metrics to combine with patterns of behavior and life data, combining sets of metrics based on anomaly scores and threat alerts).
Claims 10 and 19 contain limitations that are substantially equivalent to the limitations of claim 2, and are therefore rejected under the same basis.
c. Per claim 3, COFFEY et al with LAWSON and XIE et al teach the method of claim 1, COFFEY et al further teach the risk evaluation further including: generating the risk score based on a probabilistic graphical model (col.14 lines 34-49, col.15 lines 22-43, col.15 line 56-col.16 line 67, col.17 lines 20-55—risk score and probability distribution function and temporal models for quantifying risk assessment; LAWSON: col.8 lines 50-63, col.12 line 50-col.13 line 19—Bayesian probabilistic analysis modeling, Bayesian network (BN) is a graphical representation of cause-and-effect relationships within a problem domain, graphically rendering anomaly scores).
d. Per claim 4, COFFEY et al with LAWSON and XIE et al teach the method of claim 3, LAWSON further teaches the method further comprising: modeling the activity data as input nodes; generating the insight based on an internal node receiving causal input from the input nodes; and generating the risk score based on an output node receiving causal input from a plurality of internal nodes (col.7 lines 46-60—modeling to spot behavior on the computing systems that fall outside the parameters set by a moving benchmark; col.8 lines 25-49, col.9 lines 15-28—correlating causal links between activities to supply this input into the cyber-threat module, which can also factor this network activity link to a particular email causal link analysis into its determination of the threat risk parameter; cyber threat defense system monitoring email activity and network activity to feed this data to correlate causal links between these activities to supply this input into the cyber threat analysis).
Claim 12 contains limitations that are substantially equivalent to the limitations of claim 4, and are therefore rejected under the same basis.
e. Per claim 5, COFFEY et al with LAWSON and XIE et al teach the method of claim 4, LAWSON further teaches the method further comprising: modeling the plurality of internal nodes and the output node based on conditional probability tables, with a conditional probability table defining a probability of a value for a corresponding node based on values from parent nodes that provide causal input to the corresponding node (col.7 lines 28-36, col.9 lines 39-44—assigning probability of a given cyber threat hypothesis including abnormal behavior or suspicious activity, modeling including threat risk parameter score or probability indicative of the threat level; col.12 lines 50-61, col.16 lines 34-42—Bayesian mathematical model and probabilistic approach for detecting behavioral change in computers).
Claims 13 and 18 contain limitations that are substantially equivalent to the limitations of claim 5, and are therefore rejected under the same basis.
f. Per claim 6, COFFEY et al with LAWSON and XIE et al teach the method of claim 4, LAWSON further teaches the method further comprising: modeling the CBN to include: a first input node representing the activity data for the user participant; and a second input node representing a risk modifier value for the user participant, wherein certain values for the second input node amplify a risk associated with the first input node (col.7 lines 28-36, col.9 lines 39-44—assigning probability of a given cyber threat hypothesis including abnormal behavior or suspicious activity, modeling including threat risk parameter score or probability indicative of the threat level; col.12 lines 50-61, col.16 lines 34-42—Bayesian mathematical model and probabilistic approach for detecting behavioral change in computers; col.23 lines 41-49—using a k-means model applied to a modified term frequency).
g. Per claim 7, COFFEY et al with LAWSON and XIE et al teach the method of claim 4, LAWSON further teaches the method further comprising: modeling the CBN to include: the plurality of internal nodes, each internal node corresponding to one of a plurality of risk categories; and the output node configured to generate the risk score representing an aggregate risk for the user participant across all risk categories (col.2 lines 11-67, col.10 lines 48-58, col.23 lines 50-59—classifying and categorizing of threat risk for determining score, metrics are combined and passed through machine learning algorithms to produce a single anomaly score; col.17 line 59-col.18 line 15—Bayesian framework allows the cyber security appliance to integrate a huge number of weak indicators or low threat values of potentially anomalous network behavior to produce a single clear overall measure of these correlated anomalies to determine how likely a network device is to be compromised).
h. Per claim 8, COFFEY et al with LAWSON and XIE et al teach the method of claim 1, LAWSON further teaches the risk evaluation further including: implementing an action plan to reduce risk, including: identifying activity data having a value that corresponds to elevated risk; accessing a data structure of remedial actions based on a type of the activity data; and implementing a remedial action associated with the type of the activity data (col.3 lines 1-20, col.7 lines 61-67, col.8 line 33-col.9 line 14, col.9 lines 39-44, col.24 line 45-col.25 line 61—determining categories and types of cyber threats, threat levels, threshold exceeded event and appropriate response actions, autonomous action and response module implements actions to reduce risks; COFFEY et al: col.29 lines 3-52—automatically provision auto-prevention policies enforcement tools).
Claims 16 and 20 contain limitations that are substantially equivalent to the limitations of claim 8, and are therefore rejected under the same basis.
i. Per claim 11, COFFEY et al with LAWSON and XIE et al teach the apparatus of claim 9, LAWSON further teaches comprising the processor further configured to: implement an integration service to gather and normalize the activity data, including: obtain the activity data from a plurality of third-party sources via application program interface (API) calls; and convert the activity data from source formats corresponding to each of the plurality of third-party sources into a standard format; and store the activity data in the standard format to a data structure (col.6 lines 54-59, col.12 lines 10-17, col.25 lines 3-19—Open Source APIs, conversion of data into a safe format and storage).
j. Per claim 14, COFFEY et al with LAWSON and XIE et al teach the apparatus of claim 10, LAWSON further teaches comprising the processor further configured to: implement a notification service to provide the notification, including: determine to provide a notification based on the risk score; generate a human-parsable notification message based on the risk score; and select a notification medium from a plurality of notification mediums by which to provide the notification (col.10 lines 30-67, col.26 lines 35-44—generating notifications and alerts based on the anomaly score, types of notifications triggered by anomalies).
k. Per claim 15, COFFEY et al with LAWSON and XIE et al teach the apparatus of claim 10, LAWSON further teaches comprising the processor further configured to: receive a user request for information via a web application; and provide information regarding the insight via the web application (col.28 lines 46-60—receiving client request via web browser based applications; COFFEY et al—col.9 line 16-col.10 line 37, col.10 line 53-col.11 line 3, col.26 lines 52-65—user behavior information associated with user request).
Conclusion
VI. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: US 2020/0274894; USPN 12170902.
VII. Any inquiry concerning this communication or earlier communications from the examiner should be directed to KRISTIE D SHINGLES whose telephone number is (571)272-3888. The examiner can normally be reached on Monday-Thursday 10am-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal Divecha can be reached on 571-272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KRISTIE D SHINGLES/
Primary Examiner, Art Unit 2453