SECURITY SERVICES FOR SMALL BUSINESSES

DETAILED ACTION In a communication received on 17 November 2025, applicants requested reconsideration of the rejection. Claims 46-65 are pending. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant's arguments filed have been fully considered but they are not persuasive. With respect to claim 46, the applicants allege, "Pilkington makes no mention of 'user digital health scores are weighted by notional values of enterprise assets stored on or accessible to the enterprise assets.' The Examiner appears to have ... replaced it with 'category risk scores' as found in Pilkington" (page 7) with respect to the claimed limitation(s), "wherein the user digital health scores are weighted by notional values of enterprise assets stored on or accessible to the enterprise assets". The examiner respectfully traverses. The arguments/remarks pertain to whether the cited prior art does not disclose an a notional value weighing digital health scores. The examiner concludes that the cited prior art clearly discloses or suggests weighting according to importance/value without needing to meet exact formula or literal "notional values" Ascertaining the differences between the prior art and the claims at issue requires interpreting the claim language, and considering both the invention and the prior art references as a whole (See 2141.02 "Differences Between Prior art and Claimed Invention). As best understood by the examiner, the broadest reasonable interpretation of the claimed limitation pertains to merely a variable monetary or security importance of the asset and is not interpreted as an exact equation or formula. Applicant does not address the combination of the cited prior art references and rather alleges Pilkington singularly does not disclose the claimed feature. Pilkington however substantially discloses assigning a subjective weighting to risk; Pilkington [0064] recites, "The individual weightings allow different weightings to be applied to the different category types to allow the security threat posed by each category to be leveled relative to each other". Further, Pilkington [0049] recites, "However, the current system provides the ability for the organization to increase the weight for specific named entities such as the valuable server machine with valuable intellectual property". Viewed as a whole of a combination, the claimed feature is suggested because Kuppa [0065] discloses a weighted average when calculating a security score and Guo [0043] disclosing output to a user prompting, informing, and recommending actions to the user about security related data. Pilkington alone substantially discloses the claimed feature and suggests in combination with Kuppa and Guo displaying security related scoring corresponding to enterprise assets with a weights assigned by subjective value to the organization. In conclusion, the applicants argue(s) that the cited prior art does not disclose an a notional value weighing digital health scores. The examiner traverses because the cited prior art clearly discloses or suggests weighting according to importance/value without needing to meet exact formula or literal "notional values". Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 46-65 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuppa et al. (US 2022/0286474 A1) in view of Guo (US 2004/0250107 A1), and further in view of Pilkington et al. (US 20190044969 A1). With respect to claim 46, Kuppa discloses: a computer-implemented method of providing security services to an enterprise (i.e., measuring the effectiveness of security controls such as patch management and intrusion prevention in Kuppa, ¶0044), comprising: computing, for a plurality of users for an enterprise (i.e., assessments of vulnerability for users associated with assets such as configurations of actively running assets and password compliance of users associated with the assets in Kuppa, ¶033), a plurality of user digital health scores based on respective protection statuses (i.e., scoring and assessing and quantifying the effect and/or absence of having a security control installed and active on an asset in Kuppa, ¶0100) for a plurality of enterprise assets owned by respective users (i.e., determining a risk and tradeoff score based on a cyber risk score based on common vulnerability scoring system, CVSS, for an asset mitigated or increased by a relative tradeoff score corresponding to installed security controls in Kuppa, ¶0095, ¶0097-0098, ¶0110, ¶0111) Kuppa discloses stakeholders being provided optimizations of presented risk vs tradeoff values to assess the effectiveness of different security controls against different threats (¶0043-0045). Kuppa do(es) not explicitly disclose displaying through an interface to the user a health score and recommendations to improve the score. Guo, in order to improving users' security awareness, expose potential attacks and make educated decisions (¶0008), discloses: graphically displaying to an enterprise administrator the overall enterprise security status score (i.e., output a score based on security-related settings and reporting whether an antivirus program is up to date; provide security related knowledge via a user interface in Guo, ¶0035, ¶0042); and presenting to the enterprise administrator a plurality of action recommendations to improve the overall enterprise security status score (i.e., output scores and prompt user and recommend corrective actions in Guo, ¶0043). Based on Kuppa in view of Guo, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Guo to improve upon those of Kuppa in order to improving users' security awareness, expose potential attacks and make educated decisions. Kuppa discloses scoring and assessing and quantifying the effect and/or absence of having a security control installed and active on an asset (¶0100). Kuppa and Guo do(es) not explicitly disclose the following. Pilkington, in order to improve awareness of security situation for higher value devices within an enterprise (¶0049), discloses: wherein the user digital health scores are weighted by notional values of enterprise assets stored on or accessible to the enterprise assets (i.e., weightings for individual categories or populations corresponding to the categories may be applied to indicate populations corresponding to certain phones more valuable and therefore weighted more highly in Pilkington, ¶0064); computing, for the enterprise, an overall enterprise security status score based on the plurality of user digital health scores (i.e., computing an aggregate risk score for an overall risk of the population including combinations of different entity types and users in Pilkington, ¶0046). Based on Kuppa in view of Guo, and further in view of Pilkington, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Pilkington to improve upon those of Kuppa in order to improve awareness of security situation for higher value devices within an enterprise. With respect to claim 47, Kuppa discloses: the computer-implemented method of claim 46, wherein the enterprise is a small business (i.e., enterprise may have business requirements to avoid disruption, security control decisions can scale with the growing number of devices in Kuppa, ¶0023-0024, ¶0040). With respect to claim 48, Kuppa discloses: the computer-implemented method of claim 47, wherein the small business has fewer than 250 employees (i.e., various flexibilities with virtual and offsite cloud environments, and a number of users and their bring your own devices increase agility and scale of any organizations which the invention addresses the corresponding security needs in Kuppa, ¶0023-0024). With respect to claim 49, Kuppa discloses: the computer-implemented method of claim 46, wherein a user digital health score is further adjusted according to notional assets of the plurality of enterprise assets (i.e., cloud scanner includes the added attack surface and identifiable risks of virtual and off-site cloud assets to the risk scoring methodology in Kuppa, ¶0023, ¶0026). With respect to claim 50, Kuppa discloses: the computer-implemented method of claim 49, wherein the notional assets are adjustable by an enterprise administrator (i.e., stakeholders deciding on adjusting weightings for the score that impacts an organization with short lived and dynamic cloud and virtual assets in Kuppa, ¶0064). With respect to claim 51, Kuppa discloses: the computer-implemented method of claim 46, wherein a user digital health score is further adjusted according to weights assigned to individual protection statuses for the plurality of enterprise assets (i.e., for each security control applied to an asset, weights according to its ability to mitigate a threat corresponding to prevention, detection, and response parameters impact the security controls impact on the risk score in Kuppa, ¶0064-0066). With respect to claim 52, Kuppa discloses: the computer-implemented method of claim 46, wherein computing a user digital health score comprises computing respective sub-scores for a plurality of protection categories (i.e., scores for particular security control’s ability to mitigate a threat according to prevention, detection, and response in Kuppa, ¶0064), and computing a weighted sum of sub-scores, wherein each sub-score is assigned a relative weight, and a sum of the relative weights is 1.0. (i.e., stakeholders can assign weightings to particular parameters of a risk trade off score, the weights corresponding to prevention, detection, and response sum up to a weight of 1 in Kuppa, ¶0064). With respect to claim 53, Kuppa discloses: the computer-implemented method of claim 52, wherein the plurality of protection categories comprise security (i.e., a cyber risk score determined from identifying a threat or vulnerability in Kuppa, ¶0098-0099). Kuppa discloses a risk and tradeoff score corresponding to the organization weighted by prevention, detection, and response impact of security controls on a particular threat to assets (¶0064-0066). Kuppa do(es) not explicitly disclose the following. Guo, in order to improving users' security awareness, expose potential attacks and make educated decisions (¶0008), discloses: identity (i.e., detection and mitigation of creating guest accounts without proper passwords in Guo, ¶0028), and privacy (i.e., file monitor to prevent files from being accessed or emailed according to rules in Guo, ¶0034). Based on Kuppa in view of Guo, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Guo to improve upon those of Kuppa in order to improving users' security awareness, expose potential attacks and make educated decisions. With respect to claim 54, Kuppa discloses: the computer-implemented method of claim 53, wherein a relative weight for security is higher than a relative weight for identity, and the relative weight for identity is higher than the relative weight for privacy (i.e., an ordered weight averaging operation which orders and weighs the criterion and can be adjusted such that prevention may be more important than detection/response; the different weightings can be ordered from largest to smallest relatively in Kuppa, ¶0064, ¶0067). With respect to claim 55, Kuppa discloses: the computer-implemented method of claim 54, further comprising computing for a user a personal digital health score that includes non-enterprise assets (i.e., evaluating the devices on the network include mobile or bring-your-own-devices (byod) that are personal to the user in Kuppa, ¶0021). With respect to claim 56, Kuppa discloses scoring and assessing and quantifying the effect and/or absence of having a security control installed and active on an asset (¶0100). Kuppa and Guo do(es) not explicitly disclose assigning higher weight for one type of entity over another. Pilkington, in order to improve awareness of security situation for higher value devices within an enterprise (¶0049), discloses: the computer-implemented method of claim 55, wherein the relative weights for the personal digital health score are different from the relative weights for the user digital health score (i.e., associating high weight to company device with valuable intellectual property relative to low weight for other assets such as an individual user account/device in Pilkington, ¶0049). Based on Kuppa in view of Guo, and further in view of Pilkington, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Pilkington to improve upon those of Kuppa in order to improve awareness of security situation for higher value devices within an enterprise. With respect to claim 57, Kuppa discloses: the computer-implemented method of claim 46, wherein a user digital health score is computed as a weighted sum of asset protection scores for a plurality of assets owned by the respective users (i.e., assets with different security controls configured, an overall causal effect of each security control can be determined; computing a weighted average as a summation of weighted scores based on the plurality of individuals and assets in Kuppa, ¶0049, ¶0067). Kuppa discloses computing a weighted average as a summation of weighted scores (¶0067). Kuppa do(es) not explicitly disclose Boolean protection statuses. Guo, in order to improving users' security awareness, expose potential attacks and make educated decisions (¶0008), discloses: wherein an asset protection score is computed as a weighted sum of boolean protection statuses for a plurality of protections available to an asset (i.e., reporting an overall health score based on security settings determined to be active or not in Guo, ¶0067). Based on Kuppa in view of Guo, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Guo to improve upon those of Kuppa in order to improving users' security awareness, expose potential attacks and make educated decisions. With respect to claim 58, Kuppa discloses: the computer-implemented method of claim 57, wherein the user digital health score is computed as a ratio relative to a perfect user digital health score (i.e., measurements expressed as probabilities, ratios, or a top score of 1.0 to determine an effectiveness score in Kuppa, ¶0050-0053). With respect to claim 59, Kuppa discloses: the computer-implemented method of claim 46, wherein the enterprise assets are selected from a group consisting of devices, data, storage, business applications, online presence, social media, account credentials, encryption keys, digital certificates, financial assets, crypto assets, e-commerce assets, proprietary data, business identity, and personal identity (i.e., assets to determine a risk to include objects including, computers, phones, tablets, devices, cloud instances, containers in Kuppa, ¶0019). With respect to claim 60, the limitation(s) of claim 60 are similar to those of claim(s) 46. Therefore, claim 60 is rejected with the same reasoning as claim(s) 46. With respect to claim 61, the limitation(s) of claim 61 are similar to those of claim(s) 47. Therefore, claim 61 is rejected with the same reasoning as claim(s) 47. With respect to claim 62, the limitation(s) of claim 62 are similar to those of claim(s) 48. Therefore, claim 62 is rejected with the same reasoning as claim(s) 48. With respect to claim 63, the limitation(s) of claim 63 are similar to those of claim(s) 49. Therefore, claim 63 is rejected with the same reasoning as claim(s) 49. With respect to claim 64, Kuppa discloses: a computing device, personal to a user associated with a small business (i.e., mobile or bring-your-own-device resources in Kuppa, ¶0021), comprising: a processor circuit; a memory, comprising personal data and business data (i.e., network devices such as laptops, mobiles, tablets, wearables, and bring your own devices, byod with corresponding data in Kuppa, ¶0021); and a small business security agent (i.e., agent, light weight program, with sufficient privileges to collect system data to report to a management system in Kuppa, ¶0025), comprising instructions stored on the memory to instruct the processor circuit to: compute an enterprise digital health score (i.e., scoring and assessing and quantifying the effect and/or absence of having a security control installed and active on an asset in Kuppa, ¶0100) according to an observed presence of available protections for the business data (i.e., assessing and quantifying the effect of a security control being installed or active or the prospective effect of the security control that is not installed to determine a cyber risk score for a target asset in Kuppa, ¶0100-0101) Kuppa discloses a risk and tradeoff score corresponding to the organization weighted by prevention, detection, and response impact of security controls on a particular threat to assets (¶0064-0066). Kuppa do(es) not explicitly disclose the following. Guo, in order to improving users' security awareness, expose potential attacks and make educated decisions (¶0008), discloses: compute a personal digital health score according to an observed presence of available protections (i.e., output a score based on security-related settings and reporting whether an antivirus program is up to date; provide security related knowledge via a user interface in Guo, ¶0035, ¶0042) for the personal data (i.e., detection and mitigation of creating guest accounts without proper passwords; file monitor to prevent files from being accessed or emailed according to rules in Guo, ¶0028, ¶0034); send to the small business the enterprise digital health score (i.e., output scores and prompt user and recommend corrective actions in Guo, ¶0043); and display to the user the personal digital health score (i.e., output a score based on security-related settings and reporting whether an antivirus program is up to date; provide security related knowledge via a user interface in Guo, ¶0035, ¶0042), along with actionable factors that affect the personal digital health score (i.e., output scores and prompt user and recommend corrective actions in Guo, ¶0043). Based on Kuppa in view of Guo, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Guo to improve upon those of Kuppa in order to improving users' security awareness, expose potential attacks and make educated decisions. Kuppa discloses scoring and assessing and quantifying the effect and/or absence of having a security control installed and active on an asset (¶0100). Kuppa and Guo do(es) not explicitly disclose the following. Pilkington, in order to improve awareness of security situation for higher value devices within an enterprise (¶0049), discloses: wherein the business data are proprietary to the small business (i.e., defines business vulnerability for entities, computing devices, user accounts, user, with regards to industrial espionage suggesting proprietary data in Pilkington, ¶0052), wherein the enterprise digital health score is weighted according to notional values for the business data; (i.e., weightings for individual categories or populations corresponding to the categories may be applied to indicate populations corresponding to certain phones more valuable and therefore weighted more highly in Pilkington, ¶0064). Based on Kuppa in view of Guo, and further in view of Pilkington, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Pilkington to improve upon those of Kuppa in order to improve awareness of security situation for higher value devices within an enterprise. With respect to claim 65, Kuppa discloses a risk and tradeoff score corresponding to the organization weighted by prevention, detection, and response impact of security controls on a particular threat to assets (¶0064-0066). Kuppa do(es) not explicitly disclose the following. Guo, in order to improving users' security awareness, expose potential attacks and make educated decisions (¶0008), discloses: the computing device of claim 64, wherein the small business security agent further comprises instructions to receive from a small business administrator an action directive to improve the enterprise digital health score, and to carry out the action directive on the computing device (i.e., allowing the user to make a decision and to perform the actions for the user in Guo, ¶0033). Based on Kuppa in view of Guo, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Guo to improve upon those of Kuppa in order to improving users' security awareness, expose potential attacks and make educated decisions. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHERMAN L LIN whose telephone number is (571)270-7446. The examiner can normally be reached Monday through Friday 9:00 AM - 5:00 PM (Eastern). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang can be reached on 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. Sherman Lin 3/15/2026 /S. L./Examiner, Art Unit 2447 /JOON H HWANG/Supervisory Patent Examiner, Art Unit 2447