DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
The objections to the claims have been withdrawn in light of the amendments to the claims, filed 02/03/26.
Applicant’s arguments with respect to the rejection of the claims under 35 U.S.C. 101 have been fully considered but are not persuasive.
Applicant argues that the claims recite an improvement in technology and/or the technical field of cybersecurity. However, Examiner respectfully disagrees. That is, Applicant first argues that the claims encompass an improvement by reducing the computational burden required to generate cybersecurity courses. However, the Specification recites "A technical problem is that current approaches require significant computing resources, such as processor resources and/or memory resources, to generate cybersecurity training simulations.” (Specification, [0022]). Yet, the claims recite a non-transient computer-readable storage medium and one or more processors to provide and modify cybersecurity simulation and training. Moreover, the claims do not recite the creation of customized phishing related training courses (see Specification, [0021], “Users need customized training, which is not currently being offered because of the resources and computing power needed to create custom training modules for each user.”). There is nothing in the claims to indicate that the cybersecurity training course/modules are customized to a user. Rather, the cybersecurity training course is modified based on the identified change to the cybersecurity simulation.
Second, Applicant argues that the claims encompass modification, which can be done automatically, to the cybersecurity training course in response to identification of a change to the cybersecurity simulation, thereby providing for up-to-date cybersecurity courses which can be computationally efficiently generated and scaled. However, the Specification recites wherein the challenge with providing up-to-date cybersecurity training courses is identifying or detecting a change in a cybersecurity simulation (Specification, [0033-0034]). Yet, the claims do not recite an improvement to identifying a change in the cybersecurity simulation. Moreover, the claims do not recite an automatic modification to the cybersecurity training course.
For these reasons, the claims remain rejected under 35 U.S.C. 101, as presented in detail below.
Applicant’s arguments with respect to the rejections of the claims under 35 U.S.C. 103 have been fully considered and are persuasive. That is, Sadeh-Koniecpol does not disclose or teach, in response to identification of a change to the cybersecurity simulation, modifying the cybersecurity training course to include explanation data relating to a phish and the phish difficulty. Therefore, the previous rejections under 35 U.S.C. 103 have been withdrawn. However, a new ground(s) of rejection has been presented in light of the amendments to the claims, as discussed in detail below.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the Specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 1 recites in part “in response to identification of a change to the cybersecurity simulation, modify the cybersecurity training course to include explanation data relating to the phish and the phish difficulty”. However, the Specification does not disclose wherein the explanation data relating to the phish and the phish difficulty is included in the cybersecurity training course based on the modification to the cybersecurity training course in response to the identification of a change to the cybersecurity simulation (see Specification, [0064], “The difficulty of the phish that was experienced by the user may be displayed to the user in the training course so that the user may be informed as to whether it was a difficulty phish to spot or not and why it was difficult. […] The dynamically generated training course may further provide an explanation to give users advice on how to avoid falling victim to a phish that targets similar emotions or include similar cues.”).
Independent claims 8 and 15 are rejected for the same reasoning.
All dependent claims are rejected by virtue of their dependencies on the independent claims.
No prior art is currently provided in light of the rejection of the claims under 35 U.S.C. 112(a) presented above.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Regarding claim 8, analyzed as representative claim: [Step 1] Claim 8 recites in part “A method”, which falls within the “process” statutory category of invention.
[Step 2A – Prong 1] The claim recites a series of steps which, under their broadest reasonable interpretation, encompass certain methods of organizing human activity (i.e., managing personal behavior or relationships or interactions between people – including social activities, teaching, and following rules or instructions) (see MPEP 2106.04(a)(2)(II)).
Claim 8 recites: A method of providing cybersecurity simulation and training, the method comprising:
generating a cybersecurity simulation comprising a set of simulation elements selected from a simulation and training database, the set of simulation elements being associated with a set of simulation characteristics, the cybersecurity simulation comprising a phish having a phish difficulty (human activity: managing personal behavior or relationships or interactions between people, e.g., teaching);
in response to detection of a cybersecurity simulation completion condition, dynamically generating a cybersecurity training course comprising a set of training elements corresponding to the set of simulation characteristics, the set of training elements selected from the simulation and training database (human activity: managing personal behavior or relationships or interactions between people, e.g., teaching); and
in response to identification of a change to the cybersecurity simulation, modifying the cybersecurity training course to include explanation data relating to the phish and the phish difficulty, the modification being based on the identified change to the cybersecurity simulation (human activity: managing personal behavior or relationships or interactions between people, e.g., teaching).
The limitations, under their broadest reasonable interpretation, encompass certain methods of organizing human activity, as shown above. That is, a cybersecurity simulation (e.g., hypothetical scenario, such as a phish) could be generated and presented using a “tabletop method”, where participants can be presented and talk or work through the hypothetical scenario/simulated cybersecurity incident (e.g., in person, through text messaging, or other chat platforms). Thereafter, a cybersecurity training course could be dynamically generated/presented (e.g., lecture, handouts, etc.) after responses to the hypothetical scenario are received. Additionally, the cybersecurity simulation and training course could be modified by a user (e.g., administrator/teacher/etc.) and include an explanation/feedback relating to the hypothetical scenario (phish) and its difficulty. Therefore, the claim encompasses an abstract idea.
[Step 2A – Prong 2] The claim fails to recite additional limitations to integrate the abstract idea into a practical application. The additional limitation of a simulation and training database for storing for selection cybersecurity simulation and cybersecurity training course elements is recited at a high level of generality and encompasses a generic computing component for storing data. Thus, the additional element amounts to no more than mere instructions to apply the abstract idea using a generic computer component and/or generally links the use of the abstract idea to a particular technological environment – e.g., a computing environment. The claim does not recite (i) an improvement to the functionality of a computer or other technology or technical field (See MPEP 2106.05(a)), (ii) a “particular machine” to apply or use the abstract idea (See MPEP 2106.05(b)), (iii) a particular transformation of an article to a different thing or state (See MPEP 2106.05(c)), or (iv) any other meaningful limitation (See MPEP 2106.05(e)). Accordingly, the claim is directed to the abstract idea.
[Step 2B] As discussed above with respect to integration of the abstract idea into a practical application, the claim does not further include additional elements that are sufficient to amount to significantly more than the abstract idea. The database encompasses a generic computing component for performing its routine function (e.g., storing data), and amounts to no more than mere instructions to apply the abstract idea using a generic computer component and/or generally links the use of the abstract idea to a particular technological environment – e.g., a computing environment. Thus, the claim is not patent eligible.
Independent claim 1 recites a system configured for providing cybersecurity simulation and training, the system comprising a non-transient computer-readable storage medium having executable instructions embodied thereon and one or more hardware processors configured to execute the instructions to perform the limitations discussed above. These additional limitations are recited at a high level of generality such that they do not amount to a particular machine or technical improvement thereof, nor do they represent an improvement in any other technology. Rather, the generic manner in which these additional elements are claimed amount to mere instructions to apply the exception using generic computing components and/or generally link the abstract idea to a computer environment. Therefore, the additional limitations do not integrate the abstract idea(s) into a practical application or provide significantly more (i.e., an inventive concept). Independent claim 15, reciting a non-transient computer-readable storage medium having instructions embodied thereon, the instructions being executable by one or more processors to perform the method steps discussed above, is similarly rejected.
Claims 2-7, 9-14, and 16-20 are dependent on claims 1, 8, and 15, respectively, and therefore recite the same abstract idea noted above. While the dependent claims may have a narrower scope than the independent claims, the claims fail to recite additional limitations that would integrate the abstract idea into a practical application or provide significantly more (i.e., an inventive concept). Additionally, while claims 7 and 14 further recite in part providing the user with a link to an external platform with an option to access the cybersecurity training course, this limitation encompasses extra-solution activity (e.g., sending a user to a location (i.e., a link to a text file) to access content/the results of the abstract creation process). Therefore, claims 2-7, 9-14, and 16-20 are also not patent eligible.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
U.S. 10,970,188 B1 – This reference teaches wherein, when a user is unsuccessful in detecting a threat, the user is presented with a training module explaining details related to the simulated vector, which pertains to a difficulty level, wherein the training may include a nature of attack used by the simulated vector, the method and masquerading technique used by the simulated vector, and how the user may detect the threat in the future.
U.S. Pub. 2023/0336588 A1 – This reference teaches wherein a computing device may update a phishing lure generation model, wherein the update may adjust a level of difficulty.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALYSSA N BRANDLEY whose telephone number is (571)272-4280. The examiner can normally be reached M-F: 8:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Dmitry Suhol, can be reached at (571)272-4430. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ALYSSA N BRANDLEY/Examiner, Art Unit 3715
/DMITRY SUHOL/Supervisory Patent Examiner, Art Unit 3715