DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
This office action is a response to an amendment filed on 10/21/2025. Claims 1-20 are currently pending, of which claims 1, 19 and 20 are amended.
Response to Arguments
Applicant’s remarks, see page 7, with respect to the double patenting have been fully considered. The terminal disclaimer filed on 10/21/2025 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of US Patent 11914719 has been reviewed and is accepted. The terminal disclaimer has been recorded. As a result, the double patenting rejections are withdrawn.
Applicant’s remarks, see pages 7-9, with respect to the rejections under 35 USC 103 have been fully considered. The amended claims overcome the prior rejections; therefore, the rejections have been withdrawn. However, upon further consideration, a new ground(s) of rejection is made, necessitated by the amendments.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 6-8, 11-17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hawthorn et al. (US 2017/0244746), hereinafter Hawthorn, in view of Alohali et al. “The Design and Evaluation of a User-Centric Information Security Risk Assessment and Response Framework”, International Journal of Advanced Computer Science and Applications (IJACSA), Vol. 9, Issue 10, 2018, hereinafter Alohali, further in view of Kumaraguru et al., “Teaching Johnny not to fall for phish”, ACM Transactions on Internet Technology (TOIT), Volume 10, Issue 2, Article No.: 7, Pages 1 – 31, June 10, 2010, hereinafter Kumaraguru. Hawthorn is cited by Applicant in the IDS filed on 01/04/2024.
Regarding claim 1, Hawthorn discloses a method comprising:
determining a baseline cyberthreat-risk score for a user (Hawthorn, [0036], [0054]: calculating an initial (baseline) risk score for a user);
presenting the at least one cyberthreat-education activity via the user interface (Hawthorn, [0036], [0051]: transmitting security and/or training items (cyberthreat-education activities) to the user);
receiving, via the user interface, at least one user input associated with the presented at least one cyberthreat-education activity (Hawthorn, [0036], [0051]: receiving feedback and/or response (user input) associated with the presented security and/or training item);
generating an updated cyberthreat-risk score at least in part by updating the baseline cyberthreat-risk score after the at least one cyberthreat-education activity has been presented, based at least in part on the at least one user input (Hawthorn, [0036], [0051]: updating the user’s risk score).
Hawthorn does not explicitly disclose determining the baseline cyberthreat-risk score prior to at least one cyberthreat-education activity for a user based on a user security factor including at least one of: a set of applications installed on a user device; a browsing history of the user of the user device; a degree of password reuse; or whether the user device is a new device for the user; displaying the baseline cyberthreat-risk score prior to the at least one cyberthreat-education activity via a user interface; and displaying the updated cyberthreat-risk score via the user interface.
However, Alohali discloses
determining a baseline cyberthreat-risk score prior to at least one cyberthreat-education activity for a user based on a user security factor including at least one of (Alohali, pg. 153, col. 2, #8: Risk Aggregator: “The purpose of this process is to evaluate/assess security risks based on information obtained from User-Centric Risk Estimator and System-Based Risk Estimator and generate a risk profile that adapts to users accordingly … This Aggregator will assess and analyze the security risk and determine the final risk score, overall-risk” [Final risk score/overall-risk = baseline cyberthreat-risk score]; pg. 157, col 1, sec. C: Risk Communication Component, par. 1: “Risk Communication, starts by receiving the individualized risk profile form the Risk Aggregator, analyzing it and deciding on the most suitable form of communicating/educating the risk to the user” [i.e. educating the user (cyberthreat-education activity) begins after a risk profile and overall-risk (baseline cyberthreat-risk score) is determined for a user]):
a set of applications installed on a user device (Alohali, pg. 153, col. 2, #7: System-based risk estimator: “This is accomplished by checking all installed applications … for known vulnerabilities and calculate a software risk score accordingly.” [“all installed applications” = set of applications installed on a user device. The software risk score contributes to overall-risk (baseline cyberthreat-risk score)]); a browsing history of the user of the user device; a degree of password reuse; or whether the user device is a new device for the user.
It would have been obvious to one of ordinary skill in the art, having the teachings of Hawthorn and Alohali before him or her before the effective filing date of the claimed invention, to modify a method that determines an initial risk score for a user based on user actions with security and/or training items as taught by Hawthorn, to include determining an initial overall risk score for the user based on a variety of factors including the user’s installed software risks before selecting the training as taught by Alohali. The motivation for doing so would have been to facilitate selecting the most appropriate training for the user, thereby improving the accuracy and relevance of the risk scores that are used to drive the user education.
Furthermore, the combination of Hawthorn and Alohali does not explicitly disclose displaying the baseline cyberthreat-risk score prior to the at least one cyberthreat-education activity via a user interface; and displaying the updated cyberthreat-risk score via the user interface.
However, Kumaraguru discloses
displaying the baseline cyberthreat-risk score prior to the at least one cyberthreat-education activity via a user interface (Kumaraguru, pgs. 20-21, sec. 6.1 - Design of Anti-Phishing Phil: Paragraph 2 discloses that training is delivered in rounds and users are presented content and must act within the round; Fig. 6 discloses a screenshot of the end-user UI with “SCORE” and “LIVES” shown on screen [Therefore, the displayed score/lives at the start of the round before the user acts in that round’s activities is the baseline value]); and
displaying the updated cyberthreat-risk score via the user interface (Kumaraguru, pg. 22, Table VII: “Immediate feedback. We provide feedback through points, lives and end of round summary”).
It would have been obvious to one of ordinary skill in the art, having the teachings of Hawthorn, Alohali and Kumaraguru before him or her before the effective filing date of the claimed invention, to modify a method that determines an initial risk score for a user before selecting training as taught by Hawthorn and Alohali, to include providing immediate feedback to the user regarding their score at the beginning, during and at the end of the training activity as taught by Kumaraguru. The motivation for doing so would have been to improve the effectiveness of the training by helping the user quickly identify and address their weaknesses in cybersecurity practices.
Regarding claim 2, Hawthorn and Alohali do not explicitly disclose further comprising: sending, to a user device displaying the user interface, a notification when the updated cyberthreat-risk score changes, wherein the notification includes a summary of reasons the updated cyberthreat-risk score changes.
However, Kumaraguru discloses further comprising: sending, to a user device displaying the user interface, a notification when the updated cyberthreat-risk score changes, wherein the notification includes a summary of the updated cyberthreat-risk score changes (Kumaraguru, pg. 21, Fig. 6: the right screen shows the end of round summary indicating the number of correct and incorrect choices).
It would have been obvious to one of ordinary skill in the art, having the teachings of Hawthorn, Alohali and Kumaraguru before him or her before the effective filing date of the claimed invention, to modify a method that determines an initial risk score for a user before selecting training as taught by Hawthorn and Alohali, to include providing immediate feedback to the user regarding their score at the beginning, during and at the end of the training activity as taught by Kumaraguru. The motivation for doing so would have been to improve the effectiveness of the training by helping the user quickly identify and address their weaknesses in cybersecurity practices.
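The claim 1 and claim 2 elements mapped above describe one flow: a baseline score derived from user security factors (installed applications, browsing history, password reuse, new device) and displayed before any education activity, then an updated score derived from the user's responses to that activity, displayed again, with a notification summarizing why the score changed. The following Python program is an added illustration of that flow written for this page; it is not code from the application, from Hawthorn, Alohali, or Kumaraguru, and its factor weights, vulnerable-application list, and sample user data are constructed assumptions.

```python
"""Constructed illustration of a baseline/updated cyberthreat-risk score flow.

All weights, the vulnerable-application list and the sample data below are
assumptions made for this example, not values from any cited reference.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed factor weights (hypothetical; a real product would calibrate these).
WEIGHT_PER_VULNERABLE_APP = 10
WEIGHT_RISKY_BROWSING = 15
WEIGHT_PER_PERCENT_REUSE = 0.3      # 0.3 points per percent of password reuse
WEIGHT_NEW_DEVICE = 10
PENALTY_PER_FAILED_ITEM = 8
CREDIT_PER_PASSED_ITEM = 4

# Constructed (name, version) pairs treated as "known vulnerable" for this example.
KNOWN_VULNERABLE_APPS = {("oldpdfreader", "1.2"), ("legacyzip", "3.0")}


@dataclass
class UserSecurityFactors:
    installed_apps: list[tuple[str, str]]   # (name, version) pairs
    browsing_history: list[str]             # visited URLs
    password_reuse_pct: float               # 0..100, share of accounts sharing a password
    new_device: bool


@dataclass
class ActivityResult:
    item: str       # description of the education item presented
    passed: bool    # whether the user's input was the safe choice


def clamp(score: float) -> int:
    """Keep the score in the 0..100 range used by the UI."""
    return int(max(0, min(100, round(score))))


def baseline_score(f: UserSecurityFactors) -> tuple[int, dict[str, float]]:
    """Compute the baseline score from user security factors, before any activity.

    Returns the score and the per-factor contributions so the UI can explain it.
    """
    contrib: dict[str, float] = {}
    vulnerable = [app for app in f.installed_apps if app in KNOWN_VULNERABLE_APPS]
    contrib["vulnerable_apps"] = WEIGHT_PER_VULNERABLE_APP * len(vulnerable)
    # Constructed heuristic: any plaintext-HTTP site in the history counts as risky browsing.
    risky = [url for url in f.browsing_history if url.startswith("http://")]
    contrib["risky_browsing"] = WEIGHT_RISKY_BROWSING if risky else 0
    contrib["password_reuse"] = WEIGHT_PER_PERCENT_REUSE * f.password_reuse_pct
    contrib["new_device"] = WEIGHT_NEW_DEVICE if f.new_device else 0
    return clamp(sum(contrib.values())), contrib


def updated_score(baseline: int, results: list[ActivityResult]) -> tuple[int, list[str]]:
    """Update the baseline from the user's inputs to the presented activity items."""
    score: float = baseline
    reasons: list[str] = []
    for r in results:
        if r.passed:
            score -= CREDIT_PER_PASSED_ITEM
            reasons.append(f"-{CREDIT_PER_PASSED_ITEM}: handled '{r.item}' safely")
        else:
            score += PENALTY_PER_FAILED_ITEM
            reasons.append(f"+{PENALTY_PER_FAILED_ITEM}: unsafe response to '{r.item}'")
    return clamp(score), reasons


def run_flow(f: UserSecurityFactors, results: list[ActivityResult]) -> dict:
    """Baseline -> display -> activity -> update -> display (+ change notification)."""
    base, contrib = baseline_score(f)
    ui_messages = [f"Baseline risk score: {base}"]          # shown before the activity
    upd, reasons = updated_score(base, results)
    ui_messages.append(f"Updated risk score: {upd}")        # shown after the activity
    notification = None
    if upd != base:                                         # claim 2: notify only on change
        notification = {"old": base, "new": upd, "reasons": reasons}
    return {"baseline": base, "contributions": contrib, "updated": upd,
            "ui": ui_messages, "notification": notification}


# Constructed sample user and activity outcomes.
SAMPLE_USER = UserSecurityFactors(
    installed_apps=[("oldpdfreader", "1.2"), ("browser", "120"), ("legacyzip", "3.0")],
    browsing_history=["https://bank.example", "http://forum.example"],
    password_reuse_pct=50.0,
    new_device=True,
)
SAMPLE_RESULTS = [
    ActivityResult("simulated phishing email: clicked the link", passed=False),
    ActivityResult("simulated phishing email: opened the attachment", passed=False),
    ActivityResult("simulated vishing call: declined to share account data", passed=True),
]

if __name__ == "__main__":
    outcome = run_flow(SAMPLE_USER, SAMPLE_RESULTS)
    print("\n".join(outcome["ui"]))
    print(outcome["notification"])
```

With the constructed sample, the baseline is 60 (two vulnerable applications, one plaintext site, 50% password reuse, new device) and the updated score is 72 after two unsafe responses and one safe one; the notification lists the three per-item reasons, matching the "summary of reasons" element of claim 2.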
Regarding claim 3, Hawthorn discloses wherein the user interface is configured to provide personalized recommendations for improving cybersecurity practices for the user based on the updated cyberthreat-risk score (Hawthorn, [0036]: subsequent training item is transmitted to the user system based on the risk score; Fig. 12: example of a training item (personalized recommendation)).
Regarding claim 4, Hawthorn discloses further comprising: scheduling, in an automatic manner, future cyberthreat-education activities based on the updated cyberthreat-risk score, wherein the future cyberthreat-education activities are scheduled more frequently based on higher risk scores (Hawthorn, [0212]).
Regarding claim 6, Hawthorn discloses wherein the updated cyberthreat-risk score is further based on interactions, by the user, with a simulated phishing email, including actions, by the user, made in response to links and attachments contained within the simulated phishing email (Hawthorn, [0062]: A security item includes a message with a phishing link. User response/interaction with the security item is used to calculate the risk score; [0060]: security and/or training items include emails with malicious attachments; [0052]: security and/or training items include phishing emails).
Regarding claim 7, Hawthorn discloses wherein the updated cyberthreat-risk score is used to determine a level of authentication required for the user to access sensitive transactions, wherein higher risk scores result in more stringent authentication requirements (Hawthorn, [0205], [0213]).
Regarding claim 8, Hawthorn discloses further comprising:
presenting, via the user interface, a variety of cybersecurity challenges to the user (Hawthorn, [0036]: transmitting subsequent security and/or training items to the user system);
in response to the user interacting with the variety of the cybersecurity challenges, adjusting the baseline cyberthreat-risk score in real-time (Hawthorn, [0036]: interactions with the subsequent security and/or training items are used to update a user’s risk score).
Regarding claim 11, Hawthorn discloses wherein the at least one cyberthreat-education activity includes a series of interactive scenarios that simulate real-world cyberattack vectors, and user input includes decisions, by the user, made within the series of the interactive scenarios (Hawthorn, [0054]: training items include scenario-based challenge response applications (interactive scenarios) to obtain feedback regarding the user’s knowledge and/or proficiency).
Regarding claim 12, Hawthorn discloses wherein determining the baseline cyberthreat-risk score further comprises:
analyzing a frequency of password changes, made by the user, across multiple online accounts associated with the user (Hawthorn, [0170], [0180]: sensors detect user behavior/activities, such as how often the user changes his password, as the user interacts with an interaction item); and
assessing security practices of the user based at least in part on the frequency of the password changes (Hawthorn, [0184]: user properties associated with the user that has interacted with a security and/or training item, such as existing usernames, passwords, security questions, etc., are collected and transmitted to a risk assessment manager; [0062]: risk assessment manager uses user property data to calculate a risk score).
Regarding claim 13, Hawthorn discloses wherein generating the updated cyberthreat-risk score further comprises:
identifying risky actions taken by the user in the at least one cyberthreat-education activity (Hawthorn, [0207]: determining based on feedback from a campaign (cyberthreat education activity) that a user accesses social media platforms with a particular frequency (risky behavior)); and
increasing the updated cyberthreat-risk score based on a frequency of the risky actions (Hawthorn, [0207]: increasing the risk score).
Regarding claim 14, Hawthorn discloses further comprising: providing, to the user via the user interface, steps for the user to take to lessen the baseline cyberthreat-risk score, wherein the steps result in a reduction in successful fraudulent activity (Hawthorn, [0080]: training items include guidance for reducing security risks; [0005]: security risks include interacting with a phishing attack (fraudulent activity); [0193]: if a user consistently acts with a security and/or training item in a positive way, the user’s risk score decreases).
Regarding claim 15, Hawthorn discloses further comprising: incorporating feedback regarding selections made by the user with content in the at least one cyberthreat-education activity (Hawthorn, [0054]: user feedback/responses to security and/or training items are stored as security and/or training item interaction data, respectively, and are used to determine a sophistication level of subsequently transmitted security and/or training items).
Regarding claim 16, Hawthorn discloses further comprising: launching a simulated phone call to the user, wherein the simulated phone call includes playing cyberattack audio clips to the user (Hawthorn, [0157], [0160]).
Regarding claim 17, Hawthorn discloses further comprising: monitoring responses, by the user, to the simulated phone call, wherein the responses include at least one of a spoken response, a typed response, or a multiple-choice option response (Hawthorn, [0160]).
Regarding claim 19, the limitations have been addressed in the rejection of claim 1, and furthermore, Hawthorn discloses a system comprising:
at least one processor (Hawthorn, [0248]); and
one or more non-transitory computer readable storage media containing instructions executable by the at least one processor for causing the at least one processor to perform operations (Hawthorn, [0248]).
Regarding claim 20, the limitations have been addressed in the rejection of claim 1, and furthermore, Hawthorn discloses one or more non-transitory computer readable storage media containing instructions executable by at least one processor for causing the at least one processor to perform operations (Hawthorn, [0248]).
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Hawthorn in view of Alohali and Kumaraguru, further in view of Chakra et al. (US 2020/0112582), hereinafter Chakra.
Regarding claim 5, Hawthorn, Alohali and Kumaraguru do not explicitly disclose further comprising: prompting the user to review and update security settings on social media accounts when the updated cyberthreat-risk score exceeds a predetermined threshold.
However, Chakra discloses further comprising: prompting the user to review and update security settings on social media accounts when the updated cyberthreat-risk score exceeds a predetermined threshold (Chakra, [0041], [0038]: notification to update user configuration and settings is sent to a user with a group member score above an average score (threshold)).
It would have been obvious to one of ordinary skill in the art, having the teachings of Hawthorn, Alohali, Kumaraguru and Chakra before him or her before the effective filing date of the claimed invention, to modify a method for determining and displaying a risk score to a user as taught by Hawthorn, Alohali and Kumaraguru, to include notifying the user to update configuration and settings when their score is above a group average score as taught by Chakra. The motivation for doing so would have been to allow the user to take action to improve their security posture, potentially preventing them from becoming a target.
Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Hawthorn in view of Alohali and Kumaraguru, further in view of Morton et al. (US 2019/0083876), hereinafter Morton.
Regarding claim 9, Hawthorn, Alohali and Kumaraguru do not explicitly disclose further comprising: generating incentives to the user for engaging with the at least one cyberthreat-education activity, wherein the incentives are based on progress the user makes in reducing the baseline cyberthreat-risk score.
However, Morton discloses further comprising: generating incentives to the user for engaging with the at least one cyberthreat-education activity, wherein the incentives are based on progress the user makes in reducing the baseline cyberthreat-risk score (Morton, [0086], [0092]: rewards for going from Apprentice (baseline) to Journeyman, Master, etc. (i.e., making progress/reducing the baseline)).
It would have been obvious to one of ordinary skill in the art, having the teachings of Hawthorn, Alohali, Kumaraguru and Morton before him or her before the effective filing date of the claimed invention, to modify a method for determining and displaying a risk score to a user based on user actions with security and/or training items as taught by Hawthorn, Alohali and Kumaraguru, to include offering recognition and rewards based on improved performance as taught by Morton. The motivation for doing so would have been to make it interesting and engaging for the user’s training (Morton, [0086]).
Regarding claim 10, Hawthorn, Alohali and Kumaraguru do not explicitly disclose further comprising: awarding, via the user interface, the user with digital badges representing different levels of cybersecurity proficiency, wherein each digital badge corresponds to a range of cyberthreat-risk scores.
However, Morton discloses further comprising: awarding, via the user interface, the user with digital badges representing different levels of cybersecurity proficiency, wherein each digital badge corresponds to a range of cyberthreat-risk scores (Morton, [0086], [0089], [0538]).
It would have been obvious to one of ordinary skill in the art, having the teachings of Hawthorn, Alohali, Kumaraguru and Morton before him or her before the effective filing date of the claimed invention, to modify a method for determining and displaying a risk score to a user based on user actions with security and/or training items as taught by Hawthorn, Alohali and Kumaraguru, to include offering recognition and rewards based on improved performance as taught by Morton. The motivation for doing so would have been to make it interesting and engaging for the user’s training (Morton, [0086]).
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Hawthorn in view of Alohali and Kumaraguru, further in view of Sites (US 2021/0136110).
Regarding claim 18, Hawthorn discloses further comprising:
based on the monitored responses to the simulated phone call, determining if the user agreed to provide sensitive personal data (Hawthorn, [0160], [0169]: user action with a mock social engineering call is monitored); and
wherein providing the sensitive personal data further comprises:
updating the updated cyberthreat-risk score (Hawthorn, [0193]: when a user acts with a security and/or training item in a negative way, the user’s risk score is increased); and
providing, via the user interface, additional cyberthreat-education activity related to phishing attacks via a phone call (Hawthorn, [0036]: subsequent security and/or training item is transmitted to the user based on the determined risk score; [0052]: security and/or training items include security threats such as voice phishing messages).
Hawthorn, Alohali and Kumaraguru do not explicitly disclose including a bad actor posing as a representative of a financial-services institution.
However, Sites discloses including a bad actor posing as a representative of a financial-services institution (Sites, [0211]: training models are created based on a user’s behavior in a campaign after the user has failed a previous phishing campaign; [0010]: models are established for a predetermined persona (bad actor); [0011]: a type of persona is a financial institution representative).
It would have been obvious to one of ordinary skill in the art, having the teachings of Hawthorn, Alohali, Kumaraguru and Sites before him or her before the effective filing date of the claimed invention, to modify a method for determining and displaying a risk score to a user based on user actions with security and/or training items as taught by Hawthorn, Alohali and Kumaraguru, to include utilizing a specific type of persona for the user as taught by Sites. The motivation for doing so would have been to select a persona that meets a criterion or threshold for a rate of success for a user (Sites, [0130]), in order to increase the effectiveness of teaching a user how to recognize threats (Sites, [0004]).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LESA M KENNEDY whose telephone number is (571)431-0704. The examiner can normally be reached on Monday-Wednesday 9:30 am - 5:30 pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on (571) 270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
The examiner also requests, in response to this Office Action, support be shown for language added to any original claims on amendment and any new claims. That is, indicate support for newly added claim language by specifically pointing to page(s) and line no(s) in the specification and/or drawing figure(s). This will assist the examiner in prosecuting the application.
/LESA M KENNEDY/Primary Examiner, Art Unit 2458