Prosecution Insights
Browse Companies Examiners Firms Draft Your Response
Office ActionsAmerican Family Mutual Insurance Company S I › 18943710
Last updated: May 29, 2026
Application No. 18/943,710

ENVIRONMENTAL RISK MANAGEMENT SYSTEM

Non-Final OA §101§102§103
Filed
Nov 11, 2024
Priority
May 08, 2019 — provisional 62/845,193 +2 more
Examiner
SHEHNI, GHAZAL B
Art Unit
2499
Tech Center
2400 — Computer Networks
Assignee
American Family Mutual Insurance Company S I
OA Round
1 (Non-Final)
87%
Grant Probability
Favorable
1-2
OA Rounds
11m
Est. Remaining
99%
With Interview

Interview Optional

+12.4% interview lift. Interview lift (+12.4%) is below the 15.0% threshold. A written response is recommended.
Based on 1070 resolved cases, 2023–2026

Examiner Intelligence

SHEHNI, GHAZAL B View full profile →
Grants 87% — above average
87%
Career Allowance Rate
934 granted / 1070 resolved
+29.3% vs TC avg
Moderate +12% lift
Without
With
+12.4%
Interview Lift
resolved cases with interview
Typical timeline
2y 5m
Avg Prosecution
26 currently pending
Career history
1098
Total Applications
across all art units

Statute-Specific Performance

§101
2.3%
-37.7% vs TC avg
§103
66.2%
+26.2% vs TC avg
§102
19.4%
-20.6% vs TC avg
§112
2.4%
-37.6% vs TC avg
Black line = Tech Center average estimate • Based on career data from 1070 resolved cases

Office Action

§101 §102 §103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Objections Claim 19 is objected to because of the following informalities: “…calculating a FCC…”. Examiner suggests changing “a FCC…” to “a first correlation coefficient”. Appropriate correction is required. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claim 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claim 1, 16 recite in part process steps which, calculating a risk level indicative of risk in the technology environment based on a first indicator and a second indicator, the first indicator and the second indicator being performance parameters associated with the technology environment, the first indicator comprising a first array of data values over a time period, the second indicator comprising a second array of data values over the time period, wherein calculating the risk level comprises: generating a third array of data values for the time period based on the first array of data values and the second array of data values; and determining the risk level based on the third array of data values; and providing a risk assessment response based on the risk level via a user interface, as drafted, under the broadest reasonable interpretation, are a series of mental processes including an observation, evaluation, judgment or opinion that could be performed in the human mind or with the aid of pencil and paper. If a claim, under its broadest reasonable interpretation, covers a mental process or a mathematical concept but for the recitation of generic computer components, then it falls within the "Mental Process" grouping of abstract ideas. Therefore, claim 1-20 recites an abstract idea. This judicial exception is not integrated into a practical application. In particular, the claim recites – a user interface…a user interface is recited at a high-level of generality, such that it amounts no more than mere instructions to apply the exception using a generic computer component. As described in MPEP 2106.0S(g), limitations that amount to merely adding insignificant extra-solution activity to a judicial exception cannot integrate a judicial exception into a practical application. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, claims 1-20 are directed to a judicial exception. Claims 1-20 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above, determining the risk level based on the third array of data values; and providing a risk assessment response based on the risk level via a user interface, to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Claim 1-20 are not patent eligible. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 12141296. Although the claims at issue are not identical, they are not patentably distinct from each other because Claims of patent application contain every element of claims above instant application or vice versa, and as such they anticipate or anticipated by Instant Application. As to Claims 1, 13, 14, 15, 18, of the Pat. *296 anticipates the claims of the instant application. By way of illustration, consider the respective claim 1 from each disclosure: Claim 1 of the instant application discloses a method of determining risk levels in a technology environment, the method comprising: calculating a risk level indicative of risk in the technology environment based on a first indicator and a second indicator (A method of determining risk levels in a technology environment, the method comprising: calculating a risk level based on a first indicator and a second indicator, claim 1 of *296 patent), the first indicator and the second indicator being performance parameters associated with the technology environment, the first indicator comprising a first array of data values over a time period, the second indicator comprising a second array of data values over the time period (wherein the first indicator comprises a first array of data values and a first risk weight, and the second indicator comprises a second array of data values and a second risk weight, wherein each value of the first array of data values corresponds with a respective value of the second array of data values, claim 1 of *296 patent), wherein calculating the risk level comprises: generating a third array of data values for the time period based on the first array of data values and the second array of data values (generating a third array of data values based on each value in the first array of data values and each value in the second array of data values, claim 1 *296 patent); and determining the risk level based on the third array of data values; and providing a risk assessment response based on the risk level via a user interface (determining the risk level based on the third array of data values, wherein the risk level is indicative of risk in the technology environment; and providing a risk assessment response based on the risk level via a user interface, claim 1 of *296 patent). Independent claims 1, 16 of the instant application are substantially similar to independent claims 1, 15, of the Pat. *296 and are rejected for substantially similar reasons as discussed supra. Likewise, dependent claims 2-15, 17-20 of the instant application are substantially similar to dependent claims 2-12, 16-17, 19-20 (respectively) of the Pat. *296 and are rejected for substantially similar reasons as discussed supra. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claims 1, 2, 3, 10-12, 15-16, 18 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Lee et al (Pub. No. US 2016/0012235). As per claim 1, Lee discloses a method of determining risk levels in a technology environment (assess the potential negative impact on an enterprise from cybersecurity incidents…see par. 7, 35), the method comprising: calculating a risk level indicative of risk in the technology environment based on a first indicator and a second indicator (evaluating the cost or impact to an enterprise (or value at risk) from compromise of particular components of enterprise data…calculate the expected loss (or risk) over time of particular data, computers, or other information resources in an enterprise…see par. 35…data on one or more computers in an enterprise are automatically scanned and analyzed to determine one or more clusters, groupings or generalizations of data (first indicator)…see par.36…converting expert evaluations of value at risk of particular items into estimates or probability expressions (e.g., random variables or vectors) and using those estimates or probability expressions to automatically determine the value at risk (second indicator)…see par. 37), the first indicator and the second indicator being performance parameters associated with the technology environment, the first indicator comprising a first array of data values over a time period (estimated cost to an enterprise of particular data if that data (data on one or more computers in an enterprise are scanned and analyzed to determine one or more clusters, groupings or generalizations of data…the data to be analyzed are classified as structured, see par.36) is compromised in a cybersecurity incident…the chance or likelihood or probability that a cybersecurity incident or particular type of cybersecurity incidents will occur in a given time (e.g., the incident rate)…see par. 32, 36), the second indicator comprising a second array of data values over the time period (expert evaluations of value at risk of particular items into estimates or probability expressions (e.g., random variables or vectors) and using those estimates or probability expressions to automatically determine the value at risk and/or expected loss for all or a subset of data in an enterprise…random variable or probability with a probability distribution indicating the likely generally financial impact of the loss from a cybersecurity incident that occurs in a specified time period involving a particular file, data cluster…see Loss in Table 1…par. 32, 37), wherein calculating the risk level comprises: generating a third array of data values for the time period based on the first array of data values and the second array of data values (for structured data, value at risk clustering can indicate any grouping of structured data records that is used in the calculation of value at risk for records or database files. This should be understood as the value at risk determine for a cluster and then assigned to each member of the cluster for the purposes of determine expected loss and value at risk for computers and other components of the enterprise…a cluster of documents based on a presence history indicating where and when data files are found during an enterprise file scan…used to evaluate cybersecurity risks…an circulation patterns entry can also, include any other data relevant to the histories of data files in the document cluster such as creation and modification dates and users, data file access information, total number of document instances on a particular computer, location (e.g., directory) within a particular computer, see Evaluation Cluster and Circulation Pattern in Table 1…provide statistical estimates and analysis of combined expected loss and risks, such as the overall likely cybersecurity costs to an enterprise, or a department, or a class of devices, or an individual, over a particular period, such as a day, month, year, or decade…see par. 32, 36-37); and determining the risk level based on the third array of data values (see par. 32-33); and providing a risk assessment response based on the risk level via a user interface (modeling may include an interactive user interface where users can modify variables that influence expected loss for different departments and predict the probability of future cybersecurity events using statistical and time series models…the expected loss of an enterprise can be estimated by summing risk over different data types, departments, and computers…expected loss summations can be displayed with ranges represented by confidence intervals…generate visual displays to illustrate different facets of the average annual risk, which includes graphs, charts, and tables for the probability of one or more cybersecurity incidents within an enterprise…see par. 215-216). As per claim 16, Lee discloses a system, comprising: a display configured to present a user interface (UI); and a processor and program logic stored in memory and executed by the processor (see fig.13), the program logic configured to: calculate a risk level indicative of risk in a technology environment based on a first indicator and a second indicator (evaluating the cost or impact to an enterprise (or value at risk) from compromise of particular components of enterprise data…calculate the expected loss (or risk) over time of particular data, computers, or other information resources in an enterprise…see par. 35…data on one or more computers in an enterprise are automatically scanned and analyzed to determine one or more clusters, groupings or generalizations of data (first indicator)…see par.36…converting expert evaluations of value at risk of particular items into estimates or probability expressions (e.g., random variables or vectors) and using those estimates or probability expressions to automatically determine the value at risk (second indicator)…see par. 37), the first indicator and the second indicator being performance parameters associated with the technology environment, the first indicator comprising a first array of data values over a time period (estimated cost to an enterprise of particular data if that data (data on one or more computers in an enterprise are scanned and analyzed to determine one or more clusters, groupings or generalizations of data…the data to be analyzed are classified as structured, see par.36) is compromised in a cybersecurity incident…the chance or likelihood or probability that a cybersecurity incident or particular type of cybersecurity incidents will occur in a given time (e.g., the incident rate)…see par. 32, 36), and the second indicator comprises a second array of data values over the time period (expert evaluations of value at risk of particular items into estimates or probability expressions (e.g., random variables or vectors) and using those estimates or probability expressions to automatically determine the value at risk and/or expected loss for all or a subset of data in an enterprise…random variable or probability with a probability distribution indicating the likely generally financial impact of the loss from a cybersecurity incident that occurs in a specified time period involving a particular file, data cluster…see Loss in Table 1…par. 32, 37), wherein calculating the risk level comprises: generating a third array of data values for the time period based on the first array of data values and the second array of data values (for structured data, value at risk clustering can indicate any grouping of structured data records that is used in the calculation of value at risk for records or database files. This should be understood as the value at risk determine for a cluster and then assigned to each member of the cluster for the purposes of determine expected loss and value at risk for computers and other components of the enterprise…a cluster of documents based on a presence history indicating where and when data files are found during an enterprise file scan…used to evaluate cybersecurity risks…an circulation patterns entry can also, include any other data relevant to the histories of data files in the document cluster such as creation and modification dates and users, data file access information, total number of document instances on a particular computer, location (e.g., directory) within a particular computer, see Evaluation Cluster and Circulation Pattern in Table 1…provide statistical estimates and analysis of combined expected loss and risks, such as the overall likely cybersecurity costs to an enterprise, or a department, or a class of devices, or an individual, over a particular period, such as a day, month, year, or decade…see par. 32, 36-37); and determining the risk level based on the third array of data values (see par. 32-33); and provide a risk assessment response based on the risk level via the UI (modeling may include an interactive user interface where users can modify variables that influence expected loss for different departments and predict the probability of future cybersecurity events using statistical and time series models…the expected loss of an enterprise can be estimated by summing risk over different data types, departments, and computers…expected loss summations can be displayed with ranges represented by confidence intervals…generate visual displays to illustrate different facets of the average annual risk, which includes graphs, charts, and tables for the probability of one or more cybersecurity incidents within an enterprise…see par. 215-216). As per claim 2, Lee discloses wherein generating the third array of data values comprises determining a summed weights table from the first array of data values and the second array of data values (see par. 172). As per claim 3, Lee discloses wherein generating the third array of data values comprises: determining each value in the first array of data values that is greater than a first threshold value and each value in the second array of data values that is greater than a second threshold value; and generating the third array of data values based on each value in the first array of data values that is greater than the first threshold value and each value in the second array of data values that is greater than the second threshold value (see par. 185-189). As per claim 10, Lee discloses determining a first threshold value for the first indicator, wherein determining the first threshold value comprises: determining a median value for the data values in the first array of data values; determining a standard deviation of the data values in the first array of data values; and generating the first threshold value for the first indicator based on the median value and the standard deviation (see par. 185-189). As per claim 11, Lee discloses wherein determining the risk level comprises: determining percentiles of the third array of data values; and generating the risk level based on one of the values of the third array of data values and the percentiles of the third array of data values, wherein the one of the values of the third array of data values is indicative of risk at a present time (see par. 228, 230). As per claim 12, Lee discloses wherein each one of the first array of data values corresponds to a value of the first indicator during the time period, and each one of the second array of data values corresponds to a value of the second indicator the time period (see par. 32, 36-37). As per claim 15, Lee discloses wherein generating the third array of data values comprises: comparing the first array of data values to a first threshold value and comparing the second array of data values to a second threshold value; and generating the third array of data values based on the comparing the first array of data values to the first threshold value and comparing the second array of data values to the second threshold value (see par. 189-191). As per claim 18, Lee discloses wherein the first array of data values corresponds to a first set of events and the second array of data values corresponds to a second set of events (see par. 227-229). Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 4-9, 13, 14, 17, 19, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al (Pub. No. US 2016/0012235) in view of Alnajem (Pub. No. US 2017/0300911) As per claim 4, Lee does not explicitly disclose wherein the first array of data values comprises a first risk weight and the second array of data values comprises a second risk weight, further comprising updating the first risk weight and the second risk weight by: accessing a fourth indicator that comprises a fourth array of data values, wherein each value of the fourth array of data values corresponds to a respective value of the third array of data values; and calculating a first correlation coefficient (FCC) between the third array of data values and the fourth array of data values. However Alnajem discloses wherein the first array of data values comprises a first risk weight and the second array of data values comprises a second risk weight, further comprising updating the first risk weight and the second risk weight by: accessing a fourth indicator that comprises a fourth array of data values, wherein each value of the fourth array of data values corresponds to a respective value of the third array of data values; and calculating a first correlation coefficient (FCC) between the third array of data values and the fourth array of data values (…when computing an overall (i.e. aggregated) risk value based on multiple risk factors, the correlation (i.e. the dependency relationship) among multiple risk factors should be considered…the most common measure of dependency among risk factors is called the Pearson's correlation coefficient. The Pearson's correlation is a pairwise correlation, that is, it is defined between two risk factors…given two risk factors, R.sub.i and R.sub.j, their pairwise correlation…see par. 173-174). Therefore one ordinary skill in the art would have found it obvious before the effective filling date of the claimed invention to use Alnajem in Lee for including the above limitations because one ordinary skill in the art would recognize a correlation coefficient is the most commonly used way to quantify the interdependence relationship among various risk factors, see Alnajem, par. 173. As per claim 5, the combination of Lee and Alnajem discloses wherein updating the first risk weight and the second risk weight further comprises: incrementing the first risk weight; and responsive to incrementing the first risk weight, calculating a second correlation coefficient (SCC) between the third array of data values and the fourth array of data values (Alnajem: see par. 176-177). The motivation for claim 5 is the same motivation as in claim 4 above. As per claim 6, the combination of Lee and Alnajem discloses wherein updating the first risk weight and the second risk weight further comprises: determining that the SCC is less than the FCC; in response to determining that the SCC is less than the FCC, decrementing one of the values from the first array of data values; and calculating a third correlation coefficient between the third array of data values and the fourth array of data values (Alnajem: see par. 177-180). The motivation for claim 6 is the same motivation as in claim 4 above. As per claim 7, the combination of Lee and Alnajem discloses wherein updating the first risk weight and the second risk weight further comprises: determining that the third correlation coefficient is greater than the FCC; and assigning the decremented first risk weight as an updated first risk weight (Alnajem: see par. 176-180). The motivation for claim 7 is the same motivation as in claim 4 above. As per claim 8, the combination of Lee and Alnajem discloses wherein updating the first risk weight and the second risk weight further comprises: determining that the SCC is greater than the FCC; and assigning the incremented first risk weight as an updated first risk weight (Alnajem: see par. 176-180). The motivation for claim 8 is the same motivation as in claim 4 above. As per claim 9, the combination of Lee and Alnajem discloses wherein an access point is automatically reset based on the risk assessment response (Alnajem: see par. 547). Therefore one ordinary skill in the art would have found it obvious before the effective filling date of the claimed invention to use Alnajem in Lee for including the above limitations because one ordinary skill in the art would recognize it would further enhance the security and assurance of the system, see Alnajem, par. 547. As per claim 13, the combination of Lee and Alnajem discloses wherein generating the third array of data values comprises: summing a value of a first risk weight for each value in the first array of data values that is above a first value threshold with a respective value of a second risk weight for each value in the second array of data values that is above a second value threshold; and creating the third array of data values, wherein each value of the third array of data values comprises a summed weights array and each value of the summed weights array corresponds to one of the values of the first array of data values and one of the values of the second array of data values (Alnajem: see par. 344-345). Therefore one ordinary skill in the art would have found it obvious before the effective filling date of the claimed invention to use Alnajem in Lee for including the above limitations because one ordinary skill in the art would recognize it would further improve efficiency of distribution of patterns in the transformation, see Alnajem, par. 335. As per claim 14, the combination of Lee and Alnajem discloses wherein the first indicator is a tracked variable associated with pending updates or changes to the associated with the technology environment, and the second indicator is indicative of a number of warnings associated with one or more applications in the technology environment (…transaction session system is comprised of a session server and a session timer…the session server is a conventional server that interacts with authentication server, risk computation system and session timer to keep track of the length of time that a particular end user financial transaction session has taken…session timer is a conventional timer which is used to time the particular end user financial transaction session…if authentication server sends a request to the end user to enter a further authentication and the end user is a fraudulent end user who does not know the further authentication information that is needed, session server, in conjunction with session timer, will interact with authentication server and risk computation system to inform the end user that the time to enter the further authentication information has elapsed and the particular end user financial transaction session will be immediately terminated…see par. 654). Therefore one ordinary skill in the art would have found it obvious before the effective filling date of the claimed invention to use Alnajem in Lee for including the above limitations because one ordinary skill in the art would recognize it would further enhance the security by averting a fraudulent transaction by the system, see Alnajem, par. 654. As per claim 17, the combination of Lee and Alnajem discloses wherein generating the third array of data values comprises: assigning a value of a first risk weight to each data value of the first array of data values that is above a first threshold value; assigning a value of a second risk weight to each data value of the second array of data values that is above a second threshold value; and summing together the assigned values of the first array of data values and the assigned values of the second array of data values to create the third array of data values, the third array of data values being an array of summed weights (Alnajem: see par. 344-345). Therefore one ordinary skill in the art would have found it obvious before the effective filling date of the claimed invention to use Alnajem in Lee for including the above limitations because one ordinary skill in the art would recognize it would further improve efficiency of distribution of patterns in the transformation, see Alnajem, par. 335. As per claim 19, the combination of Lee and Alnajem discloses wherein the first array of data values comprises a first risk weight and the second array of data values comprises a second risk weight, further comprising updating the first risk weight and the second risk weight by calculating a FCC between a fourth array of data values and the third array of data values (Alnajem: see par. 173-174). Therefore one ordinary skill in the art would have found it obvious before the effective filling date of the claimed invention to use Alnajem in Lee for including the above limitations because one ordinary skill in the art would recognize a correlation coefficient is the most commonly used way to quantify the interdependence relationship among various risk factors, see Alnajem, par. 173. As per claim 20, the combination of Lee and Alnajem discloses wherein generating the third array of data values comprises summing a value of a first risk weight for each value in the first array of data values that is above a first value threshold with a respective value of a second risk weight for each value in the second array of data values that is above a second value threshold for a plurality of incremental steps in the time period (Alnajem: see par. 479, 506-507). Therefore one ordinary skill in the art would have found it obvious before the effective filling date of the claimed invention to use Alnajem in Lee for including the above limitations because one ordinary skill in the art would recognize it would further improve efficiency of distribution of patterns in the transformation, see Alnajem, par. 335. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892). The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to monitor and control risk, allowing technology environments to be efficiently managed. Yampolskiy et al (Pub. No. US 20160173521); “Calculating and Benchmarking an Entity’s Cybersecurity Risk Score”; -Teaches calculating a security score…indicative of a level of cybersecurity in a corporate entity, see par. 4-5……security score can be calculated for each of the different types of collected information based on security information extracted from the collection information…see par. 69…calculated security scores can be assigned weights based on a correlation between the extracted security information and its impact on the overall cybersecurity risk of an entity…the correlation used to determine the weights can be identified from analysis of one or more previously-breached entities in the same industry as the entity for which a security score is being evaluated…see par. 75 Baikalov et al (Pub. No. US 2016/0226905); “Risk Scoring for Threat Assessment”; -Teaches calculate entity risk, and to compare the risk levels of different entities…see par. 38. Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /GHAZAL B SHEHNI/Primary Examiner, Art Unit 2499
Read full office action

Prosecution Timeline

Nov 11, 2024
Application Filed
May 06, 2026
Non-Final Rejection mailed — §101, §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

18/432,296
Patent 12632575
HIERARCHICAL WORKSPACE ORCHESTRATION
2y 3m to grant Granted May 19, 2026
18/441,308
Patent 12632535
SYSTEMS AND METHODS FOR A PLATFORM AS A SERVICE ORCHESTRATOR
2y 3m to grant Granted May 19, 2026
18/482,679
Patent 12632536
TRUSTED EXECUTION ENVIRONMENT CONSTRUCTION METHODS, APPARATUSES, AND DEVICES
2y 7m to grant Granted May 19, 2026
18/583,025
Patent 12632557
System and method for improving security of software development life cycles
2y 2m to grant Granted May 19, 2026
18/703,325
Patent 12632538
ENCLAVE CLONING
2y 1m to grant Granted May 19, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
87%
Grant Probability
99%
With Interview (+12.4%)
2y 5m (~11m remaining)
Median Time to Grant
Low
PTA Risk
Based on 1070 resolved cases by this examiner. Grant probability derived from career allowance rate.

Ready to respond to this office action?

IP Author drafts your complete OA response — amendments, arguments, and claim strategy — in minutes, not days.

Start Drafting Your Response →

Data sourced from USPTO Patent File Wrapper (daily) and Office Action Archive (weekly). Analysis generated by IP Author.

Data: USPTO Patent File Wrapper (daily) • Office Action Archive (weekly) • 89M+ prosecution events

© 2026 IP Author — Browse Office ActionsExaminersCompaniesFirms

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month