DETAILED ACTION
The following is a Final Office Action in response to communications filed on January 25, 2020.  Claims 1–8 are amended.  Accordingly, claims 1–8 and 21 are pending.

Response to Amendment/Argument
Applicant’s amendments are sufficient to overcome the previous objection to claims 1 and 4 for informalities.  Accordingly, the previous objection to claims 1 and 4 is withdrawn.
With respect to the previous rejection of claims under 35 U.S.C. 112(a) as failing to comply with the written description requirement, Applicant’s remarks have been fully considered but are not persuasive.  Specifically, Applicant asserts that the claims comply with the written description requirement because one of ordinary skill in the art “would understand network proximity to have the plain an ordinary meaning of a measure of the relatedness or distance across a network between two networked assets.”  Examiner disagrees.
Although Examiner agrees that one of skill in the art would understand the definition of proximity, Examiner maintains that Applicant’s Specification does not fully set forth the process used by Applicant to establish a value at risk based in part on network proximity in such a manner as to convey possession of the invention for the same reasons as asserted previously and below.  Further, Applicant has not presented any arguments or rationale explaining how Applicant uses proximity in establishing a 
Applicant’s amendments are insufficient to overcome the previous rejection of claims under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.  Although Applicant’s amendments address some of the asserted instances of indefiniteness, Applicant’s amendments are insufficient in addressing each issue.  As a result, the previous rejection under 35 U.S.C. 112(b) is maintained, and Examiner directs Applicant to the relevant section below for further clarification.
Examiner acknowledges Applicant’s statement with respect to the previous rejection of claim 21 under 35 U.S.C. 112(d) as being of improper dependent form and maintains the rejection below.
Applicant’s remarks with respect to the previous rejection of claims under 35 U.S.C. 103 have been fully considered but are not persuasive.  
Applicant first asserts that the cited combination of references does not disclose a “value at risk” because the references do not take into account the value of an asset.  Examiner disagrees.  Examiner asserts that, under a broadest reasonable interpretation of the claim in view of Applicant’s Specification, the claimed “value at risk” does not necessary reflect an intrinsic value of the asset.  For example, paragraph 14 of Applicant’s Specification states that “the value at risk represents a measure of relative organizational risk exposure or loss potential in the event of compromise”.  Examiner further notes that the claims do not necessarily impart any monetary value or worth-based limitations on the recited “value at risk”.  Instead, the claims broadly analyze 
Examiner further notes that Applicant has argued against the references individually and without consideration for the combination as a whole.  Specifically, Applicant has argued against Blake and Lipps individually and has not presented any arguments with respect to either Cole or the combination of references.  Examiner directs Applicant to MPEP 2145(IV), which sets forth that “[o]ne cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., Inc., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).”  As a result, Applicant’s arguments with respect to claim 1 are not persuasive.
Examiner maintains that claim 1 is rejected over a combination of Blake, in view of Lipps, and in further view of Cole and Giakouminakis.  Examiner maintains that the combination of Blake, Lipps, Cole, and Giakouminakis disclose the elements of claim 1 because, although Blake and Lipps address risks with respect to general assets/resources, Cole expressly discloses risks with respect to network accessible computer systems or assets, and Giakouminakis discloses establishing risk values according to network proximity.  As a result, the combination of references discloses the elements as presented.  
Finally, Applicant asserts that the asserted combination under 35 U.S.C. 103 is improper in view of the commercial success associated with the claimed invention.  
Accordingly, Applicant’s remarks are not persuasive, and the rejection of record is maintained and reasserted below.

Priority
This application repeats a substantial portion of prior Application No. 15/207,395, filed July 11, 2016, and adds disclosure not presented in the prior application. Prior Application No. 15/207,395 does not, however, disclose “using the identified features/characteristics to establish a value at risk for the computer system/asset based in part on network proximity of the computer system/asset to one or more other network-accessible assets with a similar or higher value at risk”, as recited in independent claim 1.  As a result, the pending application has been afforded priority to the effective filing date of February 18, 2019.

Claim Rejections - 35 USC § 112(a)
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):


The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1–8 and 21 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA  the inventor(s), at the time the application was filed, had possession of the claimed invention.
MPEP 2163(I) sets forth that, in order “[t]o satisfy the written description requirement, a patent specification must describe the claimed invention in sufficient detail that one skilled in the art can reasonably conclude that the inventor had possession of the claimed invention,” and further states that “[a]n applicant shows possession of the claimed invention by describing the claimed invention with all of its limitations using such descriptive means as words, structures, figures, diagrams, and formulas that fully set forth the claimed invention.”
Claim 1 recites “using the identified features/characteristics to establish a value at risk for the computer system/asset based in part on network proximity of the computer system/asset to one or more other network-accessible assets with a similar or e.g., ¶¶ 6, 14, 24, and 30), Applicant’s specification does not specifically describe how network proximity is used in establishing a value at risk.  Further, Applicant’s specification does not disclose how other, proximate network-accessible assets with a similar or higher value at risk could be identified or selected for use because the value at risk for the computer system/asset is unknown.
In view of the above, Applicant’s specification does not fully set forth the claimed invention in such a ways as to reasonably convey that Applicant had possession of the invention.  Accordingly, claim 1 is rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement.
Claims 2–8 and 21, which depend from claim 1, inherit the deficiencies described above.  As a result, claims 2–8 and 21 are similarly rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement.

Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1–8 and 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and 
Claim 1 recites “using the identified characteristics to establish a value at risk for the computer asset based in part on network proximity of the computer asset to one or more other network-accessible assets with a similar or higher value at risk” and subsequently recites “using the value at risk of the computer asset to prioritize allocation … relative to other computer assets with different values at risk”.  Examiner submits that the consecutive recitations of “one or more other network-accessible assets” and “other computer assets” renders the scope of claim 1 indefinite because it is unclear whether Applicant intends for the recitation of “other computer assets” to reference the “one or more other network-accessible assets” or intends to introduce separate, different “other … assets”.  For purposes of examination, the recitation of “other computer assets” has been interpreted as introducing separate, different “other … assets”.
Further, the term "similar" in the first “using” element of claim 1 is a relative term which renders the claim indefinite.  The term "similar" is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.  As a result, the scope of claim 1 is indefinite.
Claims 2–8 and 21, which depend from claim 1, inherit the deficiencies described above.  As a result, claims 2–8 and 21 are similarly rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Further, claim 6 recites “wherein identified indicators of security mechanisms associated with the computer asset”; claim 7 recites “wherein identified indicators of types of sensitive computer asset functionality provided”; and claim 8 recites “wherein identified indicators of computer asset subject”.  Examiner notes that claim 1, upon which claims 6–8 depend, does not recite characteristics associated with security mechanisms, types of sensitive functionality, or computer asset subject.  As a result, claims 6–8 are indefinite because it is unclear whether Applicant intends for claims 6–8 to further modify the identified characteristics of claim 1 or identify new, different characteristics.  For purposes of examination, Examiner has interpreted claims 6–8 as referencing characteristics identified by the “analyzing” step of claim 1.

Claim Rejections - 35 USC § 112(d)
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 21 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Specifically, the claim would fail the dependent claim test under MPEP 608.01(n)(III) because claim 21 does not require all of the limitations .  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1–8 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Blake et al. (U.S. 2016/0105457) in view of Lipps et al. (U.S. 2012/0053981), and in further view of Cole et al. (U.S. 2004/0015728) and Giakouminakis et al. (U.S. 2013/0074188).
Claims 1 and 21:  Blake discloses a method for automatically determining a value at risk for a network accessible computer system/asset for prioritization of security controls, the method comprising: 

analyzing the collected data using at least one of machine learning models, regular expressions, text string matching, natural language understanding, image processing, and text analysis to identify, without accessing sensitive data itself, characteristics indicating at least one of mechanisms for accessing sensitive data, mechanisms for collecting sensitive data, storage of sensitive data, presentation of sensitive data, sensitive data input mechanisms, sensitive data subjects, sensitive functionality subjects, sensitive functionality, and indicia of security features of the computer asset (See paragraphs 27-28, wherein electronic communications are parsed to identify mechanisms for circumventing security measures, which equates to accessing sensitive data and/or indicia of security features; see also paragraph 4, wherein keyword matching is disclosed and paragraphs 39-42, wherein monitored risk features/characteristics are disclosed); and
using the identified asset characteristics to establish a value at risk for the computer asset (See paragraph 32, wherein a risk rating module receives risk data and determines an overall risk).  Blake does not expressly disclose the remaining claim elements.
Lipps discloses using the value at risk of the computer asset to prioritize allocation of information technology security controls/resources to the network accessible computer asset relative to other computer assets with different security values at risk (See paragraphs 197-198, wherein controls are mapped to risks based on 
Blake discloses a system directed to monitoring assets to identify risk.  Similarly, Lipps discloses a system directed to assessing and prioritizing risks.  Each reference discloses a system directed to risk management.  The technique of prioritizing controls is applicable to the system of Blake as they both share characteristics and capabilities, namely, they are directed to risk management.
One of ordinary skill in the art would have recognized that applying the known technique of Lipps would have yielded predictable results and resulted in an improved system.  It would have been recognized that applying the technique of Lipps to the teachings of Blake would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate risk management into similar systems.  Further, applying control priority to Blake would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow more detailed analysis and improved risk management results.  Blake and Lipps do not expressly disclose the remaining claim elements.
Cole discloses connecting to the network accessible computer asset using a network identifier (See paragraph 12, wherein networks are accessed using computer names or unique identifiers); and 
communicating with the computer asset using respective network protocols (See paragraph 12, wherein computers are monitored using standard protocols) 
As disclosed above, Blake discloses a system directed to monitoring assets to identify risk, and Lipps discloses a system directed to assessing and prioritizing risks.  
One of ordinary skill in the art would have recognized that applying the known technique of Cole would have yielded predictable results and resulted in an improved system.  It would have been recognized that applying the technique of Cole to the teachings of Blake and Lipps would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate risk management into similar systems.  Further, applying identifier and protocol-based communications to Blake and Lipps would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow more detailed analysis and improved risk management.  Blake, Lipps, and Cole do not expressly disclose the remaining claim elements.
Giakouminakis discloses using the identified characteristics to establish a value at risk for the computer asset based in part on network proximity of the computer asset to one or more other network-accessible assets with a similar or higher value at risk (See paragraphs 36 and 48–51, wherein a risk value may be determined based on the proximity of the connection between the asset and other connected assets, and wherein connected assets implicitly have similar risk values).
As disclosed above, Blake discloses a system directed to monitoring assets to identify risk, Lipps discloses a system directed to assessing and prioritizing risks, and 
One of ordinary skill in the art would have recognized that applying the known technique of Giakouminakis would have yielded predictable results and resulted in an improved system.  It would have been recognized that applying the technique of Giakouminakis to the teachings of Blake, Lipps, and Cole would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate risk management into similar systems.  Further, applying identifier and protocol-based communications to Blake, Lipps, and Cole would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow more detailed analysis and improved risk management.  
With respect to claim 21, Blake further discloses a computer program product comprising a computer readable medium and instructions stored in the medium that when executed by a machine cause the machine to perform steps (See paragraph 18).
Claim 2:  Although Blake discloses establishing a value at risk using identified characteristics (See citations above), Blake does not disclose the remaining elements of claim 2.

One of ordinary skill in the art would have recognized that applying the known technique of Lipps would have yielded predictable results and resulted in an improved system for the same reasons as stated above with respect to claim 1.  
Claim 3:  Examiner notes that claim 3 is directed to a method claim.  However, claim 3 does not include any limitations that further limit the claimed method steps.  As a result, the elements of claim 3 have been afforded limited patentable weight, and the elements have been addressed solely for purposes of compact prosecution.
Blake discloses the method of claim 1, wherein the collected data comprises at least one of: network communications, HTTP headers, Network communication protocol headers, HTTP cookies, URLs, HTML, text, images, computer code, videos, files, data files, data, executable files, JavaScript, and configurations (See paragraph 27, wherein text information is collected).
Claim 4:  Examiner notes that claim 4 is directed to a method claim.  However, claim 4 does not include any limitations that further limit the claimed method steps.  As a result, the elements of claim 4 have been afforded limited patentable weight, and the elements have been addressed solely for purposes of compact prosecution.
Blake discloses the method of claim 1, wherein indicators of one or more of types of sensitive data directly accessible through the computer asset include at least one of: name, personal identification number (PIN), account number, birth date. physical 
Claim 5:  Examiner notes that claim 5 is directed to a method claim.  However, claim 5 does not include any limitations that further limit the claimed method steps.  As a result, the elements of claim 5 have been afforded limited patentable weight, and the elements have been addressed solely for purposes of compact prosecution.
Blake discloses the method of claim 1, wherein the collected data comprises identified indicators of one or more of types of sensitive data collected by the computer asset, including at least one of: name, personal identification number (PIN), account number, birth date, physical address, email address, computer asset identifier, telephone number, social media identifier, user identifier, password, authentication credential, personal characteristics, identification numbers of personally owned assets, employment information, education information, medical information, transaction history, free form text, email messages, social media messages, and call recordings (See paragraph 36, wherein employment information is disclosed as resume and job search indicators).
Claim 6:  Examiner notes that claim 6 is directed to a method claim.  However, claim 6 does not include any limitations that further limit the claimed method steps.  As a result, the elements of claim 6 have been afforded limited patentable weight, and the elements have been addressed solely for purposes of compact prosecution.
Blake discloses the method of claim 1, wherein identified indicators of security mechanisms associated with the computer asset, includes at least one of: data encryption mechanism, communications encryption mechanism, authentication mechanism, user id input field, password input field, second-factor authentication input field, captcha, security question, secure cookies, fraud monitoring code, malware detection code, reference to offers of security features, claim of security certification or security testing, and use of HTTP security headers (See paragraph 42, wherein access authorization controls disclose authentication mechanisms).
Claim 7:  Examiner notes that claim 7 is directed to a method claim.  However, claim 7 does not include any limitations that further limit the claimed method steps.  As a result, the elements of claim 7 have been afforded limited patentable weight, and the elements have been addressed solely for purposes of compact prosecution.
Blake discloses the method of claim 1, wherein identified indicators of types of sensitive computer asset functionality provided, including at least one of: file transfer, email communications, chat communications, remote access, remote control, money transfer, file system, file storage, database, data storage, system administration, mobile access gateway, system configuration, content editing, E-commerce, querying data, accessing data, information access, media streaming (e.g., video, sound), and read only configuration (See paragraph 40, wherein file transfer indicators are identified).
Claim 8:  Examiner notes that claim 8 is directed to a method claim.  However, claim 8 does not include any limitations that further limit the claimed method steps.  As a result, the elements of claim 8 have been afforded limited patentable weight, and the elements have been addressed solely for purposes of compact prosecution.
Blake discloses the method of claim 1, wherein identified indicators of computer asset subject includes at least one of: consumer banking, commercial banking, stock trading, financial account data, personally-identifiable data, personal health record data, internal corporate data, automobiles, prescription drugs, real estate, retail, E-commerce, natural resources, customer support, email, animals, investments, and health care (See paragraph 40, wherein confidential or sensitive information discloses internal corporate data).

Conclusion
The following prior art is made of record and not relied upon but is considered pertinent to Applicant’s disclosure:
Ahuja et al. (U.S. 2018/0351988) discloses a system directed to assessing asset criticality and prioritizing risk measures according to asset business value (See paragraphs 16 and 19–20); and
Schrecker et al. (U.S. 2013/0247205) discloses a system directed to calculating assert risks according to asset business value (See paragraph 6).
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S BROCKINGTON III whose telephone number is (571)270-3400.  The examiner can normally be reached on M-F, 8am-5pm, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao Wu can be reached on 571-272-6045.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  





/WILLIAM S BROCKINGTON III/Primary Examiner, Art Unit 3623