DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Remarks
In a response filed on February 22, 2021 (the “Response”), Applicant: (1) cancels claim 6; and (2) amends claims 1, 2, 4, 5, 7, 9, 10, 12, 13, 16, 17, 19 and 20.
Claims 1-5 and 7-20 are presented for examination.
Drawings
The drawings were received on February 22, 2021.  These drawings are acceptable.
Specification
The amendment to the specification was received on February 22, 2021.  This amendment to the specification is acceptable.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-5 and 7-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
To be specific, the preambles of claims 1, 9 and 16 are drawn to a “method,” a “system” and a “non-transitory computer-readable medium” for “determining a secured system security risk score,” respectively.  A method, system and non-transitory (Step 1: YES).
Turning to the body of the claims, their limitations further include inter alia the following features:
“receiving…security data corresponding to a security vulnerability of each of a plurality of servers, each of the plurality of servers being associated with a secured system;
determining a server security risk score, for each of the plurality of servers, based on the security data corresponding to a security risk for each of the plurality of servers;
modifying the server security risk score, for each of the plurality of servers, based on a time elapsed since a discovery of each security vulnerability, the modifying including:
determining that a predetermined security time period has elapsed without security data for a first server of the plurality of servers; and
modifying the server security risk score, for the first server, based on determining that the predetermined security time period has elapsed without security data; and
determining the secured system security risk score, associated with the secured system, based on the modified server security risk score for each of the plurality of servers.”

However, Examiner notes that the foregoing limitations can be “performed in the human mind.”  Therefore, Examiner respectfully submits that claims 1, 9 and 16 are directed to an abstract idea.  (Step 2A: YES).
In addition to the foregoing abstract idea, the claims further require that the aforementioned “receiving” function (or step) is performed “on an electronic network….”  And Examiner notes that such a generic application of a mental process to the technological environment of “an electronic network” amounts to no more than data gathering.  However, “mere data-gathering steps cannot make an otherwise nonstatutory claim statutory.”  CyberSource Corp. v. Retail Decisions, Inc., 654 F.3d 1366, 1370 (Fed. Cir. 2011); See also MPEP 2106.05(b)(III).  (Step 2B: NO).

“determining a level of server hosting environment protections according to predetermined criteria; and
modifying the server security risk score, for each of the plurality of servers, based on the determined level of server hosting environment protections.”

However, these limitations are also directed to steps that can be “performed in the human mind.”  Therefore, claims 2, 10 and 17 do not include limitations that amount to significantly more than the foregoing abstract idea of their base claims.  (Step 2B: NO).
Regarding claims 3, 11 and 18, these claims further include the following limitations:
 “determining a system categorization of the secured system; and
modifying the secured system security risk score based upon the system categorization.”

However, these limitations are also directed to steps that can be “performed in the human mind.”  Therefore, claims 3, 11 and 18 do not include limitations that amount to significantly more than the foregoing abstract idea of their base claims.  (Step 2B: NO).
Regarding claims 4, 12 and 19, these claims further include the following limitations:
“determining a security impact for the secured system; and
determining at least one of a mitigation priority or a remediation priority for the secured system based upon each associated server risk score and the security impact.”

However, these limitations are also directed to steps that can be “performed in the human mind.”  Therefore, claims 4, 12 and 19 do not include limitations that amount to significantly more than the foregoing abstract idea of their base claims.  (Step 2B: NO).

 “determining that a predetermined security time period has elapsed without at least one of security risk mitigation or remediation for a first server of the plurality of servers; and
modifying the server security risk score, for the first server, based on determining that the predetermined security time period has elapsed without the at least one of security risk mitigation or remediation.”

However, these limitations are also directed to steps that can be “performed in the human mind.”  Therefore, claims 5, 13 and 20 do not include limitations that amount to significantly more than the foregoing abstract idea of their base claims.  (Step 2B: NO).
Regarding claims 7 and 14, these claims further include the following limitations:
 “determining a second secured system security risk score; and
determining an organization risk score, associated with the organization, based on the determined secured system security risk score and the second secured system security risk score.”

However, these limitations are also directed to steps that can be “performed in the human mind.”  Therefore, claims 7 and 14 do not include limitations that amount to significantly more than the foregoing abstract idea of their base claims.  (Step 2B: NO).
Regarding claims 8 and 15, these claims further include the following limitations:
 “displaying indicators corresponding to the secured system, secured system security risk score, plurality of servers, and server security risk score for each of the plurality of servers, on a graphic comprising a plurality of concentric circles.”

These limitations require that “a graphic comprising a plurality of concentric circles” is used for “displaying indicators” of “the secured system, secured system security risk score, plurality of servers, and server security risk score for each of the plurality of servers.” However, merely applying the display (or indication) of such information to the technological environment of “graphics” that include “concentric circles” is simply a data-CyberSource Corp., 654 F.3d 1366 at 1370; MPEP 2106.05(b)(III).  Therefore, claims 8 and 15 do not include limitations that amount to significantly more than the foregoing abstract idea of their base claims.  (Step 2B: NO).
Appropriate correction is required.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kalish Bell whose telephone number is (571) 272-5294.  The examiner can normally be reached on 9am-5pm, M-F.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/KALISH K BELL/Examiner, Art Unit 2432


/MORSHED MEHEDI/Primary Examiner, Art Unit 2432