DETAILED ACTION
The following is a Non-Final, First Office Action on the Merits in response to communications filed July 31, 2019.  Currently, claims 1–20 are pending.

Information Disclosure Statement
The information disclosure statement filed July 31, 2019 fails to comply with 37 CFR 1.98(a)(2), which requires a legible copy of each cited foreign patent document; each non-patent literature publication or that portion which caused it to be listed; and all other information or that portion which caused it to be listed.  It has been placed in the application file, but the information referred to therein has not been considered.

Claim Objections
Claims 5 and 15 are objected to because of the following informalities:  
MPEP 608.01(m) sets forth that “[e]ach claim begins with a capital letter and ends with a period.”  Claims 5 and 15, however, end with a semicolon.  
Appropriate correction is required.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1–20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 11 recite “the risk scenario” in the “selecting” element.  There is insufficient antecedent basis for this limitation in the claims.  For purposes of examination, the element is interpreted as reciting “selecting a model for identifying a quantitative implicit risk of a risk scenario”.  
Claims 1 and 11 further recite “the contribution” in the “determining … a plurality of control gaps” element.  There is insufficient antecedent basis for this limitation in the claims.  For purposes of examination, the element is interpreted as reciting “a contribution”.
In view of the above, claims 1 and 11 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claims 2–10 and 12–20, which depend from claims 1 and 11, inherit the deficiencies described above.  As a result, claims 2–10 and 12–20 are similarly rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 5 further recites “generating, with a processor”.  However, independent claim 1, from which claim 5 depends, previously recites “a processor”.  As a result, the scope of claim 5 is indefinite because it is unclear whether Applicant intends for “a processor”, as recited in claim 5, to reference the “processor” of claim 1 or intends to introduce a second, different processor.  For purposes of examination, claim 5 is interpreted as reciting “generating, with [[a]] the processor”.
Claims 6 and 16 further recite “determining, for a residual risk value”.  However, independent claims 1 and 11, from which claims 6 and 16 depend, previously recite “calculating … a residual risk value”.  As a result, the scope of claims 6 and 16 is indefinite because it is unclear whether Applicant intends for “a residual risk value”, as recited in claims 6 and 16, to reference the “residual risk value” of claims 1 and 11 or intends to introduce a second, different residual risk value.  For purposes of examination, claims 6 and 16 are interpreted as reciting “determining, for [[a]] the residual risk value”.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1–4, 6–14, and 16–20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  Specifically, claims 1–4, 6–14, and 16–20 are directed to an abstract idea without additional elements amounting to significantly more than the abstract idea.
With respect to Step 2A Prong One of the framework, claim 1 recites an abstract idea.  Claim 1 includes elements for “selecting a model …”; “determining a plurality of assessment activities to apply …”; “determining from the plurality of assessment 
The limitations above recite an abstract idea.  More particularly, the elements above recite certain methods of organizing human activity because the elements describe a process for determining a residual risk value for a scenario and a plurality of control gaps, which amounts to a fundamental economic practice associated with risk mitigation.  Further, the elements for “determining a plurality of risk assessment activities”, “determining a plurality of control gaps”, and “providing a control effectiveness summary” recite mental processes because the elements describe observations or evaluations that could be practically performed in the mind.  Still further, the elements for “determining the threat likelihood of the risk scenario and the business impact of the risk scenario”, “determining the control effectiveness of the risk scenario”, “calculating a residual risk value”, and “generating an overall residual risk score” recite mathematical concepts because the elements, when considered in view of Applicant’s 
Claim 11 recites substantially similar limitations to those presented with respect to claim 1.  As a result, claim 11 recites an abstract idea under Step 2A Prong One for the same reasons as stated above with respect to claim 1.  Similarly, claims 2, 3, 6–10, 12, 13, and 16–20 further describe the process for determining a residual risk value for a scenario and a plurality of control gaps and recite certain methods of organizing human activity, mental processes, and/or mathematical concepts for the same reasons as stated above with respect to claim 1.  As a result, claims 2, 3, 6–10, 12, 13, and 16–20 recite an abstract idea under Step 2A Prong One for the same reasons as stated above with respect to claim 1.
With respect to Step 2A Prong Two of the framework, claim 1 does not include additional elements that integrate the abstract idea into a practical application.  Claim 1 includes an additional element that does not recite an abstract idea under Step 2A Prong One.  The additional element of claim 1 is the recited processor.  When considered in view of the claim as a whole, the processor does not integrate the abstract idea into a practical application because the processor is a generic computing element that is merely used as a tool to perform the recited abstract idea.  As a result, claim 1 does not include additional elements that integrate the abstract idea into a practical application under Step 2A Prong Two.
As noted above, claim 11 recites substantially similar limitations to those presented with respect to claim 1.  Although claim 11 further recites a computer-readable medium and a computer having a processor and memory, the recited 
Claims 2, 7, 8, 12, 17, and 18 do not recite any additional elements beyond those recited with respect to independent claims 1 and 11.  As a result, claims 2, 7, 8, 12, 17, and 18 do not include additional elements that integrate the abstract idea into a practical application under Step 2A Prong Two for the same reasons as stated above with respect to claim 1.
Claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 include additional elements that do not recite an abstract idea under Step 2A Prong One.  More particularly, the additional elements of claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 include the functions for “retrieving” (see claims 3, 4, 6, 9, 13, 14, 16, and 19), “plotting and displaying” (see claims 3, 4, 13, and 14), “transmitting” (see claims 6 and 16), and “receiving” (see claims 10 and 20).  When considered in view of the claims as a whole, the additional elements of claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 do not integrate the abstract idea into a practical application because the additional elements amount to no more than insignificant extrasolution activities to the judicial exception.  As a result, claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 do not include additional elements that integrate the abstract idea into a practical application under Step 2A Prong Two.

As noted above, claim 11 recites substantially similar limitations to those presented with respect to claim 1.  Although claim 11 further recites a computer-readable medium and a computer having a processor and memory, the recited computer elements do not amount to significantly more than the abstract idea because the computer elements are generic computing elements that are merely used as a tool to perform the recited abstract idea.  Further, looking at the additional elements as an ordered combination adds nothing that is not already present when considering the additional elements individually.  As a result, claim 11 does not include additional elements that amount to significantly more than the abstract idea under Step 2B for the same reasons as stated above with respect to claim 1.
Claims 2, 7, 8, 12, 17, and 18 do not recite any additional elements beyond those recited with respect to independent claims 1 and 11.  As a result, claims 2, 7, 8, 12, 17, and 18 do not include additional elements that amount to significantly more than the abstract idea under Step 2B for the same reasons as stated above.
see e.g. Spec. ¶¶ 83 and 94), which describes the additional elements in a manner that indicates that the additional elements are sufficiently well-known.  Further, looking at the additional elements as an ordered combination adds nothing that is not already present when considering the additional elements individually.  As a result, claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 do not include additional elements that amount to significantly more than the abstract idea under Step 2B.
Therefore, the claims are directed to an abstract idea without additional elements amounting to significantly more than the abstract idea.  Accordingly, claims 1–4, 6–14, and 16–20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1, 5–11, and 15–20 are rejected under 35 U.S.C. 103 as being unpatentable over Williams et al. (U.S. 2013/0253979) in view of Beresnevichiene et al. (U.S. 2011/0252479), and in further view of Lipps et al. (U.S. 2012/0053981).
Claims 1 and 11:  Williams discloses a computer-implemented method of identifying and mitigating information security implicit risks for at least one information system, the method comprising: 
for each of a plurality of predetermined risk scenarios (See Abstract), performing the steps of: 
selecting options for identifying a quantitative implicit risk of the risk scenario, wherein the model comprises a plurality of inputs, the plurality of inputs comprising a threat likelihood of the risk scenario in a plurality of threat likelihoods, a business impact of the risk scenario in a plurality of business impacts, and a control effectiveness of the risk scenario in a plurality of control effectivenesses, the risk scenario comprising at least one threat and a targetable system (See paragraphs 4 and 131–134, wherein threat likelihood, impact, and control maturity inputs are determined for a given scenario, and wherein the selected inputs are utilized in determining residual risk); 
determining, with a processor (See Abstract), a plurality of assessment activities to apply, the determination of the plurality of assessment activities being based on at least a determination of whether the at least one information system is vulnerable to the at least one threat (See paragraphs 39, 42, and 131–143, wherein a risk management 
determining, with the processor, from the plurality of assessment activities, the threat likelihood of the risk scenario and the business impact of the risk scenario, and determining, from the threat likelihood of the risk scenario and the business impact of the risk scenario, an implicit risk score for the risk scenario (See paragraphs 4 and 133–134, wherein a risk index is determined, in part, from the risk impact and risk likelihood); 
determining, with the processor, the control effectiveness of the risk scenario, wherein determining the control effectiveness of the risk scenario comprises automatically executing, with the processor, at least one test on the at least one information system, selecting a control framework, and mapping the plurality of assessment activities and a result of the automatically executed at least one test to the control framework (See paragraphs 110 and 39, wherein control effectiveness is determined based on testing results, and wherein documenting a history of scenarios implicitly discloses a mapping between assessment activities and results; see also paragraphs 39 and 98–102); 
calculating, from the implicit risk score and the control effectiveness, a residual risk value, and adding the residual risk value to a set of residual risk values (See paragraph 134, wherein a residual risk is determined; and paragraph 164, wherein a library of scenarios and their scoring is developed); and 

Beresnevichiene discloses selecting a model for a risk scenario comprising at least one threat type (See paragraphs 27–28 and 54, wherein model selection is disclosed; and FIG. 6 and paragraph 47, wherein threats are categorized according to objective for modeling and evaluation purposes);
generating, from the set of residual risk indicators, an overall residual risk score (See FIG. 13 and paragraph 66, wherein an overall residual risk is calculated from a set of control options); 
determining, from the plurality of control effectivenesses and the set of residual risk values, a plurality of control gaps based on the contribution of each of the plurality of control effectivenesses to the overall residual risk score (See paragraph 42, wherein control gaps are determined from the plurality of controls); and 
providing a control effectiveness summary, the control effectiveness summary comprising the plurality of control gaps displayed (See paragraph 42, wherein control gap recommendations are disclosed, and wherein the recommendations are implicitly displayed in view of paragraph 20).
Williams discloses a system directed to evaluating risk scenarios in order to manage risk.  Similarly, Beresnevichiene discloses a system directed to analyzing and mitigating risks.  Each reference discloses a system directed to risk evaluation and management.  The technique of determining control gaps is applicable to the system of 
One of ordinary skill in the art would have recognized that applying the known technique of Beresnevichiene would have yielded predictable results and resulted in an improved system.  It would have been recognized that applying the technique of Beresnevichiene to the teachings of Williams would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate risk management into similar systems.  Further, applying control gap analysis to Williams would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow more detailed analysis and more reliable results.  Williams and Beresnevichiene do not expressly disclose the remaining claim elements.
Lipps discloses controls in a ranked order (See paragraph 173, wherein control gaps are prioritized).
As disclosed above, Williams discloses a system directed to evaluating risk scenarios in order to manage risk, and Beresnevichiene discloses a system directed to analyzing and mitigating risks.  Lipps discloses a system directed to assessing and managing risks.  Each reference discloses a system directed to risk evaluation and management.  The technique of rank ordering control gaps is applicable to the systems of Williams and Beresnevichiene as they each share characteristics and capabilities; namely, they are directed to risk management.
One of ordinary skill in the art would have recognized that applying the known technique of Lipps would have yielded predictable results and resulted in an improved 
With respect to claim 11, Williams further discloses a computer-readable medium embodiment (See paragraphs 172–173 and 175).
Claims 5 and 15:  Williams does not expressly disclose the elements of claim 5.
Beresnevichiene discloses generating, with a processor, based on the set of residual risk values, at least one recommendation for reducing one or more of the set of residual risk values by making at least one adjustment to the at least one information system, the at least one adjustment being specifically identified in the recommendation (See paragraphs 42 and 58, wherein recommendations for risk gaps are identified and presented during customer engagements); 
transmitting, with the processor, the at least one recommendation to an operator of the at least one information system (See paragraphs 42 and 58, wherein recommendations for risk gaps are identified and presented during customer engagements); and 
modifying the at least one information system by making the at least one adjustment (See paragraphs 42 and 58, wherein recommendations are implemented).

Claims 6 and 16:  Williams discloses the computer-implemented method of claim 5, wherein the method further comprises: determining, for a residual risk value in the set of residual risk values, an attack-system pairing (See paragraphs 163–164 and 42, wherein vulnerability-component pairs are disclosed).  Williams does not expressly disclose the remaining elements.
Beresnevichiene discloses retrieving, from a recommendation library, a retrieved recommendation corresponding to the risk (See paragraphs 42 and 58, wherein recommendations are retrieved from a plurality of recommendation/control options); and 
transmitting the retrieved recommendation to the operator of the at least one information system (See paragraphs 42 and 58, wherein recommendations are implicitly transmitted/implemented).
One of ordinary skill in the art would have recognized that applying the known technique of Beresnevichiene would have yielded predictable results and resulted in an improved system for the same reasons as stated with respect to claim 1.
Claims 7 and 17:  Williams discloses the computer-implemented method of claim 5, wherein the method further comprises: determining when the at least one adjustment has been made; and automatically scheduling a second execution of the computer-implemented method when the at least one adjustment has been made (See paragraphs 111 and 132, wherein new risks scores are updated in view of new control states).
Claims 8 and 18:  Williams discloses the computer-implemented method of claim 1, wherein the method further comprises: determining when a predetermined amount of time has passed; and automatically scheduling a second execution of the computer-implemented method when the predetermined amount of time has passed (See paragraphs 104 and 156, wherein control framework content is updated at defined intervals).
Claims 9 and 19:  Williams discloses the computer-implemented method of claim 8, wherein the method further comprises: retrieving at least one assessment activity result for at least one other information system before the predetermined amount of time has passed; and updating the assessment based on the at least one assessment activity result (See paragraphs 111 and 132, wherein new risks scores are updated in view of new control states).  Williams does not expressly disclose the remaining claim elements.
Beresnevichiene discloses updating the model (See FIG. 6, wherein a modeling template is implicitly updated based on assessment activities).
One of ordinary skill in the art would have recognized that applying the known technique of Beresnevichiene would have yielded predictable results and resulted in an improved system for the same reasons as stated with respect to claim 1.
Claims 10 and 20:  Williams discloses the computer-implemented method of claim 1, wherein the step of providing the control effectiveness summary further comprises: receiving at least one hypothetical modification from an operator of the at least one information system; and adjusting the control effectiveness summary including at least one control in the plurality of controls and generating a hypothetical residual risk 
Beresnevichiene discloses control gaps (See paragraph 42).
One of ordinary skill in the art would have recognized that applying the known technique of Beresnevichiene would have yielded predictable results and resulted in an improved system for the same reasons as stated with respect to claim 1.
Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Williams et al. (U.S. 2013/0253979) in view of Beresnevichiene et al. (U.S. 2011/0252479), and in further view of Lipps et al. (U.S. 2012/0053981) and Peterson (U.S. 2066/0116898).
Claims 2 and 12:  As disclosed above, Williams, Beresnevichiene, and Lipps disclose the elements of claim 1.
Williams discloses the computer-implemented method of claim 1, wherein the step of generating, from the set of residual risk values, the overall residual risk score further comprises generating, from the plurality of control effectivenesses and the control framework, a score (See paragraph 154), wherein generating the compliance alignment score comprises: 
assigning each control type a different weight, and adjusting each control effectiveness value by the weight of its alignment level; and summing the control effectiveness values (See paragraph 154, wherein a control effectiveness measure is determined as a weighted average of each type of control, and wherein each control 
Peterson discloses classifying each control in the plurality of controls as having a certain alignment level, wherein the alignment level is one of: a primary control, a secondary control, and a tertiary control (See paragraph 108, wherein controls are classified as primary or secondary).
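The claim elements mapped above (implicit risk from threat likelihood and business impact, residual risk from implicit risk and control effectiveness, an overall residual risk score, control gaps ranked by each control's contribution, and the weighted primary/secondary/tertiary alignment score of claims 2 and 12) describe a scoring pipeline without fixing any formula. The following is an added worked example, not code from the application or from Williams, Beresnevichiene, Lipps or Peterson; the product and (1 - effectiveness) formulas, the alignment weights, the normalization by total weight, the sum used as the overall score, and the sample scenarios are all assumptions chosen for illustration. The control-gap step is computed as a what-if (each control set to fully effective in turn), which also mirrors the hypothetical-modification step of claims 10 and 20.

```python
from dataclasses import dataclass, replace

# Assumed weights for the primary/secondary/tertiary alignment levels of claim 2
# (the application gives no values; these are illustrative only).
ALIGNMENT_WEIGHTS = {"primary": 1.0, "secondary": 0.6, "tertiary": 0.3}


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float   # assumed 0..1 scale, 1.0 = fully effective
    alignment: str         # "primary", "secondary" or "tertiary"


@dataclass(frozen=True)
class RiskScenario:
    name: str
    threat: str
    target: str                # the claim's "targetable system"
    threat_likelihood: float   # assumed 0..1 scale
    business_impact: float     # assumed 0..1 scale
    controls: tuple            # Control instances applied to this scenario


def implicit_risk(scenario: RiskScenario) -> float:
    """Implicit risk score from likelihood and impact (assumed: their product)."""
    return scenario.threat_likelihood * scenario.business_impact


def control_effectiveness(controls) -> float:
    """Claim 2 style score: weight each control by its alignment level and sum.
    Dividing by the total weight is an added assumption that keeps the
    result on the same 0..1 scale as the individual controls."""
    total_weight = sum(ALIGNMENT_WEIGHTS[c.alignment] for c in controls)
    weighted = sum(ALIGNMENT_WEIGHTS[c.alignment] * c.effectiveness for c in controls)
    return weighted / total_weight if total_weight else 0.0


def residual_risk(scenario: RiskScenario) -> float:
    """Residual risk from implicit risk and control effectiveness
    (assumed formula: implicit * (1 - effectiveness))."""
    return implicit_risk(scenario) * (1.0 - control_effectiveness(scenario.controls))


def overall_residual_risk(scenarios) -> float:
    """Overall score over the set of residual risk values (assumed: their sum)."""
    return sum(residual_risk(s) for s in scenarios)


def control_gaps(scenarios):
    """Control gaps ranked by each control's contribution to the overall score.
    Contribution is measured as a what-if: how far the overall residual risk
    would fall if that single control were made fully effective."""
    baseline = overall_residual_risk(scenarios)
    gaps = {}
    for i, s in enumerate(scenarios):
        for j, c in enumerate(s.controls):
            fixed = replace(c, effectiveness=1.0)
            new_controls = s.controls[:j] + (fixed,) + s.controls[j + 1:]
            what_if = list(scenarios)
            what_if[i] = replace(s, controls=new_controls)
            gaps[c.name] = gaps.get(c.name, 0.0) + baseline - overall_residual_risk(what_if)
    # Largest remaining gap first (the ranked order attributed to Lipps above).
    return sorted(gaps.items(), key=lambda kv: kv[1], reverse=True)


def control_effectiveness_summary(scenarios) -> list:
    """Text summary of the overall score and the ranked control gaps."""
    lines = [f"overall residual risk: {overall_residual_risk(scenarios):.3f}"]
    for name, gap in control_gaps(scenarios):
        lines.append(f"gap {name}: {gap:.3f}")
    return lines


# Constructed sample scenarios (not taken from the application or the references).
SCENARIOS = (
    RiskScenario("phishing vs mail gateway", "phishing", "mail gateway", 0.8, 0.5,
                 (Control("mfa", 0.9, "primary"),
                  Control("awareness training", 0.5, "secondary"))),
    RiskScenario("ransomware vs file server", "ransomware", "file server", 0.4, 1.0,
                 (Control("offline backups", 0.6, "primary"),
                  Control("edr", 0.7, "secondary"),
                  Control("patching", 0.2, "tertiary"))),
)

if __name__ == "__main__":
    print("\n".join(control_effectiveness_summary(SCENARIOS)))
```

With the sample data the weighted control effectiveness of the phishing scenario is 0.75 and its residual risk 0.1; the ranked gaps put "offline backups" first because a primary-weighted control with low effectiveness leaves the most residual risk on the table, even though "patching" has the lowest raw effectiveness.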
As disclosed above, Williams discloses a system directed to evaluating risk scenarios in order to manage risk, Beresnevichiene discloses a system directed to analyzing and mitigating risks, and Lipps discloses a system directed to assessing and managing risks.  Peterson discloses a system directed to assessing and managing reputational risk.  Each reference discloses a system directed to risk evaluation and management.  The technique of classifying control alignment is applicable to the systems of Williams, Beresnevichiene, and Lipps as they each share characteristics and capabilities; namely, they are directed to risk management.
One of ordinary skill in the art would have recognized that applying the known technique of Lipps would have yielded predictable results and resulted in an improved system.  It would have been recognized that applying the technique of Lipps to the teachings of Williams, Beresnevichiene, and Lipps would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate risk management into similar systems.  Further, applying control alignment classification to Williams, Beresnevichiene, and Lipps would 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S BROCKINGTON III whose telephone number is (571)270-3400.  The examiner can normally be reached on M-F, 8am-5pm, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao Wu can be reached on 571-272-6045.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 

/WILLIAM S BROCKINGTON III/           Primary Examiner, Art Unit 3623