Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03/01/2021 has been entered.
Claims 1-19 are under examination.


Allowable Subject Matter
Claim 10 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 and 11-19 are rejected under 35 U.S.C. 103 as being unpatentable over Walheim et al. (US 2018/0020018 A1), Watters et al. (US 2012/0233698 A1), Ganor (US 2018/0375892 A1) and Iyer et al. (US 2018/0316711 A1).
Regarding claim 1, Walheim et al. discloses An integrated resource landscape system for remediating threats [abs, “Methods and systems are for analyzing and measuring cyber risk using analytical approaches… enable the enterprise leadership to make prudent, informed decisions on how to address individual cyber risks (e.g., determine risk policy) and/or modify existing network deployments or policies”], the system comprising: one or more memory components having computer readable code stored thereon; and one or more processing components operatively coupled to the one or more memory components, wherein the one or more processing components are configured to execute the computer readable code to: access a resource inventory of resources within an organization [par. 0024, “The cyber risk analysis tool may include a data repository and/or memory for storing data used to perform the cyber threat analysis. The data repository may store threat data, infrastructure data, departmental operation data, sentiment data, and/or enterprise information data”, par. 0033]; access a [par. 0024, “The data repository may store threat data”, par. 0040, “The network behavior risk analysis tool may be performed based on known vulnerabilities identified from one or more sources”]; cross referencing the resources with the threat vectors to define threats points within a threat point matrix [par. 0040, par. 0041, “the behavioral analysis may utilize the discovered network architecture to simulate how different types of attacks may affect varying portions of the network architecture and thus expose different types of information assets to one or more vulnerabilities based on the manner in which the information assets are stored in the network architecture”, par. 0043, “The simulated attack may include applying one or more preconfigured threat vectors to the enterprise system. 
A threat vector may be a cyber threat that may include one or more adversary profiles and/or a vulnerability database”, par. 0044, “The one or more vulnerabilities of the enterprise system may be indexed by affected information assets and/or the threats that may compromise them. For example, a vulnerabilities matrix may be determined based on the network behavioral analysis”, par. 0045, operational unit impact]; a change to a configuration of one of the resources comprises at least other resources to which the resource is connected [par. 0020, par. 0021, “changes in where specific information assets are stored, changes in security protocols on one or more devices, and/or changes in the network architecture may affect the result of the threat analysis”, par. 0033, “Information assets may be identified for each node in the network. In this manner, a granular analysis may be performed where each node is analyzed in accordance with the individual information assets stored on or accessible to that node”]; determine an effect of the change on the threat points within the threat point matrix; [par. 0008, “changes to the underlying network architecture could also be evaluated to determine whether the change would result in a lower cyber-attack system risk”, par. 0020, par. 0021, “changes in where specific information assets are stored, changes in security protocols on one or more devices, and/or changes in the network architecture may affect the result of the threat analysis”];
Walheim et al. does not explicitly disclose determine priorities for the threat points based on the threat points and the controls.  
However Watters et al. teaches determine priorities for the threat points based on the threat points and the controls [par. 0021, “The security risk management tool may present visualizations of the exposure to threats, the projected impact of threats, and/or the projected financial losses from security attacks of an organization based on an analysis of the threat vulnerability and/or susceptibility of the organization to attacks and based on an analysis of the offsetting security countermeasures that the organization has deployed to mitigate security risks posed by the threats”, par. 0032, “This initial deep analysis may comprise identifying valued assets, determining attack vulnerabilities of these valued assets, assigning weights and/or importance values to the security of the subject assets”, par. 0050, “the risk metric represents a forecast financial loss relationship and/or graphical curve for the organization 102, where at least one of the independent variables of the relationship and/or curve is an investment in security measures”, par. 0069, “the revised security risk metric may be presented, for example on the user interface 154 of one of the workstations 142”].  
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Watters et al. into the [Watters et al: par. 0019].
They do not explicitly disclose cross referencing controls from a control inventory with the threat points; and display to a user the threat points within one or more graphical interfaces illustrating the priorities with respect to the threat points alone and integrated with controls, metrics, policies, and rules, wherein the display allows navigation of various elements for connection identification of threats for the resources within an organization.
However Ganor teaches cross referencing controls from a control inventory with the threat points; and display to a user the threat points within one or more graphical interfaces illustrating the priorities with respect to the threat points alone and integrated with controls, metrics, policies, and rules, wherein the display allows navigation of various elements for connection identification of threats for the resources within an organization [abs, “The device is also configured to calculate a risk exposure metric for an asset of the enterprise based on the enterprise activity and whether the enterprise is complying with the security policies and procedures, and output, to the display, a graphical user interface (GUI) identifying the risk exposure metric”, par. 0017, “The GUI may also allow the security personnel to oversee and manage enterprise security from a single location/user interface and/or from multiple locations via multiple user interfaces. In addition, the system may generate recommendations regarding the deployment of resources and also initiate measures to mitigate the risk exposure”, par. 0070, “cyber risk management and strategic planning logic 330 may interface with machine learning and profiling logic 380 to enable an enterprise to align its cyber work plans and security investments to the desired critical business assets' risk exposure… recommend and prioritize courses of actions (e.g., work plans, mitigations, budgets), govern compliance activities and regulation controls, manage day-to-day CISO tasks and responsibilities, including incident follow-up, awareness programs, security controls, policies and procedures, etc”, par. 0087, par. 0092].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ganor into the teaching of Walheim et al. and Watters et al. with the motivation such that appropriate security personnel can define, manage and control all aspects of enterprise security management to minimize and/or prevent the exposure of company assets and to ensure that the enterprise is adhering to the security policies set by governing laws, privacy requirements and regulations and the enterprise's responsible security administrators as taught by Ganor [Ganor: par. 0017].
They do not explicitly disclose receive a change to a configuration of one of the resources, the change comprises at least users that can access the resource, the ability of the resource to perform a task; receive an indication from the user that the effect of the change is acceptable; and implement the change to a configuration of one of the resources.
However, Iyer et al. teaches receive a change to a configuration of one of the resources, the change comprises at least users that can access the resource, the ability of the resource to [par. 0022, “the threat protection system 102 may determine that the configuration setting for the application 128 should be set to turn-off the functionality 130c”, par. 0028, “the threat mitigation and recommendation module 232 may recommend configuration settings for an application which proscribes enablement, disablement, opt-in, opt-out, etc., configuration settings for various application functionalities”, par. 0041, “an operation 525 determines if the threat protection system has approval to change the configuration settings on such other devices used by the user... If it is determined that such approval is available, an operation 530 modifies the configuration settings for the application on other devices. If no approval is available, an operation 540 merely recommends such modification to the user or to an administrator”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Iyer et al. into the teaching of Walheim et al. and Watters et al. and Ganor with the motivation for modifying configuration setting for personalized threat protection for users of one or more software applications as taught by Iyer et al. [Iyer et al.: par. 0040].
Regarding claim 2, the rejection of claim 1 is incorporated.
Ganor further teaches access the control inventory for controls within the organization that mitigate the threat points; define an element matrix based on the cross reference the controls with the threat points; determine priorities for the threat points based on the controls; and display to the user the element matrix within the one or more graphical interfaces [abs, “The device is also configured to calculate a risk exposure metric for an asset of the enterprise based on the enterprise activity and whether the enterprise is complying with the security policies and procedures, and output, to the display, a graphical user interface (GUI) identifying the risk exposure metric”, par. 0017, “The GUI may also allow the security personnel to oversee and manage enterprise security from a single location/user interface and/or from multiple locations via multiple user interfaces. In addition, the system may generate recommendations regarding the deployment of resources and also initiate measures to mitigate the risk exposure”, par. 0070, “cyber risk management and strategic planning logic 330 may interface with machine learning and profiling logic 380 to enable an enterprise to align its cyber work plans and security investments to the desired critical business assets' risk exposure… recommend and prioritize courses of actions (e.g., work plans, mitigations, budgets), govern compliance activities and regulation controls, manage day-to-day CISO tasks and responsibilities, including incident follow-up, awareness programs, security controls, policies and procedures, etc”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ganor into the teaching of Walheim et al. and Watters et al. with the motivation such that appropriate security personnel can define, manage and control all aspects of enterprise security management to minimize and/or prevent the exposure of company assets and to ensure that the enterprise is adhering to the security policies set by governing laws, privacy requirements and regulations and the enterprise's responsible security administrators as taught by Ganor [Ganor: par. 0017].
Regarding claim 3, the rejection of claim 1 is incorporated.
Walheim et al. and Watters et al. disclose display to a user the threat points within one or more graphical interfaces illustrating the priorities with respect to the threat points.
They do not explicitly disclose access a metrics inventory for metrics within the organization that indicate how the threat points are measured; cross reference the metrics with the threat points to define an element matrix; determine priorities for the threat points based on the metrics; and [Page 24 of 31, Atty. Docket No. 8504US1.014033.3270] display to the user the element matrix within the one or more graphical interfaces illustrating the priorities with respect to the threat points and the metrics.
However Ganor teaches access a metrics inventory for metrics within the organization that indicate how the threat points are measured; cross reference the metrics with the threat points to define an element matrix; determine priorities for the threat points based on the metrics; and display to the user the element matrix within the one or more graphical interfaces illustrating the priorities with respect to the threat points and the metrics [abs, “The device is also configured to calculate a risk exposure metric for an asset of the enterprise based on the enterprise activity and whether the enterprise is complying with the security policies and procedures, and output, to the display, a graphical user interface (GUI) identifying the risk exposure metric”, par. 0106, “GUI 1000 includes a questions area 1010, and a cyber exposure area 1020. Questions area 1010 includes a number of questions provided to enterprise personnel, such as "How often do you conduct a phishing test/campaign?"; "Did you encounter a cyber incident?"; etc. Cyber exposure area 1020 includes a graphical representation of asset exposure, awareness, defense layers, policy and procedures, regulation compliance, security compliance and threats”, par. 0107, “Questions area 1110 includes additional questions, such as "How many servers are at the company?"; "Do you have network segmentation?"; etc. Questions area 1110 also includes questions regarding types of security devices installed by the enterprise”, par. 0108, “enterprise cyber exposure area 1220 displays the enterprise's exposure and risk scores for assets, awareness, defense layers, policy and procedures, regulation compliance, security operations and threats, along with an overall total score. In this manner, responsible security personnel may view GUI 1200 and quickly identify areas that may need immediate attention based on, for example, the individual score and/or the comparison to peer scores”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ganor into the teaching of Walheim et al. and Watters et al. with the motivation such that appropriate security personnel can define, manage and control all aspects of enterprise security management to minimize and/or prevent the exposure of company assets and to ensure that the enterprise is adhering to the security policies set by governing laws, privacy requirements and regulations and the enterprise's responsible security administrators as taught by Ganor [Ganor: par. 0017].
Regarding claim 4, the rejection of claim 1 is incorporated.
Walheim et al. further discloses access a policies inventory for policies within the organization that indicate operation of the threat points; cross reference the policies with the threat points to define an element matrix; determine priorities for the threat points based on the policies [par. 0021, “The cyber risk analysis tool may consider the overall network architecture, the vulnerabilities of the architecture based on security systems and policies”, par. 0029, “The network behavior risk analysis tool 200 may generate (e.g., render) a digital model of the computing infrastructure of the enterprise, for example using data received from the enterprise network 220... The digital model may be generated in part based on one or more network policies (e.g., security polices) determined from the network analysis”, par. 0009, “The cyber risk analysis tool may quantitatively measure the financial and/or reputation impact(s) of cyber risk(s) on an enterprise. The financial and/or reputation impacts of cyber risk may be measured based on deterministic methods, resulting in quantitative risk indicators such that users may establish risk management priorities and/or appropriate expenditures commensurate with exposure. The cyber risk analysis tool (and associated tool) may determine a risk result under certain predetermined attack scenarios with a relatively high level of precision”];  
Watters et al. further teaches display to the user the element matrix within the one or more graphical interfaces illustrating the priorities with respect to the threat points [par. 0021, “The security risk management tool may present visualizations of the exposure to threats”, par. 0036, “one skilled in the art will readily determine a triage scheme and correlation criteria for associating manifest threat vectors to the correlation levels that is effective for discriminating among the varying amounts of interest that the threat intelligence and/or the manifest threat vectors have to the organization 102. The correlation levels may be defined by rules and/or lookup tables that are defined by each organization 102 and stored in the first data store 110 or configured into the first threat router application 114”, par. 0069, “the revised security risk metric may be presented, for example on the user interface 154 of one of the workstations 142”].  
[Watters et al: par. 0019].
They do not explicitly disclose display to the user the element matrix within the one or more graphical interfaces illustrating the priorities with respect to the threat points and the policies.  
However Ganor teaches display to the user the element matrix within the one or more graphical interfaces illustrating the priorities with respect to the threat points and the policies [abs, “The device is also configured to calculate a risk exposure metric for an asset of the enterprise based on the enterprise activity and whether the enterprise is complying with the security policies and procedures, and output, to the display, a graphical user interface (GUI) identifying the risk exposure metric”, par. 0108, “enterprise cyber exposure area 1220 displays the enterprise's exposure and risk scores for assets, awareness, defense layers, policy and procedures, regulation compliance, security operations and threats, along with an overall total score. In this manner, responsible security personnel may view GUI 1200 and quickly identify areas that may need immediate attention based on, for example, the individual score and/or the comparison to peer scores”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ganor into the teaching of Walheim et al. and Watters et al. with the motivation such that appropriate security personnel can define, manage and control all aspects of enterprise security management to minimize and/or prevent the exposure of company assets and to ensure that the enterprise is adhering to the security policies set by governing laws, privacy requirements and regulations and the enterprise's responsible security administrators as taught by Ganor [Ganor: par. 0017].
Regarding claim 5, the rejection of claim 1 is incorporated.
Walheim et al. and Watters et al. disclose display to a user the threat points within one or more graphical interfaces illustrating the priorities with respect to the threat points.
They do not explicitly disclose access a rules inventory for rules outside the organization that indicate operation of the threat points; cross reference the rules with the threat points to define an element matrix; determine priorities for the threat points based on the rules; and display to the user the element matrix within the one or more graphical interfaces illustrating the priorities with respect to the threat points and the rules.  
However Ganor teaches access a rules inventory for rules outside the organization that indicate operation of the threat points; cross reference the rules with the threat points to define an element matrix; determine priorities for the threat points based on the rules; and display to the user the element matrix within the one or more graphical interfaces illustrating the priorities with respect to the threat points and the rules [abs, “The device is also configured to calculate a risk exposure metric for an asset of the enterprise based on the enterprise activity and whether the enterprise is complying with the security policies and procedures, and output, to the display, a graphical user interface (GUI) identifying the risk exposure metric”, par. 0015, “collecting and processing data from multiple sources and quantifying an exposure of a company's assets to various cyber threats and/or level of compliance with regulations and privacy laws”, par. 0108, “enterprise cyber exposure area 1220 displays the enterprise's exposure and risk scores for assets, awareness, defense layers, policy and procedures, regulation compliance, security operations and threats, along with an overall total score. In this manner, responsible security personnel may view GUI 1200 and quickly identify areas that may need immediate attention based on, for example, the individual score and/or the comparison to peer scores”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ganor into the teaching of Walheim et al. and Watters et al. with the motivation such that appropriate security personnel can define, manage and control all aspects of enterprise security management to minimize and/or prevent the exposure of company assets and to ensure that the enterprise is adhering to the security policies set by governing laws, privacy requirements and regulations and the enterprise's responsible security administrators as taught by Ganor [Ganor: par. 0017].
Regarding claim 6, the rejection of claim 1 is incorporated.
Walheim et al. discloses access one or more element inventories for elements [par. 0024, “The cyber risk analysis tool may include a data repository and/or memory for storing data used to perform the cyber threat analysis. The data repository may store threat data, infrastructure data, departmental operation data, sentiment data, and/or enterprise information data”, par. 0033]; cross reference the threat points with the elements to define one or more element matrices [par. 0040, par. 0041, “the behavioral analysis may utilize the discovered network architecture to simulate how different types of attacks may affect varying portions of the network architecture and thus expose different types of information assets to one or more vulnerabilities based on the manner in which the information assets are stored in the network architecture”, par. 0043, “The simulated attack may include applying one or more preconfigured threat vectors to the enterprise system. A threat vector may be a cyber threat that may include one or more adversary profiles and/or a vulnerability database”, par. 0044, “The one or more vulnerabilities of the enterprise system may be indexed by affected information assets and/or the threats that may compromise them. For example, a vulnerabilities matrix may be determined based on the network behavioral analysis”, par. 0045, operational unit impact]; determine priorities for the threat points based on the elements [par. 0050, “the resulting enterprise impact matrix may be filtered, queried, and/or sorted to identify the impact on the enterprise objective of any information asset from any threat on the entire enterprise”, par. 0009, “resulting in quantitative risk indicators such that users may establish risk management priorities and/or appropriate expenditures commensurate with exposure”]; 
Watters et al. further teaches display to the user the one or more element matrices within the one or more graphical interfaces illustrating the priorities with respect to the threat points and the elements [par. 0021, “The security risk management tool may present visualizations of the exposure to threats, the projected impact of threats, and/or the projected financial losses from security attacks of an organization based on an analysis of the threat vulnerability and/or susceptibility of the organization to attacks and based on an analysis of the offsetting security countermeasures that the organization has deployed to mitigate security risks posed by the threats”, par. 0032, “This initial deep analysis may comprise identifying valued assets, determining attack vulnerabilities of these valued assets, assigning weights and/or importance values to the security of the subject assets”, par. 0050, “the risk metric represents a forecast financial loss relationship and/or graphical curve for the organization 102, where at least one of the independent variables of the relationship and/or curve is an investment in security measures”, par. 0069, “the revised security risk metric may be presented, for example on the user interface 154 of one of the workstations 142”].  
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Watters et al. into the teaching of Walheim et al. with the motivation such that a notification can be generated and transmitted to an individual or team in the organization that is responsible for securing the organization against the subject threat. The threat catalog may assign a weight to each threat vector to indicate a range of vulnerability amplitude. The threats stored in the threat catalog can identify the appropriate individual, individuals, team, and/or teams responsible for securing the organization against each cataloged threat as taught by Watters et al. [Watters et al: par. 0019].
They do not explicitly disclose access one or more element inventories for elements comprising at least controls, metrics, policies, and rules for operation of the threat points.
[par. 0015, “collecting and processing data from multiple sources and quantifying an exposure of a company's assets to various cyber threats and/or level of compliance with regulations and privacy laws”, par. 0017, recommendations, par. 0070, recommend and prioritize courses of actions (e.g., work plans, mitigations, budgets), par. 0106, “How often do you conduct a phishing test/campaign?"; "Did you encounter a cyber incident?", par. 0107, "How many servers are at the company?"; "Do you have network segmentation?", par. 0108, “enterprise cyber exposure area 1220 displays the enterprise's exposure and risk scores for assets, awareness, defense layers, policy and procedures, regulation compliance, security operations and threats, along with an overall total score. In this manner, responsible security personnel may view GUI 1200 and quickly identify areas that may need immediate attention based on, for example, the individual score and/or the comparison to peer scores”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ganor into the teaching of Walheim et al. and Watters et al. with the motivation such that appropriate security personnel can define, manage and control all aspects of enterprise security management to minimize and/or prevent the exposure of company assets and to ensure that the enterprise is adhering to the security policies set by governing laws, privacy requirements and regulations and the enterprise's responsible security administrators as taught by Ganor [Ganor: par. 0017].
Regarding claim 7, the rejection of claim 6 is incorporated.
[par. 0016, “generate an estimated risk exposure for a company/enterprise's assets based on the enterprise's security measures and display that risk exposure to a user. In one implementation, the user, via a workstation/client system, may request a cyber security work plan that will reduce the risk associated with the enterprise's assets. The system/server receives the user request, which may include identifiers associated with the assets and a desired exposure level for the assets. The system generates an optimized work plan based on the requested assets' exposure level. The system may also estimate resource expenditures, including manpower expenditures in terms of time and monetary expenditures which may include costs of new equipment, etc., to achieve the requested exposure level”, par. 0102, “user interface logic 310 may allow the user to identify particular activities that may be performed, such as changing a policy, adding a firewall, etc. Cyber risk management and strategic planning logic 330 may then calculate a predicted change in assets' exposure based on the activity being performed. In this manner, a CISO may identify particular activities that may be contemplated within the enterprise and determine an asset risk level reduction if the activity is actually performed”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ganor into the teaching of Walheim et al. and Watters et al. with the motivation such that appropriate security personnel can define, manage and control all aspects of enterprise security management to minimize [Ganor: par. 0017].
Regarding claim 8, the rejection of claim 6 is incorporated.
Walheim et al. further discloses receive a change to at least one element of the elements; access a relational database that stores nodes for relationships between the elements [par. 0033, “Information assets may be identified for each node in the network. In this manner, a granular analysis may be performed where each node is analyzed in accordance with the individual information assets stored on or accessible to that node”, par. 0034, representations of information assets may include relational databases]; determine the nodes affected by the change to the at least one element; identify other elements associated with the nodes within the relational database [par. 0008, “changes to the underlying network architecture could also be evaluated to determine whether the change would result in a lower cyber-attack system risk”, par. 0020, par. 0021, “changes in where specific information assets are stored, changes in security protocols on one or more devices, and/or changes in the network architecture may affect the result of the threat analysis”, par. 0033, “Information assets may be identified for each node in the network. In this manner, a granular analysis may be performed where each node is analyzed in accordance with the individual information assets stored on or accessible to that node”, par. 0034, representations of information assets may include relational databases];
 Watters et al. further teaches display the elements associated with the nodes to the user through a user computer system [par. 0021, “The security risk management tool may present visualizations of the exposure to threats, the projected impact of threats, and/or the projected financial losses from security attacks of an organization based on an analysis of the threat vulnerability and/or susceptibility of the organization to attacks and based on an analysis of the offsetting security countermeasures that the organization has deployed to mitigate security risks posed by the threats”, par. 0032, “This initial deep analysis may comprise identifying valued assets, determining attack vulnerabilities of these valued assets, assigning weights and/or importance values to the security of the subject assets”, par. 0050, “the risk metric represents a forecast financial loss relationship and/or graphical curve for the organization 102, where at least one of the independent variables of the relationship and/or curve is an investment in security measures”, par. 0069, “the revised security risk metric may be presented, for example on the user interface 154 of one of the workstations 142”].  
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Watters et al. into the teaching of Walheim et al. with the motivation such that a notification can be generated and transmitted to an individual or team in the organization that is responsible for securing the organization against the subject threat. The threat catalog may assign a weight to each threat vector to indicate a range of vulnerability amplitude. The threats stored in the threat catalog can identify the appropriate individual, individuals, team, and/or teams responsible for securing the organization against each cataloged threat as taught by Watters et al. [Watters et al: par. 0019].
Regarding claim 11, the rejection of claim 1 is incorporated.
[par. 0024, “The data repository may organize and/or categorize each type of information. For example, data and/or results of each of the analyses of the cyber risk analysis tool may be stored and/or formatted for further analysis”].
Regarding claim 12, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 13, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 14, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 15, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 16, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.
Regarding claim 18, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.
Regarding claim 19, it recites limitations similar to claim 8. The reason for the rejection of claim 8 is incorporated herein.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Walheim et al. (US 2018/0020018 A1), Watters et al. (US 2012/0233698 A1), Ganor (US 2018/0375892 A1) and Iyer et al. (US 2018/0316711 A1) as applied to claims 1-8 and 11-19 above, and further in view of Comeaux et al. (US 10,567,402 B1).
Regarding claim 9, the rejection of claim 8 is incorporated.
Walheim et al. further discloses determine the threat points based on the nodes affected by the change to the at least one of the elements [par. 0008, “changes to the underlying network architecture could also be evaluated to determine whether the change would result in a lower cyber-attack system risk”, par. 0020, par. 0021, “changes in where specific information assets are stored, changes in security protocols on one or more devices, and/or changes in the network architecture may affect the result of the threat analysis”, par. 0033, “Information assets may be identified for each node in the network. In this manner, a granular analysis may be performed where each node is analyzed in accordance with the individual information assets stored on or accessible to that node”, par. 0034, representations of information assets may include relational databases];
They do not explicitly disclose determine updated priorities for the threat points based on the nodes affected by the change to the at least one of the elements; and display to the user the one or more element matrices within the one or more graphical interfaces illustrating the updated priorities with respect to the threat points and the elements.  
However Comeaux et al. teaches determine updated priorities for the threat points based on the change to the at least one of the elements; and display to the user the one or more element matrices within the one or more graphical interfaces illustrating the updated [col. 18, lines 12-20, “the security server 101 or a server hosting the sub-database of the integrated alert database 104 may update the risk score of the integrated alert based on the type of threat and then sort the integrated alerts according to the updated risk score, such that the integrated alerts may be presented on a graphical user interface (GUI) of the analyst computer 107 in order of priority as indicated by the updated relative risk scores”].  
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Comeaux et al. into the teaching of Walheim et al., Watters et al. and Ganor with the motivation to ensure that the right customer is worked by the right analyst, at the right time, to maximize fraud prevention and minimize customer impact as taught by Comeaux et al. [Comeaux et al.: abs.].





Response to Arguments

Applicant’s arguments, filed on 03/01/2021, with respect to the rejection under 35 USC § 103 have been fully considered, but the arguments are directed towards the newly added limitations. A new reference has been provided to address those limitations, and the rejection is incorporated herein.



Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20120143650 A1		METHOD AND SYSTEM OF ASSESSING AND MANAGING RISK ASSOCIATED WITH COMPROMISED NETWORK ASSETS
US 20170346846 A1		SECURITY THREAT INFORMATION GATHERING AND INCIDENT REPORTING SYSTEMS AND METHODS
US 20080262895 A1		BUSINESS RESILIENCE SYSTEMS AND METHODS
US 20170346839 A1		SIMILARITY SEARCH FOR DISCOVERING MULTIPLE VECTOR ATTACKS
US 20180137288 A1		SYSTEM AND METHOD FOR MODELING SECURITY THREATS TO PRIORITIZE THREAT REMEDIATION SCHEDULING
US 9537884 B1		Assessment of cyber threats
US 20070180490 A1		System and method for policy management
US 20180189697 A1		METHODS AND APPARATUS FOR PROCESSING THREAT METRICS TO DETERMINE A RISK OF LOSS DUE TO THE COMPROMISE OF AN ORGANIZATION ASSET
US 20110231221 A1		AUTOMATED RISK ASSESSMENT AND MANAGEMENT
US 20110252479 A1		METHOD FOR ANALYZING RISK

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/JASON CHIANG/Primary Examiner, Art Unit 2431