DETAILED ACTION
The following is a Non-Final Office Action in response to communications filed on April 5, 2021.  Claims 1, 2, and 6–8 are amended.  Accordingly, claims 1–8 and 21 are pending.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on April 5, 2021 has been entered.
 
Response to Amendment/Argument
Applicant’s amendments are sufficient to overcome the previous objection to claims 1 and 4 for informalities.  Accordingly, the previous objection to claims 1 and 4 is withdrawn.
With respect to the previous rejection of claims under 35 U.S.C. 112(a) as failing to comply with the written description requirement, Applicant’s remarks have been fully considered and are persuasive.  As a result, the previous rejection of claims under 35 U.S.C. 112(a) is withdrawn.
Applicant’s amendments are insufficient to overcome the previous rejection of claims under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and 
Examiner acknowledges Applicant’s statement with respect to the previous rejection of claim 21 under 35 U.S.C. 112(d) as being of improper dependent form and maintains the rejection below.
Applicant’s remarks with respect to the previous rejection of claims under 35 U.S.C. 103 have been fully considered but are moot in view of the updated grounds of rejection asserted below.  

Priority
This application repeats a substantial portion of prior Application No. 15/207,395, filed July 11, 2016, and adds disclosure not presented in the prior application. Prior Application No. 15/207,395 does not, however, disclose “using the identified features/characteristics to establish a value at risk for the computer system/asset based in part on network proximity of the computer system/asset to one or more other network-accessible assets with a similar or higher value at risk”, as recited in independent claim 1.  As a result, the pending application has been afforded priority to the effective filing date of February 18, 2019.

Claim Objections
Claim 1 is objected to because of the following informalities:  
Claim 1 recites “using the identified characteristics to establish an intrinsic organizational value at risk for the computer asset based in part on network proximity of the computer asset to one or more other network-accessible assets with comparable or higher intrinsic organizational value at risk”.  Examiner recommends amending the element to recite “one or more other network-accessible assets with a comparable or higher intrinsic organizational value at risk”.
Claim 1 further recites “using the intrinsic organizational value at risk of the computer asset to prioritize allocation of information technology security controls/resources to the network accessible computer asset relative to the one or more other computer assets”.  However, claim 1 previously recites “one or more other network-accessible assets”.  In view of the above, Examiner recommends amending claim 1 to recite “using the intrinsic organizational value at risk of the computer asset to prioritize allocation of information technology security controls/resources to the network accessible computer asset relative to the one or more other network-accessible assets” in order to facilitate claim consistency.
Appropriate correction is required.

Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:



Claims 1–8 and 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claim 1 recites “[a] method for automatically determining an intrinsic organizational value at risk for a network accessible computer assert”.  Claim 1 subsequently recites “connecting to the network accessible computer asset”.  In view of the recitation of “the network accessible computer asset” in the “connecting” element, Examiner notes that the body of claim 1 utilizes the preamble to satisfy antecedent basis support.  However, despite reciting “an intrinsic organizational value at risk” in the preamble, claim 1 subsequently recites “using the identified characteristics to establish an intrinsic organizational value at risk”.  As a result, the scope of claim 1 is indefinite because it is unclear whether Applicant intends for the “intrinsic organizational value at risk” in the “using” step to reference the preamble or intends to introduce a second, different “intrinsic organizational value at risk”.  
In view of the above, Examiner recommends either amending the claim to recite “connecting to a network accessible computer asset” in order to avoid utilizing the preamble for antecedent basis support or amending the claim to recite “using the identified characteristics to establish [[an]] the intrinsic organizational value at risk”.
Claim 1 further recites “using the identified characteristics to establish an intrinsic organizational value at risk for the computer asset based in part on network proximity of the computer asset to one or more other network-accessible assets with comparable or 
Still further, claim 1 recites “using the intrinsic organizational value at risk of the computer asset to prioritize allocation of information technology security controls/resources”.  Examiner submits that the recitation of “controls/resources” renders the scope of the claim indefinite because it is unclear whether Applicant intends for the recitation to indicate “controls and resources”, “controls or resources”, or “controls and/or resources”.  For purposes of examination, the element is interpreted as reciting “controls and/or resources”.  Clarification is required.
Claims 2–8 and 21, which depend from claim 1, inherit the deficiencies described above.  As a result, claims 2–8 and 21 are similarly rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.

Claim Rejections - 35 USC § 112(d)
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:


Claim 21 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Specifically, the claim would fail the dependent claim test under MPEP 608.01(n)(III) because claim 21 does not require all of the limitations of base claim 1.  For example, claim 21 requires mere possession of a cd-rom or other computer readable medium with software and does not require performing the steps of claim 1 with the cd-rom or medium because claim 21 merely recites storing instructions to perform the method of claim 1.  Specifically, claim 21 does not require actually performing the method of claim 1.  However, one must actually perform the claimed steps in order to meet claim 1.  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1–8 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Blake et al. (U.S. 2016/0105457) in view of Lipps et al. (U.S. 2012/0053981), and in further view of Schrecker et al. (U.S. 2013/0247205) and Giakouminakis et al. (U.S. 2013/0074188).
Claims 1 and 21:  Blake discloses a method for automatically determining a value at risk for a network accessible computer system/asset for prioritization of security controls, the method comprising: 
collecting data returned from the computer asset (See paragraph 27, wherein electronic communications are received from one or more computing devices); 
analyzing the collected data using at least one of machine learning models, regular expressions, text string matching, natural language understanding, image processing, and text analysis to identify, without accessing sensitive data itself, characteristics indicating at least one of mechanisms for accessing sensitive data, mechanisms for collecting sensitive data, storage of sensitive data, presentation of sensitive data, sensitive data input mechanisms, sensitive data subjects, sensitive functionality subjects, sensitive functionality, and indicia of security features of the computer asset (See paragraphs 27-28, wherein electronic communications are parsed to identify mechanisms for circumventing security measures, which equates to accessing sensitive data and/or indicia of security features; see also paragraph 4, wherein keyword matching is disclosed and paragraphs 39-42, wherein monitored risk features/characteristics are disclosed); and
using the identified asset characteristics to establish a value at risk for the computer asset (See paragraph 32, wherein a risk rating module receives risk data and 
Lipps discloses using the value at risk of the computer asset to prioritize allocation of information technology security controls/resources to the network accessible computer asset relative to the one or more other computer assets with different security values at risk (See paragraphs 197-198, wherein controls are mapped to risks based on a risk priority score; see also claim 13, wherein controls are identified in response to risk priority).
Blake discloses a system directed to monitoring assets to identify risk.  Similarly, Lipps discloses a system directed to assessing and prioritizing risks.  Each reference discloses a system directed to risk management.  The technique of prioritizing controls is applicable to the system of Blake as they both share characteristics and capabilities, namely, they are directed to risk management.
One of ordinary skill in the art would have recognized that applying the known technique of Lipps would have yielded predictable results and resulted in an improved system.  It would have been recognized that applying the technique of Lipps to the teachings of Blake would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate risk management into similar systems.  Further, applying control priority to Blake would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow more detailed analysis and improved risk management results.  Blake and Lipps do not expressly disclose the remaining claim elements.

communicating with the computer asset using respective network protocols (See paragraphs 59 and 63, wherein sensors communicate with assets using IP address ranges); and
using the identified characteristics to establish an intrinsic organizational value at risk for the computer asset based in part on proximity of the computer asset to one or more other network-accessible assets with comparable or higher intrinsic organizational value at risk (See paragraphs 82–84, wherein a risk metric is determined for an asset from a criticality score that is derived from the business value of the asset, and wherein criticality is determined from a hierarchy of assets).
As disclosed above, Blake discloses a system directed to monitoring assets to identify risk, and Lipps discloses a system directed to assessing and prioritizing risks.  Similarly, Schrecker discloses a system directed to calculating quantitative asset risk.  Each reference discloses a system directed to risk management.  The technique of communicating with computers using network identifiers and protocols to determine an organizational value at risk is applicable to the systems of Blake and Lipps as they each share characteristics and capabilities; namely, they are directed to risk management.
One of ordinary skill in the art would have recognized that applying the known technique of Schrecker would have yielded predictable results and resulted in an improved system.  It would have been recognized that applying the technique of 
Giakouminakis discloses using the identified characteristics to establish a value at risk for the computer asset based in part on network proximity of the computer asset to one or more other network-accessible assets with comparable or higher value at risk (See paragraphs 36 and 48–51, wherein a risk value may be determined based on the proximity of the connection between the asset and other connected assets, and wherein connected assets implicitly have comparable risk values).
As disclosed above, Blake discloses a system directed to monitoring assets to identify risk, Lipps discloses a system directed to assessing and prioritizing risks, and Schrecker discloses a system directed to calculating quantitative asset risk.  Giakouminakis discloses a system directed to risk scoring vulnerabilities.  Each reference discloses a system directed to risk management.  The technique of establishing risks based on proximity is applicable to the systems of Blake, Lipps, and Schrecker as they each share characteristics and capabilities; namely, they are directed to risk management.
One of ordinary skill in the art would have recognized that applying the known technique of Giakouminakis would have yielded predictable results and resulted in an 
With respect to claim 21, Blake further discloses a computer program product comprising a computer readable medium and instructions stored in the medium that when executed by a machine cause the machine to perform steps (See paragraph 18).
Claim 2:  Although Blake discloses establishing a value at risk using identified characteristics (See citations above), Blake does not disclose the remaining elements of claim 2.
Lipps discloses wherein establishing the value at risk of the computer system/asset includes assigning a weight to each identified asset characteristic and combining the weights into an overall value at risk (See paragraph 82, wherein a risk score is determined by weighting each factor).
One of ordinary skill in the art would have recognized that applying the known technique of Lipps would have yielded predictable results and resulted in an improved system for the same reasons as stated above with respect to claim 1.  
Claim 3:  Examiner notes that claim 3 is directed to a method claim.  However, claim 3 does not include any limitations that further limit the claimed method steps.  As 
Blake discloses the method of claim 1, wherein the collected data comprises at least one of: network communications, HTTP headers, Network communication protocol headers, HTTP cookies, URLs, HTML, text, images, computer code, videos, files, data files, data, executable files, JavaScript, and configurations (See paragraph 27, wherein text information is collected).
Claim 4:  Examiner notes that claim 4 is directed to a method claim.  However, claim 4 does not include any limitations that further limit the claimed method steps.  As a result, the elements of claim 4 have been afforded limited patentable weight, and the elements have been addressed solely for purposes of compact prosecution.
Blake discloses the method of claim 1, wherein indicators of one or more of types of sensitive data directly accessible through the computer asset include at least one of: name, personal identification number (PIN), account number, birth date, physical address, email address, computer asset identifier, telephone number, social media identifier, user identifier, password, authentication credential, personal characteristics, identification numbers of personally owned assets, employment information, education information, medical information, transaction history, free form text, email messages, social media messages, and call recordings (See paragraph 27, wherein emails are indicators of sensitive data; see also paragraphs 39-40, wherein employment information is disclosed in the context of searching for a new job, and wherein user names are implicitly identified with respect to authentication levels).
Claim 5:  Examiner notes that claim 5 is directed to a method claim.  However, claim 5 does not include any limitations that further limit the claimed method steps.  As a result, the elements of claim 5 have been afforded limited patentable weight, and the elements have been addressed solely for purposes of compact prosecution.
Blake discloses the method of claim 1, wherein the collected data comprises identified indicators of one or more of types of sensitive data collected by the computer asset, including at least one of: name, personal identification number (PIN), account number, birth date, physical address, email address, computer asset identifier, telephone number, social media identifier, user identifier, password, authentication credential, personal characteristics, identification numbers of personally owned assets, employment information, education information, medical information, transaction history, free form text, email messages, social media messages, and call recordings (See paragraph 36, wherein employment information is disclosed as resume and job search indicators).
Claim 6:  Examiner notes that claim 6 is directed to a method claim.  However, claim 6 does not include any limitations that further limit the claimed method steps.  As a result, the elements of claim 6 have been afforded limited patentable weight, and the elements have been addressed solely for purposes of compact prosecution.
Blake discloses the method of claim 1, wherein the identified characteristics include indicators of security mechanisms associated with the computer asset, includes at least one of: data encryption mechanism, communications encryption mechanism, authentication mechanism, user id input field, password input field, second-factor authentication input field, captcha, security question, secure cookies, fraud monitoring 
Claim 7:  Examiner notes that claim 7 is directed to a method claim.  However, claim 7 does not include any limitations that further limit the claimed method steps.  As a result, the elements of claim 7 have been afforded limited patentable weight, and the elements have been addressed solely for purposes of compact prosecution.
Blake discloses the method of claim 1, wherein the identified characteristics include indicators of types of sensitive computer asset functionality provided, including at least one of: file transfer, email communications, chat communications, remote access, remote control, money transfer, file system, file storage, database, data storage, system administration, mobile access gateway, system configuration, content editing, E-commerce, querying data, accessing data, information access, media streaming (e.g., video, sound), and read only configuration (See paragraph 40, wherein file transfer indicators are identified).
Claim 8:  Examiner notes that claim 8 is directed to a method claim.  However, claim 8 does not include any limitations that further limit the claimed method steps.  As a result, the elements of claim 8 have been afforded limited patentable weight, and the elements have been addressed solely for purposes of compact prosecution.
Blake discloses the method of claim 1, wherein the identified characteristics include indicators of computer asset subject includes at least one of: consumer banking, commercial banking, stock trading, financial account data, personally-identifiable data, personal health record data, internal corporate data, automobiles, prescription drugs, 

Conclusion 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S BROCKINGTON III whose telephone number is (571)270-3400.  The examiner can normally be reached on M-F, 8am-5pm, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao Wu can be reached on 571-272-6045.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 





/WILLIAM S BROCKINGTON III/Primary Examiner, Art Unit 3623