DETAILED ACTION
This communication is a Fist Office Action on the merits in reply to application no. 16/513,784.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 5, 12, and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. The claims recite the limitation "the determining of physical threat”.  There is insufficient antecedent basis for this limitation in the claim.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-patentable subject matter. The claims are directed to an abstract idea without significantly more.
With respect to claims 1-20, the independent claims (claims 1, 8 and 14) are directed, in part, to a method, a computer readable medium and a system to identify and measure security information risks in a network infrastructure. Step 1 – First pursuant to step 1 in the January 2019 Guidance, claims 1-7 are directed to a method comprising a series of steps which falls under the statutory category of a process, claims 8-13 are directed to a computer readable medium which falls under the statutory category of an article of manufacture, and claims 14-20 are directed to a system which falls under the statutory category of a machine. However, these claim elements are considered to be abstract ideas because they are directed to a mental process which includes observations or evaluations.
As per Step 2A - Prong 1 of the subject matter eligibility analysis, the claims are directed, in part, to determining… a plurality of assessment variables to apply, the determination of assessment variables being based on at least a determination of whether at least one network infrastructure is vulnerable to a threat type; determining…from the plurality of assessment variables, the threat likelihood of a risk scenario, the business impact for the risk scenario, and mitigation control effectiveness of the risk scenario; determining a network infrastructure of an entity, the entity being coupled to a network infrastructure comprising one or more assets utilized by the entity collecting network infrastructure information regarding the one or more assets; calculating… threat variables for the network infrastructure based upon the one or more asset information, business impact information and mitigation control effectiveness 
As per Step 2A - Prong 2 of the subject matter eligibility analysis, this judicial exception is not integrated into a practical application. In particular, the claim recites additional element – “a processor”; “a computing system”; “network infrastructure”; “a non-transitory computer readable medium”; “a system”; “a memory”. These additional element in both steps are recited at a high-level of generality (i.e., as a generic device performing a generic computer function of receiving and storing data) such that these elements amount no more than mere instructions to apply the exception using a generic computer component. Examiner looks to Applicant’s specification in at least figures 1 and 2 and related text and [0027]; [0065-0066] to understand that the invention may be implemented in a generic environment that  “An IT system may be or include software, such as an operating system, an application or a combination of operating system and application(s). An IT system may be or include hardware, such as server(s), storage, network connections or a combination of one or more hardware elements. As will be explained in more detail later, some types of threat, such as virus, may affect software, and other types of threat, such as fire, may affect hardware and/or software. An IT system can be treated, for the purposes of assessing threats, as a combination of software and hardware.”;  “The threat assessment system 11 (FIG. 2) is implemented in software on a computer system 35 running an operating system, such as Windows, Linux or Solaris. The computer system 35 includes at least one processor 36, memory 37 and an input/output (I/O) interface 38 operatively connected by Accordingly, these additional elements do not integrate the abstract idea into a practical application because they are mere instructions to implement the abstract idea on a computer. 
As per Step 2B of the subject matter eligibility analysis, the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The additional elements are mere instructions to apply the abstract idea on a computer. When considered individually, these claim elements only contribute generic recitations of technical elements to the claims. It is readily apparent, for example, that the claim is not directed to any specific improvements of these elements and the invention is not directed to a technical improvement. When the claims are considered individually and as a whole, the additional elements noted above, appear to merely apply the abstract concept to a technical environment in a very general sense – i.e. a generic computer receives information from another generic computer, processes the information and then sends information back. In addition, when taken as an ordered combination, the ordered combination adds nothing that is not already present as when the elements are taken individually. Their collective functions merely provide generic computer implementation. Therefore, when viewed as a whole, these 
Dependent claims 2-7, 9-13, 15-20 further refine the abstract idea. These claims do not provide a meaningful linking to the judicial exception. Rather, these claims offer further descriptive limitations of elements found in the independent claims and addressed above – such as by describing the nature and content of the data that is received/sent. While these descriptive elements may provide further helpful context for the claimed invention these elements do not serve to confer subject matter eligibility to the invention since their individual and combined significance is still not significantly more than the abstract concepts at the core of the claimed invention
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. 2010/0325731 (hereinafter; Evrard) in view of US Pat. No. 10,015,186 (hereinafter; Tamir).
Regarding claims 1, 8 and 14, Evrard discloses:
A computer-implemented method within a computing system having a processor, of identifying and measuring information security risks for at least one network infrastructure of an entity, the method comprising; a non-transitory computer readable medium comprising instructions that, when executed by a processing device, cause the processing device to perform operations comprising; a system, comprising: a memory; and a processor; and a non-transitory computer readable medium, communicatively coupled with the processor, the non-transitory computer readable medium storing instructions which when executed by the processor performs a method, the method comprising: [e.g. Evrard discloses an apparatus, a method and a 
a model comprising a plurality of inputs, the inputs comprising a threat likelihood for a risk scenario, [e.g. Evrard [0029] discloses estimating a likelihood of an attach for a number of different threats.] a business impact for the risk scenario, [e.g. Evrard [0038] discloses a severity score that measures the impact of a successful threat.] 
determining, with the processor, from the plurality of assessment variables, the threat likelihood of the risk scenario, the business impact for the risk scenario, and the mitigation control effectiveness of the risk scenario; [e.g. Evrard [0029] discloses estimating likelihood of an attack, loss to the organization due to the threat (i.e. impact). [0104] discloses the risk calculator takes into account mitigating factors.]
determining a network infrastructure of an entity, the entity being coupled to a network infrastructure comprising one or more assets utilized by the entity; [e.g. Evrard discloses assessing threats to at least one computer network in which a plurality of systems operate.]
collecting network infrastructure information regarding the one or more assets; [e.g. Evrard [0005] discloses determining predicted threat activity for a plurality of systems in a computer network.]  
calculating, by the processor, threat variables for the network infrastructure based upon the one or more asset information, business impact information [e.g. Evrard [0038] discloses a severity score that measures the impact of a successful threat.]  
determining, by the processor, based on the modelling of said variables, a predicted level of damage to the assets of the network infrastructure of an entity. [e.g. Evrard discloses a severity score that may also be referred to as “damage level” that is a measure of the impact of a successful threat.]
Although Evrard discloses identifying and measuring security risks for a network infrastructure, Evrard does not specifically disclose mitigation control effectiveness based on threat type and assessment variables. However, Tamir discloses the following limitations:
and a mitigation control effectiveness for the risk scenario, [e.g. Tamir Col. 7, Lines 9-15 disclose performing remediation work to allow for more effective risk-mitigation and remediation.] the risk scenario comprising a threat type and a targetable network infrastructure; [e.g. Tamir Col. 9, Lines 18-22 disclose associating computer systems with vulnerability types.]
determining, with a processor, a plurality of assessment variables to apply, the determination of assessment variables being based on at least a determination of whether the at least one network infrastructure is vulnerable to the threat type; [e.g. Tamir Col. 6, Lines 10-33 disclose a network topology that includes vulnerabilities associated with impact scores and can also include other data. Each organization has their own weighting or confidentiality, integrity and availability, leading to an organization specific calculation.]
and mitigation control effectiveness information; [e.g. Tamir Col. 7, Lines 9-15 disclose performing remediation work to allow for more effective risk-mitigation and remediation.]

Regarding claims 2, 9 and 15, Evrard discloses:
The method according to claim 1; the non-transitory computer medium of claim 8; the system of claim 14, wherein the determining the effectiveness of mitigation control effectiveness within a network infrastructure of an entity for a security risk comprises: determining if the one or more assets within the network infrastructure of an entity are capable of operation in a safe mode; [e.g. Evrard [0104] discloses the risk calculator can adjust the downtime, by taking into account mitigating factors, such as whether the system can operate in a safe mode and whether back-up systems are available.]
determining if the network infrastructure of an entity includes redundancy capabilities for the one or more assets of the said network infrastructure of an entity; [e.g. Evrard [0104] discloses The risk calculator takes into account mitigating factors, such as whether the system can operate in a safe mode and whether back-up systems (i.e. redundancy capability) are available.]  
multiplying each adjusted downtime of each network infrastructure asset by the frequency of occurrence of the threat to obtain a value of the total downtime for the said threat for each asset variable of safe mode of operation and redundancy capability; [e.g. Evrard [0104] discloses determining downtime for a system based on expected damage level. The risk calculator multiplies each downtime by the frequency of occurrence of a successful threat to obtain a value of the total downtime. The risk calculator 19 can adjust the downtime, for example by taking into account mitigating factors, such as whether the system can operate in a safe mode and whether back-up systems (i.e. redundancy capability) are available.]  
summing the downtime of each asset within a network infrastructure to an accumulated downtime for the network infrastructure of an entity; [e.g. Evrard [0104-0105] disclose] determining downtime for a system based on expected damage level using the value of severity score. The risk calculator adds the downtime to an accumulated downtime for the system category. For each system, the risk calculator adds up downtimes of dependencies of the system categories on which the system depends.]
determining the accumulated downtime for the network infrastructure for each variable of a presence of safe mode operation and, or redundancy capability for each asset within the network infrastructure. [e.g. Evrard [0104-0105] disclose] determining downtime for a system based on expected damage level using the value of severity score. The risk calculator adds the downtime to an accumulated downtime for the system category. For each system, the risk calculator adds up downtimes of dependencies of the system categories on which the system depends. The risk calculator 19 can adjust the downtime, for example by taking into account mitigating factors, such  
Although Evrard discloses identifying and measuring security risks for a network infrastructure and assets that can operate in safe mode or using back-up systems as redundancy capabilities, Evrard does not specifically disclose adjusting severity scores. However, Tamir discloses the following limitations:
adjusting the severity score for each asset within the network infrastructure according to the variables of assets with a safe mode of operation; [e.g. Tamir Col.’ Lines disclose calculating cyber-vulnerability severities and adjusting for client specific topologies and using the adjusted severity scores to allow resources to focus on highest priority remediation tasks.]
adjusting the severity score for each network infrastructure asset according to the variables of assets with redundancy capabilities; [e.g. Tamir Col. 7, Lines 9-15 disclose calculating cyber-vulnerability severities and adjusting for client specific topologies and using the adjusted severity scores to allow resources to focus on highest priority remediation tasks.]
It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the system for measuring security risks of Evrard with the adjusted vulnerability severity scores of Tamir in order to better prioritize remediation work and allow limited resources to focus on highest priority remediation tasks (Tamir Col. 7, Lines 13-15) because the references are analogous since they both fall within Applicant's field of endeavor and are reasonably pertinent to the problem with which Applicant is concerned.  

The method of claim 1; the non-transitory medium of claim 8; the system of claim 14, wherein the determining of business impact for a risk scenario further comprises: summing predicted downtimes of each of the assets upon which the network infrastructure depends for operation to determine a duration for a single asset non- availability; [e.g. Evrard [0104-0105] disclose] determining downtime for a system based on expected damage level using the value of severity score. The risk calculator adds the downtime to an accumulated downtime for the system category. For each system, the risk calculator adds up downtimes of dependencies of the system categories on which the system depends.]
multiplying the duration for which an asset within the network infrastructure is unavailable to quantify the loss of availability of the network infrastructure of an entity. [e.g. Evrard [0104] discloses determining downtime for a system based on expected damage level. The risk calculator multiplies each downtime by the frequency of occurrence of a successful threat to obtain a value of the total downtime.]  
Regarding claims 4, 11 and 17, Evrard discloses:
The method of claim 1; the non-transitory medium of claim 8; the system of claim 14, wherein the determining of threat likelihood for a risk scenario further comprises: receiving global threat data and identifying threats using a database of known threats with identifying data for each threat; 
receiving data specifying the frequency of occurrence for each threat; [e.g. Evrard [0084] discloses obtaining number of viruses (i.e. threats) seen by a target in a period.]
receiving data specifying the target of each threat; [e.g. Evrard [0084] discloses obtaining number of viruses (i.e. threats) seen by a target in a period.]
receiving global threat data specifying the activity level for each specified threat for a specified period to a present period; [e.g. Evrard [0084] discloses obtaining the number of viruses seen by a target in a period from the threat analyzer running an intrusion detection program. The number of new viruses worldwide in a period is obtained from a virus (or other malicious software) information gathering organization, such as The Wildlist Organization (www.wildlist.org). The period, p, may be, for example, one week or four weeks.]
extrapolating data specifying type of threats for a risk scenario to predict future activity levels for each specified threat with a specified asset target. [e.g. Evrard [0046] discloses extrapolating future event frequency and producing a profile of predicted threat activity.]
Regarding claims 5, 12 and 18, Evrard discloses:
The method of claim 1; the non-transitory medium of claim 8; the system of claim 14, wherein the determining of physical threat likelihood for a network infrastructure of an entity for a risk scenario comprises: defining the assets within a network infrastructure according to their physical location; 
defining the types of physical threats that may impact upon the correct operation of the assets within the network infrastructure; [e.g. Evrard [0039] discloses physical location may be used to identify threats to some types of threat, such as fire, flooding, terrorism, power loss and so on.]
receiving user inputs to provide the expected number of disabling physical threats for an asset, with a given time window having a start and an end. [e.g. Evrard [0039] discloses a temporal profile that is used to describe frequency of occurrence of a threat because loss caused by system downtime may vary according to the time and the temporal profile may be visible to and/or editable by a user for some types of threat, such as physical threats.] 
Regarding claims 6, 13 and 19, Evrard discloses:
The method of claim1; the non-transitory medium of claim 8; the system of claim 14, wherein a report, including information for increasing the likelihood of detection of a threat, for the determination of the at least one network infrastructure of the vulnerabilities for each risk scenario is generated. [e.g. Evrard [0029] discloses the threat assessment system operates an activity predictor, periodically, that connects to the threat database and observes the threat profile and produces a new predicted activity. Then a snapshot of the threat profile is taken and a report is produced.] 

The method of claim 2; the system of claim 15, wherein mitigation control corresponds to a software or hardware change to the one or more assets of the network infrastructure that are associated with the commencement of a safe mode of operation and, or a redundancy function. [e.g. Tamir Col. 8, Lines 8-13 disclose the job of remediation can be initiated by a change, problem or incident and may be handled by the appropriate entity and the IT department might handle computer/system issues (i.e. hardware/software change).] 
It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the system for measuring security risks of Evrard with the remediation jobs of Tamir in order to better prioritize remediation work and allow limited resources to focus on highest priority remediation tasks (Tamir Col. 7, Lines 13-15) because the references are analogous since they both fall within Applicant's field of endeavor and are reasonably pertinent to the problem with which Applicant is concerned.  
Conclusion
The following prior art is made of record because it is relevant to the claims but it is not relied upon:
US 2016/0063628 (Kreider et al.)
US 2017/0220801 (Stockdale et al.)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FRANCIS Z SANTIAGO-MERCED whose telephone number is (571)270-5562.  The examiner can normally be reached on M-F 7am-4:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian M. Epstein can be reached on (571) 270-5389.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/FRANCIS Z. SANTIAGO MERCED/Examiner, Art Unit 3683                                                                                                                                                                                                        
/BRIAN M EPSTEIN/Supervisory Patent Examiner, Art Unit 3683