DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
Election/Restrictions
Applicant’s election without traverse of Group I (claims 1-6) in the reply filed on 04/26/2021 is acknowledged. The Applicant has added new system claims 29-34. Claims 7-28 have been cancelled.

Election by Original Presentation
Newly submitted claims 23-34 are directed to an invention that is independent or distinct from the invention originally claimed for the following reasons: The original claims set forth a method provided in Figure 18, which shows a flowchart of an example synthesis method. Claims 23-28 set forth a computer program product embodied in a computer readable storage medium provided in memory (115). Claims 29-34 set forth a system providing one or more processors.
Since applicant has received an action on the merits for the originally presented invention (i.e., the processor or method), this invention has been constructively elected by original presentation for prosecution on the merits. Accordingly, claims 23-34 are withdrawn from consideration as being directed to a non-elected invention. See 37 CFR 1.142(b) and MPEP § 821.03.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/07/2021 and 04/14/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.




Response to Arguments

The following issues remain within the application and are presented to be examined upon their merits.

Examiner’s Comments
Intended Use
MPEP 2103 I C

Claim 1 recites, “a method, comprising: for each of a plurality of entities in a portfolio, receiving entity data that is indicative of entity attributes; 
determining that the received entity data for at least some of the plurality of entities is missing a portion of the entity data that is required to assess likelihood of cyber security failure; 
determining substitute entity data for the missing portion of the entity data; 
comparing a combination of the received entity data and the substitute entity data for the missing portion of the entity data for each of the plurality of entities to each other; 
using a computer agent configured to utilize the combination of the received entity data and the substitute entity data, 
assessing a likelihood of a cyber security failure in a computer network of an entity of the plurality of entities, wherein the cyber security failure comprises at least one of a cyber attack and a privacy incident, and wherein the assessing of the likelihood of the cyber security failure in the computer network of the entity comprises: 
generating a disaster scenario that comprises elements of a disaster event;
 modeling the disaster scenario against a profile of the entity; and determining, based at least in part on the modeling, a potential amount of damage caused by the security failure; and based at least in part on the assessing of the likelihood of the cyber security failure in the computer network of the entity, 
determining a set of computer network changes to reduce the likelihood of the cyber security failure in the computer network of the entity.”
Claim 2 recites, “wherein determining the substitute entity data comprises: comparing the plurality of entities of the portfolio that is missing a portion of the entity data to entities with complete entity data, and generating a synthesized portfolio, the generating comprising: selecting the entities with complete entity data to replace the plurality of entities that is missing a portion of the entity data based on the comparison, and wherein the entities with complete entity data are within additional portfolios that are similar in entity composition to the synthesized portfolio.”
Claim 3 recites, “further comprising substituting entity data, from the selected entities having the complete entity data, for the portion of the entity data that is missing, such that a likelihood of a cyber security failure for the synthesized portfolio mimics a likelihood of a cyber security failure of other similar portfolios.”
Claim 4 recites, “further comprising based on the synthesized portfolio, generating another synthesized portfolio and calculating a diversity score.”
Claim 5 recites, “further comprising creating a range of diversity scores using a set of resynthesized portfolios.”
Claim 6 recites, “further comprising automatically recommending, based on the assessed likelihood of cyber security failure, at least some of the determined set of computer network changes to reduce the assessed likelihood of the cyber security failure to mitigate the potential amount of damage.”

“Language that suggests or makes a feature or step optional but does not require that feature steps does not limit the scope of a claim under the broadest reasonable claim interpretation. The following types of claim language may raise a question as to its limiting effect: (A) statements of intended use or field of use, including statements of purpose or intended use in the preamble, (B) “adapted to” or “adapted for” clauses, (C) “wherein” or “whereby” clauses, (D) contingent limitations, (E) printed matter, or (F) terms with associated functional language.”[MPEP 2103 I C]



Functional Language
MPEP 2114

Claim 1 recites, “…using a computer configured to utilize

“The recitation of the functional limitation of the claimed invention does not serve to differentiate the claims from the prior art. If a prior structure is the same as the claimed structure as described in the Applicant’s specification, then the functional language will not differentiate the claims over the prior art.” [MPEP 2114]

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-6 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

“In Ipsis Verbis”
MPEP 2163.03 V

According to the specification, “[0002]   Various embodiments of the present technology include a method wherein for each of a plurality of entities in a portfolio, receiving entity data that is indicative of attributes of an entity. The method may further include determining that the received entity data for at least some of the plurality of entities is missing a portion of the entity data that is required to perform a cyber risk analysis; synthesizing the missing portion of the entity data; comparing a combination of the received entity data and synthesized missing portion of the entity data for each of the plurality of entities to each other; assessing risk of an entity of the plurality of entities, using a computer agent configured to utilize the combination of the received entity data and the synthesized missing portion of the entity data, wherein the assessing of risk comprises: (i) generating a disaster scenario that comprises elements of a disaster event; (ii) modeling the disaster scenario against a profile of the entity; and (iii) determining theoretical damage based on the modeling;” [as set forth in claim 1]

“An original claim may lack written description support when (1) the claim defines the invention in functional language specifying a desired result but the disclosure fails to sufficiently identify how the function is performed or the result is achieved or (2) a broad genus claim is presented but the disclosure only describes a narrow species with no evidence that the genus is contemplated. The written description requirement is not necessarily met when the claim language appears in ipsis verbis in the specification. ‘Even if a claim is supported by the specification, the language of the specification, to the extent possible, must describe the claimed invention so that one of ordinary skill in the art can recognize what is claimed.’” [MPEP 2163.03 V]

Lack of Algorithm
MPEP 2161.01 I

Claim 1 recites, “…generating a disaster scenario that comprises elements of a disaster event…”
	According to the specification, “[00208]  In some embodiments, the method 1800 can involve the assessment of cyber risk using a disaster scenario modeling sub-method. This can include a step 1825 of assessing risk of an entity of the plurality of entities using a computer agent configured to utilize the combination of the received entity data and the synthesized missing portion of the entity data. In some embodiments, the assessing of risk comprises at least a step 1830 of generating a disaster scenario that comprises elements of a disaster event, a step 1835 of modeling the disaster scenario against a profile of the entity, and also a step 1840 of determining theoretical damage based on the modeling.”
	The specification describes that assessing risk entails generating a disaster scenario but does not provide an algorithm or steps that are taken to generate a disaster scenario that particularly comprises elements of the disaster event. Therefore the specification lacks written description as it does not define the operation of generating a disaster scenario in that the specification does not sufficiently describe how the function is performed or the result of generating a disaster scenario is achieved [see MPEP 2161.01 I].

“In other words, the algorithm or steps/procedure taken to perform the function must be described with sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed.” MPEP 2161.01 I



The Claim is broader than the Specification
LizardTech
(e.g., a method claim that does not say what structure performs each step)

Claim 1 recites, “…receiving entity data that is indicative of entity attributes; 
determining that the received entity data for at least some of the plurality of entities is missing a portion of the entity data that is required to assess likelihood of cyber security failure; 
determining substitute entity data for the missing portion of the entity data; 
comparing a combination of the received entity data and the substitute entity data for the missing portion of the entity data for each of the plurality of entities to each other;”

The claim is broader than the specification. The claim is silent to what is receiving the entity data.  
According to the specification, 
“[¶0065]   FIG. 2 is a flowchart of an example method 200 that is executed by the system (e.g. system 105), in accordance with the present technology. The method 200 includes the system 105 (for each of a plurality of entities), receiving 205 a set of variables that are indicative of attributes of an entity. These variables can include any number or type of variables that represent the attributes of the entity. [¶0066]   These variables are collected for numerous entities that may belong, in some embodiments, to a particular class or group. For example, the entities could include all employees in a company, all insured customers of an insurance agency, investors in a mutual fund, or other groups.” 

Therefore the operation of receiving is performed by the diversity analysis system (105), which comprises a server or cloud-based computing device (FIG. 2)(105). This limitation is thus a sweeping generalization which would entitle the applicant to more than what the applicant had possession over (see LizardTech, Inc., v. Earth Res. Mapping, Inc., 424 F.3d 1336, 1343-46, 76 USPQ2d 1724, 1730-33 (Fed. Cir. 2005)).

In regards to claim language of, “determining that the received entity data for at least some of the plurality of entities is missing a portion of the entity data that is required to assess likelihood of cyber security failure…” 
According to the specification, 
“[0031]   FIG. 1 is a high level schematic diagram of a computing architecture (hereinafter architecture 100) of the present technology. The architecture 100 comprises a diversity analysis system 105 (hereinafter also referred to as system 105), which in some embodiments comprises a server or cloud-based computing device configured specifically to perform any of the methods described herein. 
[00176] Referring collectively to FIGs. 16 and 17 that illustrate and disclose methods and systems for exemplary synthetic portfolio analyses. These methods and systems can allow for diversity analyses determinations (as well as related processes) when entity data is incomplete or unavailable. In various embodiments, these determinations are associated with what is referred to as synthetic portfolios. When entity data is complete or nearly complete for each entity within a cyber risk group (as disclosed above), the systems and methods herein can be used for a direct diversity analysis. For example, when considering the cyber risk of a pool of 100 entities (such as 100 companies) and data is readily obtainable for all of these entities, cyber risk is readily calculable and diversity analysis can be performed. 
[00177]  When relevant cyber risk data is missing for a portion of the entities and/or relevant cyber risk data is incomplete for one or more of the entities, the following methods can be used to synthesize relevant data used to fill in the gaps when performing a cyber risk data analysis. In one embodiment, it is assumed that, in a given cyber risk portfolio, a known number of entities has a sufficient amount of entity data to perform a cyber risk analysis, although the portfolio is missing additional entity data for a subset of entities in the cyber risk portfolio. Entity data for these entities with missing data can be inferred/substituted from other similar cyber risk portfolios having similar entities. The entities selected from other cyber risk portfolios can be based on a known diversity within the cyber risk portfolio.”

	Thus the operation of “determining that the received entity data for at least some of the plurality of entities is missing a portion of the entity data…” in light of the disclosure is performed by the diversity analysis system (105), which comprises a server or cloud-based computing device that performs the diversity analyses. Thus, this limitation is also a sweeping generalization which would entitle the applicant to more than what the applicant had possession over (see LizardTech, Inc., v. Earth Res. Mapping, Inc., 424 F.3d 1336, 1343-46, 76 USPQ2d 1724, 1730-33 (Fed. Cir. 2005)).

In regards to the claim language of, “determining substitute entity data for the missing portion of the entity data…” 
	According to the specification,
“…[00177]  When relevant cyber risk data is missing for a portion of the entities and/or relevant cyber risk data is incomplete for one or more of the entities, the following methods can be used to synthesize relevant data used to fill in the gaps when performing a cyber risk data analysis. In one embodiment, it is assumed that, in a given cyber risk portfolio, a known number of entities has a sufficient amount of entity data to perform a cyber risk analysis, although the portfolio is missing additional entity data for a subset of entities in the cyber risk portfolio. Entity data for these entities with missing data can be inferred/substituted from other similar cyber risk portfolios having similar entities.”

Thus the operation of “determining substitute entity data for the missing portion of the entity data…” in light of the disclosure is performed by the diversity analysis system (105), which comprises a server or cloud-based computing device that performs the diversity analyses. Thus, this limitation is also a sweeping generalization which would entitle the applicant to more than what the applicant had possession over (see LizardTech, Inc., v. Earth Res. Mapping, Inc., 424 F.3d 1336, 1343-46, 76 USPQ2d 1724, 1730-33 (Fed. Cir. 2005)).

In regards to the claim language of, “comparing a combination of the received entity data and the substitute entity data for the missing portion of the entity data for each of the plurality of entities to each other;”
According to the specification, 
“[0063]   The system 105 can also build an entity portfolio for an end user with knowledge gained from an analysis of variables for a plurality of entities. For instance, the system 105 can create a report that informs the end user as to how many and what type of entities a portfolio should have to be balanced in terms of diversity, (e.g., with respect to cyber risk.) For example, the report may indicate that an insurer should have a certain percentage of clients in the banking sector, a certain percentage in the technology sector, and a certain percentage in the medial industry. These sectors of the portfolio are deduced by comparing variables for various entities in a given industry that lead to a suitable diversity score.
[0067]   Next the method 200 includes the system 105 comparing 210 the sets of variables for the plurality of entities to each other, and locating 215 clusters of similar variables shared between two or more of the plurality of entities.”

Thus the operation of “comparing a combination of the received entity data and the substitute entity data for the missing portion of the entity data for each of the plurality of entities to each other;” in light of the disclosure is performed by the diversity analysis system (105), which comprises a server or cloud-based computing device that performs the diversity analyses. Thus, this limitation is also a sweeping generalization which would entitle the applicant to more than what the applicant had possession over (see LizardTech, Inc., v. Earth Res. Mapping, Inc., 424 F.3d 1336, 1343-46, 76 USPQ2d 1724, 1730-33 (Fed. Cir. 2005)).

Dependent claims 2-6 inherit the same deficiency and are rejected for the same reason.

“The Federal Circuit has explained that a specification cannot always support expansive claim language and satisfy the requirements of 35 U.S.C. 112 ‘merely by clearly describing one embodiment of the thing claimed.’ LizardTech v. Earth Resource Mapping, Inc., 424 F.3d 1336, 1346, 76 USPQ2d 1731, 1733 (Fed. Cir. 2005). The issue is whether a person skilled in the art would understand applicant to have invented, and been in possession of, the invention as broadly claimed. In LizardTech, claims to a generic method of making a seamless discrete wavelet transformation (DWT) were held invalid under 35 U.S.C. 112, first paragraph, because the specification taught only one particular method for making a seamless DWT and there was no evidence that the specification contemplated a more generic method. ‘[T]he description of one method for creating a seamless DWT does not entitle the inventor . . . to claim any and all means for achieving that objective.’ LizardTech, 424 F.3d at 1346, 76 USPQ2d at 1733.” MPEP 2161.01 I


The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-6 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Lack of Antecedent Basis
MPEP 2173.05(e)

Claim 1 recites, “…the security failure…” There is insufficient antecedent basis for this limitation in the claim.

“A claim is indefinite when it contains words or phrases whose meaning is unclear. In re Packard, 751 F.3d 1307, 1314, 110 USPQ2d 1785, 1789 (Fed. Cir. 2014). The lack of clarity could arise where a claim refers to "said lever" or "the lever," where the claim contains no earlier recitation or limitation of a lever and where it would be unclear as to what element the limitation was making reference.” MPEP 2173.05(e)





Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-6 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by MARTINEZ et al (US 2014/0137257).
Claim 1: MARTINEZ discloses a method [0008], comprising: for each of a plurality of entities in a portfolio, 
receiving entity data that is indicative of entity attributes [¶0009-lines 11-20], [0010, lines ; 
determining that the received entity data for at least some of the plurality of entities is missing a portion of the entity data that is required to assess likelihood of cyber security failure; [0129-lines 12-16]
determining substitute entity data for the missing portion of the entity data; [0129-lines 12-16]
comparing a combination of the received entity data and the substitute entity data for the missing portion of the entity data for each of the plurality of entities to each other; [0192-0193]
using a computer agent configured to utilize the combination of the received entity data and the substitute entity data, [0259]
assessing a likelihood of a cyber security failure in a computer network of an entity of the plurality of entities, wherein the cyber security failure comprises at least one of a cyber attack and a privacy incident [0009], and wherein the assessing of the likelihood of the cyber security failure in the computer network of the entity comprises: 
generating a disaster scenario that comprises elements of a disaster event;[0096]
 modeling the disaster scenario against a profile of the entity [0049], [0141]; and 
determining, based at least in part on the modeling, a potential amount of damage caused by the security failure;
 and based at least in part on the assessing of the likelihood of the cyber security failure in the computer network of the entity, 

Claim 2 recites, “wherein determining the substitute entity data comprises: comparing the plurality of entities of the portfolio that is missing a portion of the entity data to entities with complete entity data, and generating a synthesized portfolio, the generating comprising: selecting the entities with complete entity data to replace the plurality of entities that is missing a portion of the entity data based on the comparison, and wherein the entities with complete entity data are within additional portfolios that are similar in entity composition to the synthesized portfolio.” (FIG. 10)(1004)(1006) [0130]
Claim 3 recites, “further comprising substituting entity data, from the selected entities having the complete entity data, for the portion of the entity data that is missing, such that a likelihood of a cyber security failure for the synthesized portfolio mimics a likelihood of a cyber security failure of other similar portfolios.” [0130]
Claim 4 recites, “further comprising based on the synthesized portfolio, generating another synthesized portfolio and calculating a diversity score.” [0129-lines 12-16]
Claim 5 recites, “further comprising creating a range of diversity scores using a set of resynthesized portfolios.” [260, lines 6-11]
Claim 6 recites, further comprising automatically recommending, based on the assessed likelihood of cyber security failure, at least some of the determined set of computer network changes to reduce the assessed likelihood of the cyber security failure to mitigate the potential amount of damage [0058], [0134], [0140].

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL S FELTEN whose telephone number is (571)272-6742.  The examiner can normally be reached on Flex.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Calvin L Hewitt can be reached on 5712726709.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DANIEL S FELTEN/               Primary Examiner, Art Unit 3692