Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

DETAILED ACTION
This is in response to the original of July 25, 2019 and preliminary amendments of July 29, 2019.  Claims 8 and 20 have been amended.   Claims 1-23 are pending and have been considered below.

Priority
Acknowledgement is made of no claim of foreign priority.

Drawings
The drawings filed on 07/25/2019 are accepted.

Specification
The amendment to the specification filed on 07/25/2019 is accepted.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

Claims 1, 2, 4, 6-10, 12-14, 16 and 18-22 are rejected under 35 U.S.C. 103 as being unpatentable over Belfiore, JR. et al U.S. 2018/0146004 A1 in view of Murphy et al U.S. 2019/0377867 A1.
Claims 1 and 13:  Belfiore et al teaches a method for managing information technology services, and an information technology service management system, the method comprising: 
a computer system (Fig.8);
 an information technology service manager in the computer system (Fig.8 and 9), wherein the information technology service manager 
receiving, by a computer system, assessment information about a criticality and a group of security factors for an information technology service related to security in an organization (Fig.2, Fig.1 item 115, par.36, 39-40, 52, 62-63 the client technology infrastructure profile 110 can correspond to any critical technology and business objectives of the client. The critical technology can include hardware, software, data, and the like. The threat profiling module 120 determines the threat profile 125 as a function of asset criticality (e.g., determined by the asset evaluation module 105) and particular threats 122 mapped to aspects of the client technology infrastructure profile 110.  The capabilities, for example, may be relevant to the particular technology aspect/asset. Capability may be assessed based upon a variety of factors depending upon the threat actor and/or the technology asset. These factors of threat actor score are combined into a comprehensive threat actor score. The threat scores, relating to both the threat actor score and the asset criticality score, represent anticipated relative impact of a particular threat actor in relation to the particular technology asset based upon the capability (e.g., threat actor score) of the particular threat actor); 
determining, by the computer system, a current security assurance level (current level of protection) for the information technology service based on the assessment information about the group of security factors for the information technology service and performance information about a group of current security controls for the information technology service (par.41-42, the cyber control evaluation module 130 receives and evaluates the client IT infrastructure profile 135 to identify a current level of protection (also referred to as the current control performance). The client IT infrastructure profile 135 may be obtained, for example, through a series of survey questions presented to information technology representative(s) of the organization to identify IT security mechanisms presently in place, such as, in some examples, access protections, encryption mechanisms, firewalls, and other cyber protection tools applied to protect the technology infrastructure 110); 
target control performance) for the information technology service based on the assessment information about the criticality of the information technology service (par.41-44, the cyber control evaluation module 130 determines target control performance based in part upon the threat scores related to each threat identified within the threat profile 125. For example, fewer resources may be allocated to protection of low priority assets of the client technology infrastructure 110 as opposed to the high priority assets of the client technology infrastructure 110. In this manner, in addition to vulnerability assessment 140, the cyber control evaluation module 130 may identify one or more areas of cybersecurity overprotection. The organization, for example, may use areas of cybersecurity overprotection for reallocating budget assets from low priority protection to high priority protection); 
determining, by the computer system, a difference between the current security assurance level and the target security assurance level (par.45,71-75, determining a difference in score between the current control performance and the target score for a given security domain); 
comparing, by the computer system, the difference to a threshold for a desired security assurance level for protecting against an attack on the information technology service (par.45, 71-76, The vulnerability score may be calculated by determining a difference in score between the current control performance and the target score for a given security domain. For example, if the target score is higher than the current control performance for a given security domain, the current control performance may be vulnerable to a cyber-attack. Conversely, if the target score is lower than the current control performance for a given security domain, the current control performance may be receiving a greater allocation of cybersecurity protection budget than recommended. The information in the vulnerability assessment represents an aggregated score across each of the security domains as each vulnerability score relates to a specific level of preparedness within a particular cybersecurity domain in view of identified likely threats to the organization's IT infrastructure. The vulnerability assessment further represents a level of preparedness relative to business objectives of the organization, as described earlier in the development of the threat profile (e.g., the business objectives 112 and threat profile 125 described. The vulnerability assessment, for example, is supplied for review and/or as a contributor to additional analysis. In a particular example, the vulnerability assessment may be provided to the risk evaluation module 145 for use in generating the risk profile report 150, as described in relation to FIG. 1. The risk profile report 150 can provide a comprehensive review of all assessed cyber risks. The risk profile report 150 can include visualizations (e.g., graphs, charts, etc.) comparing the target evaluation to the current control evaluation, as well as visualizations regarding likely threats to various assets of the client technology infrastructure 110); and 
Belfiore et al fails to teach, however Murphy et al in the same field of endeavor teaches 
displaying, by the computer system when the difference is greater than the threshold (par.85-86), a graphical indication of a group of additional security controls that, if implemented for the information technology service, results in the difference between the current security assurance level and the target security assurance level being within the desired security assurance level for protecting against the attack on the information technology service (par.100, 129, 137, 146-147, Threat mitigation process 10 may generate 310 a security profile based at least in part, upon system-defined consolidated platform information 236. Through the use of security profile, the user/owner/operator of computing platform 60 may be able to see that e.g., they have a security score of 605 out of a possible score of 1,000, wherein the average customer has a security score of 237. While security profile 350 in shown in the example to include several indicators that may enable a user to compare (in this example) computing platform 60 to other computing platforms, this is for illustrative purposes only and is not intended to be a limitation of this disclosure, as it is understood that other configurations are possible and are considered to be within the scope of this disclosure. threat mitigation process 10 may generate 702 comparison information 750 that compares the current security-relevant capabilities of computing platform 60 to the comparative platform information determined 700 for the comparative platform to identify a threat context indicator for computing platform 60, wherein comparison information 750 may include graphical comparison information 752).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Belfiore, JR.  et al with the additional features of Murphy et al  in order to provide the ability for allowing a third-party to select a training routine for a specific attack of a computing platform, thus defining a selected training routine, as suggested by Murphy et al abstract.
Claim 12:  Belfiore et al teaches a method for managing information technology services, the method comprising: 
determining, by the computer system, a current security assurance level (current level of protection) for the information technology service based on the assessment information about the group of security factors for the information technology service and performance information about a group of current security controls for the information technology service (par.41-42, the cyber control evaluation module 130 receives and evaluates the client IT infrastructure profile 135 to identify a current level of protection (also referred to as the current control performance). The client IT infrastructure profile 135 may be obtained, for example, through a series of survey questions presented to information technology representative(s) of the organization to identify IT security mechanisms presently in place, such as, in some examples, access protections, encryption mechanisms, firewalls, and other cyber protection tools applied to protect the technology infrastructure 110.); 
determining, by the computer system, a target security assurance level (target control performance) for the information technology service based on the assessment information about the criticality of the information technology service (par.41-44, the cyber control evaluation module 130 determines target control performance based in part upon the threat scores related to each threat identified within the threat profile 125. For example, fewer resources may be allocated to protection of low priority assets of the client technology infrastructure 110 as opposed to the high priority assets of the client technology infrastructure 110. In this manner, in addition to vulnerability assessment 140, the cyber control evaluation module 130 may identify one or more areas of cybersecurity overprotection. The organization, for example, may use areas of cybersecurity overprotection for reallocating budget assets from low priority protection to high priority protection); 
par.45,71-75, determining a difference in score between the current control performance and the target score for a given security domain); 
displaying, by the computer system, a graphical representation of a difference between the current security assurance level and the target security assurance level on a display system (par.45, 71-76, The vulnerability score may be calculated by determining a difference in score between the current control performance and the target score for a given security domain. For example, if the target score is higher than the current control performance for a given security domain, the current control performance may be vulnerable to a cyber-attack. Conversely, if the target score is lower than the current control performance for a given security domain, the current control performance may be receiving a greater allocation of cybersecurity protection budget than recommended. The information in the vulnerability assessment represents an aggregated score across each of the security domains as each vulnerability score relates to a specific level of preparedness within a particular cybersecurity domain in view of identified likely threats to the organization's IT infrastructure. The vulnerability assessment further represents a level of preparedness relative to business objectives of the organization, as described earlier in the development of the threat profile (e.g., the business objectives 112 and threat profile 125 described. The vulnerability assessment, for example, is supplied for review and/or as a contributor to additional analysis. In a particular example, the vulnerability assessment may be provided to the risk evaluation module 145 for use in generating the risk profile report 150, as described in relation to FIG. 1. The risk profile report 150 can provide a comprehensive review of all assessed cyber risks. The risk profile report 150 can include visualizations (e.g., graphs, charts, etc.) comparing the target evaluation to the current control evaluation, as well as visualizations regarding likely threats to various assets of the client technology infrastructure 110); and 
Belfiore et al fails to teach, however Murphy et al in the same field of endeavor teaches 
displaying, by the computer system when the difference is greater than the threshold (par.85-86), a graphical indication of a group of additional security controls that, if implemented for the information technology service, results in the difference between the current security assurance level and the target security assurance level being within the desired security assurance level for protecting against the attack on the information technology service (par.100, 129, 137, 146-147, Threat mitigation process 10 may generate 310 a security profile based at least in part, upon system-defined consolidated platform information 236. Through the use of security profile, the user/owner/operator of computing platform 60 may be able to see that e.g., they have a security score of 605 out of a possible score of 1,000, wherein the average customer has a security score of 237. While security profile 350 in shown in the example to include several indicators that may enable a user to compare (in this example) computing platform 60 to other computing platforms, this is for illustrative purposes only and is not intended to be a limitation of this disclosure, as it is understood that other configurations are possible and are considered to be within the scope of this disclosure. threat mitigation process 10 may generate 702 comparison information 750 that compares the current security-relevant capabilities of computing platform 60 to the comparative platform information determined 700 for the comparative platform to identify a threat context indicator for computing platform 60, wherein comparison information 750 may include graphical comparison information 752).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Belfiore, JR.  et al with the additional features of Murphy et al  in order to provide the ability for allowing a third-party to select a training routine for a specific attack of a computing platform, thus defining a selected training routine, as suggested by Murphy et al abstract.
Claims 2 and 14: the combination teaches 
Belfiore et al par.45, Murhy et al, par.129-130, 137). 
The same motivation to modify Belfiore et al in view of Murhy et al applied to claims 1 and 13 above applies here.
Claims 4 and 16: the combination teaches  
wherein displaying, by the computer system when the difference is greater than the threshold, the graphical indication of the group of additional security controls that, if implemented for the information technology service, results in the difference between the current security assurance level and the target security assurance level being within the desired security assurance level for protecting against the attack on the information technology service comprises (Belfiore et al, par.70-76, Murhy et al, par.129-130): 
displaying, by the computer system when the difference is greater than the threshold, the graphical indication of the group of additional security controls that, if implemented for the information technology service, results in the difference between the current security assurance level and the target security assurance level being within the desired security assurance level for protecting against the attack on the information technology service (Belfiore et al, par.70-76, Murhy et al, par.129-130); and 
Belfiore et al, par.45, Murhy et al, par.129-130, 17-138). 
The same motivation to modify Belfiore et al in view of Murhy et al applied to claims 2 and 14 above applies here.
Claims 6 and 18: The method of claim 1 further comprising:
 determining, by the computer system, the group of additional security controls that, if implemented for the information technology service, results in the difference between the current security assurance level and the target security assurance level being within the desired security assurance level for protecting against the attack on the information technology service (Belfiore et al par.70-76, Murhy et al par.129-130). 
The same motivation to modify Belfiore et al in view of Murhy et al applied to claims 1 and 13 above applies here.
Claims 7 and 19: the combination teaches 
wherein determining, by the computer system, the group of additional security controls that, if implemented for the information technology service, results in the difference between the current security assurance level and the target security assurance level being within the desired security assurance Belfiore et al, par.70-76, Murhy et al, par.129-130). 
The same motivation to modify Belfiore et al in view of Murhy et al applied to claims 6 and 18 above applies here.
Claims 8 and 20: the combination teaches the group of current security controls comprises a software security product and wherein determining, by the computer system, the current security assurance level for the information technology service based on the assessment information about the group of security factors for the information technology service and performance information about the group of current security controls for the information technology service comprises: 
determining, by the computer system, the current security assurance level for the information technology service based on the assessment information about the group of security factors for the information technology service and performance information for the software security product for the information technology service, wherein displaying, by the Belfiore et al, par.70-76, Murhy et al, par.129-130):
 displaying, by the computer system when the difference is greater than the threshold, the graphical indication of a group of additional software security products that, if implemented for the information technology service, results in the difference between the current security assurance level and the target security assurance level being within the desired security assurance level for protecting against the attack on the information technology service (Belfiore et al, par.70-76, Murhy et al, par.129-130). 
The same motivation to modify Belfiore et al in view of Murhy et al applied to claims 1 and 13 above applies here.
Claim 9 and 21: the combination teaches 
wherein the group of security factors is selected from at least one of a confidentiality, an integrity, an availability, or a system environment (Belfiord et al, par.52). 
Claim 10 and 22: the combination teaches the method of claim 1,
Belfiore et al, par. 10, 15,34, 41). 

Claims 3 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Belfiore, JR. et al U.S. 2018/0146004 A1 in view of Murphy et al U.S. 2019/0377867 A1 in further view of O’Reilly et al U.S. 2018/0167414 A1 and Ching et al U.S. 2015/0295779 A1
Claims 3 and 15: the combination teaches  
wherein the graphical representation is selected from at least one of a, a bar graph, a line graph, or a combo chart (Murphy et al, par.138). 
The combination fails to teach, however xyz in the same field of endeavor teaches 
wherein the graphical representation is selected from at least one of a spider chart, a radar chart, a radar graph, an area graph, a histogram, a bar graph, a line graph, or a combo chart (par.87 claims 6, 16, 33). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Belfiore, JR.  et al with the additional features of O’Reilly et al  in order to provide a cybersecurity system that sums and scores one or more cybersecurity controls for O’Reilly et al abstract.
The combination fails to teach, however Ching et al in the same field of endeavor teaches 
wherein the graphical representation is selected from at least one of a spider chart, a radar chart, a radar graph, an area graph, a histogram, a bar graph, a line graph, or a combo chart (par.317). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Belfiore, JR.  et al with the additional features of Ching et al  in order to provide a system that facilitates the processing of network data, as suggested by Ching et al abstract.

Claims 5 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Belfiore, JR. et al U.S. 2018/0146004 A1 in view of Murphy et al U.S. 2019/0377867 A1 in further view of Martinez et al U.S. 2014/0137257 A1.
Claims 5 and 17: the combination fails to teach, however Martinez et al in the same field of endeavor teaches wherein displaying, by the computer system when the difference is greater than the threshold, the graphical indication of the group of additional security controls that, if implemented for the information technology service, results in the difference between the current security assurance level and 
displaying, by the computer system when the difference is greater than the threshold, the graphical indication with a group of links associated with the group of additional security controls that, if implemented for the information technology service, results in the difference between the current security assurance level and the target security assurance level being within the desired security assurance level for protecting against the attack on the information technology service, wherein the a selection of a link in the group of links initiates implementation of a security control corresponding to the link (par. 140-141, 157-15897-102). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Belfiore, JR.  et al with the additional features of Martinez et al  in order to provide the ability for assessing a risk of one or more assets within an operational technology infrastructure, as suggested by Martinez et al par.2.

Claims 11 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Belfiore, JR. et al U.S. 2018/0146004 A1 in view of Murphy et al U.S. 2019/0377867 A1 in further view of Anthony et al U.S. 2003/0137426 A1.
Claims 11 and 23: the combination fails to teach, however Anthony et al in similar field of endeavor teaches 
wherein the organization is selected from one of an airport authority, an airline, a maintenance service, an aircraft manufacturer, a government agency, a company, and a city (par.2, 5,39, 78) . 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Belfiore, JR.  et al with the additional features of Anthony et al  in order to provide the ability for monitoring and tracking in real-time or at least in near-real-time the activities and movements associated with prescribed personnel, personal property, mobile vehicles, and buildings, as suggested by Anthony et al abstract.

Conclusion
The following prior art are cited to further show the state of the art at the time of applicant’s invention.
Lyer et al U.S. 2020/0162497 A1 prioritized remediation of information security vulnerabilities based on service model aware multi-dimensional security risk scoring.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685.  The examiner can normally be reached on 6:30-3:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






Thursday, September 9, 2021
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436