DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	This action is responsive to the following communication:  Original claims filed 12/19/2018.  This action is made non-final.
3.	Claims 1-20 are pending in the case.  Claims 1, 19 and 20 are independent claims.

Claim Objections 
4.	Claims 12-17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 102
5.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

6.	Claims 1-9 and 18-20 are rejected under 35 U.S.C. 102 as being anticipated by Bunker (US 20100242114).
Regarding claim 1, Bunker discloses a computer implemented method, comprising: 

receiving, via the user interface, a risk profile comprising the likelihood and/or impact for each event of a selected group of events of the plurality of pre-defined potential events (FIG. 8, wherein each field contains a risk factor for each of the potential vulnerabilities/events); 
and computing a maturity measurement for the computer system using the risk profile and a database, the database comprising information for a set of practices and relationships between practices the set of practices and events of the plurality of pre-defined potential events (FIG. 14 and FIG. 15, each risk is classified by a report which analyses said risks and provides recommendations in the form of concerns and solutions for each risk vulnerability). 
Regarding claim 19, Bunker discloses a non-transitory computer-readable storage medium comprising instructions that, when executed by a processing device, cause the processing device to: 
generate and output to an I/O device, a user interface comprising a plurality of user input fields for receiving the likelihood and/or impact of a plurality of pre-defined potential events related to a plurality of pre-defined potential vulnerabilities related to a computer system (see FIG. 8 wherein a user interface contains a plurality of fields wherein each field contains a plurality of vulnerabilities/events to a user [exposure area]);

compute a maturity measurement for the computer system using the risk profile and a database, the database comprising information for a set of practices and relationships between practices the set of practices and events of the plurality of pre-defined potential events (FIG. 14 and FIG. 15, each risk is classified by a report which analyses said risks and provides recommendations in the form of concerns and solutions for each risk vulnerability).
Regarding claim 20, Bunker discloses a computer system, comprising: a processing device; and memory in communication with the processing device and storing instructions that, when executed by the processing device, cause the processing device to: 
generate and output to an I/O device, a user interface comprising a plurality of user input fields for receiving the likelihood and/or impact of a plurality of pre-defined potential events related to a plurality of pre-defined potential vulnerabilities related to a computer system (see FIG. 8 wherein a user interface contains a plurality of fields wherein each field contains a plurality of vulnerabilities/events to a user [exposure area]);
receive, via the user interface, a risk profile comprising the likelihood and/or impact for each event of a selected group of events of the plurality of pre-defined potential events (FIG. 8, wherein each field contains a risk factor for each of the potential vulnerabilities/events); and 
compute a maturity measurement for the computer system using the risk profile and a database, the database comprising information for a set of practices and relationships between practices the set of practices and events of the plurality of pre-defined potential events (FIG. 14 
Regarding claim 2, Bunker discloses wherein the likelihood and/or impact for each event of the selected group of events is a separate element of the risk profile (FIG. 5-7, each vulnerability consists of different filtered events and/or elements that contribute to said vulnerability).
Regarding claim 3, Bunker discloses wherein receiving the likelihood and/or impact for each event of the selected group of events comprises receiving the likelihood and the impact for each event of the selected group of events (FIG. 5-7, each vulnerability consists of different filtered events and/or elements that contribute to said vulnerability, see also FIG. 4 wherein risk reports are created from reports generated from the vulnerabilities, also see FIG. 8 wherein each risk is classified in column 820).
Regarding claim 4, Bunker discloses wherein each field of the plurality of user input fields is defined by a unique risk scenario having one vulnerability of the plurality of pre-defined potential vulnerabilities and one event of the plurality of pre-defined potential events (FIG. 8 has at least one risk scenario [exposure], which describes the vulnerability in the description wherein each of the risks/vulnerabilities and risk factors and severity are displayed to the user).
Regarding claim 5, Bunker discloses wherein each field of the plurality of user input fields is defined by a unique risk scenario having one vulnerability of the plurality of pre-defined potential vulnerabilities and one event of the plurality of pre-defined potential events (FIG. 8 has at least one risk scenario [exposure], which describes the vulnerability in the description wherein each of the risks/vulnerabilities and risk factors and severity are displayed to the user). 
Regarding claim 6, Bunker discloses wherein generating and outputting the user interface comprises:
generating a graphical user interface (GUI) comprising a matrix of the user input fields, and wherein the matrix is defined by the set of pre-defined potential vulnerabilities and the set of pre-defined potential events such that each field in the matrix is defined by a unique risk scenario having one of the pre-defined potential vulnerabilities and one of the pre-defined potential events; and outputting the GUI to a display device of the I/O device (see FIG. 8 wherein each vulnerability, event, exposure, risk factor and severity are listed in a matrix type interface each having a unique scenario and pre-defined in their input fields).
Regarding claim 7, Bunker discloses wherein each event of the selected group of events of the risk profile is a unique risk scenario of one vulnerability of the plurality of pre-defined potential vulnerabilities (see at least FIG. 5 wherein there are a plurality of vulnerabilities which are filtered and organized as such and wherein each vulnerability is unique to each other).
Regarding claim 8, Bunker discloses wherein computing the maturity measurement for the computer system comprises mapping certain practices of the set of practices to the unique risk scenarios of the risk profile according to the relationships between practices the set of practices and events of the plurality of pre-defined potential events in the database (FIG. 14 and FIG. 15, each risk is classified by a report which analyses said risks and provides recommendations in the form of concerns and solutions for each risk vulnerability, see also FIG. 5 wherein each vulnerability is mapped according to the set of filters and then each risk is profiled separately).
Regarding claim 9, Bunker discloses wherein each mapped practice of the mapped certain practices is associated with a predefined maturity level in the database, and wherein computing the maturity measurement for the computer system is based on at least the predefined maturity levels of the mapped certain practices (FIG. 14 and FIG. 15, each risk is classified by a report which analyses said risks and provides recommendations in the form of concerns and solutions for each risk vulnerability, see also FIG. 5 wherein each vulnerability is mapped according to the set of filters and then each risk is profiled separately. Moreover, each risk is assessed according to the filtered subset and mapped accordingly to filtered the database, see also paragraph 0032).
Regarding claim 18, Bunker discloses wherein the computer system is a computing device or a computer network comprising at least a plurality of computing devices (see at least FIG. 3 wherein there are a plurality of computing devices that are networked).

Claim Rejections - 35 USC § 103
7.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

8.	Claims 10 and 11 are rejected under 35 U.S.C. 103(a) as being unpatentable over Bunker in view of Vervier (US 20190020674).
Regarding claim 10, Bunker does not disclose wherein computing the maturity measurement for the computer system comprises summing or averaging the predefined 
However, Vervier discloses wherein in some examples, the systems described herein may calculate a weighted average risk score for an organization by, for each feature used in the assessment, multiplying the ranking of the organization for the feature (e.g., the average number of vulnerable ports per server, the average age of unpatched vulnerabilities in weeks, and/or the average CVSS score of each server) by a predetermined weight assigned to that feature, then summing the total value for all the features and dividing that total by the size of the set of features used to arrive at an overall vulnerability score. In some embodiments, the systems described herein may create vulnerability metrics such as weighted average risk scores for the same set of servers and/or organizations at regular intervals, such as once a week, once a month, and/or once a quarter. In one embodiment, the systems described herein may combine and/or compare vulnerability metrics created at different times (paragraph 0059).
The combination of Bunker and Vervier would have resulted in the security risk interface of Bunker to incorporate Vervier’s teachings of weighing risks together.  One would have been motivated to have combined the teachings because a user in Vervier would have benefited from using further methods to weigh risk assessments as Bunker is already utilizing filters and the like to create risk profiles.  As such, it would have been obvious to have combined the references as the resulting invention would have been predictable to one of ordinary skill in the art.
Regarding claim 11, Bunker does not disclose wherein computing the maturity measurement for the computer system comprises weighting each likelihood and/or impact for each event of the selected group of events with the predefined maturity level of the certain practice mapped to the event such that the maturity measurement is a weighted summation or a weighted average of likelihoods and/or impacts of the selected group of events. 
However, Vervier discloses wherein in some examples, the systems described herein may calculate a weighted average risk score for an organization by, for each feature used in the assessment, multiplying the ranking of the organization for the feature (e.g., the average number of vulnerable ports per server, the average age of unpatched vulnerabilities in weeks, and/or the average CVSS score of each server) by a predetermined weight assigned to that feature, then summing the total value for all the features and dividing that total by the size of the set of features used to arrive at an overall vulnerability score. In some embodiments, the systems described herein may create vulnerability metrics such as weighted average risk scores for the same set of servers and/or organizations at regular intervals, such as once a week, once a month, and/or once a quarter. In one embodiment, the systems described herein may combine and/or compare vulnerability metrics created at different times (paragraph 0059).
The combination of Bunker and Vervier would have resulted in the security risk interface of Bunker to incorporate Vervier’s teachings of weighing risks together.  One would have been motivated to have combined the teachings because a user in Vervier would have benefited from using further methods to weigh risk assessments as Bunker is already utilizing filters and the like to create risk profiles.  As such, it would have been obvious to have combined the references as the resulting invention would have been predictable to one of ordinary skill in the art.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID E CHOI whose telephone number is (571)270-3780.  The examiner can normally be reached on M-F: 7-2, 7-10 (PST). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Sherief Badawi can be reached on 571-272-9782.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/DAVID E CHOI/Primary Examiner, Art Unit 2174