DETAILED ACTION
The following is responsive to Applicant’s Response on October 21, 2021 and telephonic communications with Applicant’s Representative conducted on November 5, 2021.  With respect to Applicant’s Response, claims 1–3, 5, 7–9, 11–13, 15, and 17–20 are amended.  With respect to the telephonic communications, Applicant’s Representative approved, by way of the following Examiner’s Amendment, amendments to claims 1, 8, 11, and 20.  Accordingly, claims 1–20 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Christopher Maier on November 5, 2021.

In the Claims:  

1. (Currently Amended) A computer-implemented method of identifying and mitigating information security implicit risks for at least one information system, the method comprising: 
selecting a model for identifying a quantitative residual risk of a risk scenario, wherein the model comprises a plurality of inputs, the plurality of inputs comprising a 
performing, with a processor, a plurality of assessment activities on the at least one information system based on the model and based on at least one anticipated vulnerability of the at least one information system, and determining, with the processor, from the plurality of assessment activities, the threat likelihood of the risk scenario, the business impact of the risk scenario, and the control effectiveness of the risk scenario; 
generating, with the processor, from the model, the quantitative residual risk of the risk scenario; 
generating a residual risk report, wherein generating the residual risk report comprises generating and displaying an implicit risk summary and, following generating and displaying the implicit risk summary, generating and displaying a residual risk summary, the implicit risk summary comprising a combination of threat likelihood data including the threat likelihood of the risk scenario for the at least one information system and business impact data including the business impact of the risk scenario for the at least one information system, the residual risk summary comprising a control effectiveness summary including the control effectiveness of the risk scenario for the at least one information system; 
wherein the implicit risk summary further comprises a plurality of possible controls and a ranking of the plurality of possible controls based on an impact of each of the possible controls on an aggregate control effectiveness score; and 

receiving, from an operator of the at least one information system, via a user interface, an alteration to a set of implemented controls comprising at least one of adding a control or removing the control; 
simulating a simulated effect of the control on an expected loss value, and comparing the simulated effect of the control on the expected loss value to the cost of generating the control; 
outputting a simulation result to the operator based on the simulated effect of the control; and 
modifying the at least one information system by making at least one adjustment to implement an unimplemented control.

8. (Currently Amended) The method of claim [[6]]7, further comprising generating a defined availability probability curve for a duration of the loss of availability of the at least one information system, and generating a range of expected loss values based on the defined availability probability curve.

11. (Currently Amended) A computer program product embodied on a non-transitory computer-readable medium, comprising code executable by a computer having a 
selecting a model for identifying a quantitative residual risk of the risk scenario, wherein the model comprises a plurality of inputs, the plurality of inputs comprising a threat likelihood of the risk scenario, a business impact of the risk scenario, and a control effectiveness of the risk scenario, the risk scenario comprising a threat type and a targetable system; 
performing, with the processor, a plurality of assessment activities on the at least one information system based on the model and based on at least one anticipated vulnerability of the at least one information system, and determining, with the processor, from the plurality of assessment activities, the threat likelihood of the risk scenario, the business impact of the risk scenario, and the control effectiveness of the risk scenario; 
generating, with the processor, from the model, the quantitative residual risk of the risk scenario; 
generating a residual risk report, wherein generating the residual risk report comprises generating and displaying an implicit risk summary and, following generating and displaying the implicit risk summary, generating and displaying a residual risk summary, the implicit risk summary comprising a combination of threat likelihood data including the threat likelihood of the risk scenario for the at least one information system and business impact data including the business impact of the risk scenario for the at least one information system, the residual risk summary comprising a control effectiveness summary including the control effectiveness of the risk scenario for the at least one information system; 

wherein the residual risk summary further comprises a plurality of unimplemented controls different from the plurality of possible controls and a ranking of the plurality of unimplemented controls based on the impact of each of the unimplemented controls on the aggregate control effectiveness score; 
receiving, from an operator of the at least one information system, via a user interface, an alteration to a set of implemented controls comprising at least one of adding a control or removing the control; 
simulating a simulated effect of the control on an expected loss value, and comparing the simulated effect of the control on the expected loss value to the cost of generating the control; 
outputting a simulation result to the operator based on the simulated effect of the control; and 
modifying the at least one information system by making at least one adjustment to implement an unimplemented control.

20. (Currently Amended) An information system configured to identify and mitigate information security implicit risks experienced by the information system, the information system comprising a processor and a memory and configured to perform the steps of: 
selecting a model for identifying a quantitative residual risk of [[the]] a risk scenario, wherein the model comprises a plurality of inputs, the plurality of inputs 
performing, with the processor, a plurality of assessment activities on the information system based on the model and based on at least one anticipated vulnerability of the information system, and determining, with the processor, from the plurality of assessment activities, the threat likelihood of the risk scenario, the business impact of the risk scenario, and the control effectiveness of the risk scenario; 
generating, with the processor, from the model, the quantitative residual risk of the risk scenario; 
generating a residual risk report, wherein generating the residual risk report comprises generating and displaying an implicit risk summary and, following generating and displaying the implicit risk summary, generating and displaying a residual risk summary, the implicit risk summary comprising a combination of threat likelihood data including the threat likelihood of the risk scenario for the information system and business impact data including the business impact of the risk scenario for the information system, the residual risk summary comprising a control effectiveness summary including the control effectiveness of the risk scenario for the information system; 
wherein the implicit risk summary further comprises a plurality of possible controls and a ranking of the plurality of possible controls based on an impact of each of the possible controls on an aggregate control effectiveness score; and 

receiving, from an operator of the information system, via a user interface, an alteration to a set of implemented controls comprising at least one of adding a control or removing the control; 
simulating a simulated effect of the control on an expected loss value, and comparing the simulated effect of the control on the expected loss value to the cost of generating the control; 
outputting a simulation result to the operator based on the simulated effect of the control; and 
modifying the information system by making at least one adjustment to implement an unimplemented control.
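The model, ranking and simulation steps recited in claims 1, 11 and 20 above, as an added illustrative implementation that is not part of the application, the Examiner's Amendment or any prior art of record. The claims fix no formula, so every numeric rule here is an assumption chosen for illustration: expected loss is taken as threat likelihood times business impact, implemented controls are combined as 1 − Π(1 − e_i) to give the aggregate control effectiveness score, the residual risk is the implicit risk scaled by (1 − aggregate score), and the control names, effectiveness values and costs are constructed sample data.

```python
"""Illustrative quantitative residual-risk model (added example, not the applicant's code).

Assumed rules: implicit risk = likelihood x impact; aggregate control
effectiveness = 1 - prod(1 - e_i); residual risk = implicit x (1 - aggregate).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # fraction of loss the control prevents, 0..1 (assumed scale)
    cost: float           # annualised cost of operating the control (constructed)


@dataclass(frozen=True)
class RiskScenario:
    threat_type: str
    targetable_system: str
    threat_likelihood: float  # probability of occurrence per year (assumed unit)
    business_impact: float    # loss if the scenario occurs, in currency units


def aggregate_control_effectiveness(controls):
    """Aggregate control effectiveness score under the assumed 1 - prod(1 - e_i) rule."""
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.effectiveness
    return 1.0 - remaining


def implicit_risk(scenario):
    """Expected annual loss before any control is credited (implicit risk)."""
    return scenario.threat_likelihood * scenario.business_impact


def residual_risk(scenario, implemented):
    """Quantitative residual risk: implicit risk reduced by the aggregate score."""
    return implicit_risk(scenario) * (1.0 - aggregate_control_effectiveness(implemented))


def rank_controls(candidates, implemented):
    """Rank candidate controls by their impact on the aggregate effectiveness score."""
    base = aggregate_control_effectiveness(implemented)
    scored = []
    for c in candidates:
        if c in implemented:
            continue  # already credited; adding it again changes nothing
        delta = aggregate_control_effectiveness(list(implemented) + [c]) - base
        scored.append((c.name, round(delta, 6)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


def simulate_alteration(scenario, implemented, control, action):
    """Simulate adding or removing one control; compare the loss change to its cost."""
    before = residual_risk(scenario, implemented)
    if action == "add":
        after_set = list(implemented) + [control]
        cost_delta = control.cost           # money spent to run the control
    elif action == "remove":
        after_set = [c for c in implemented if c != control]
        cost_delta = -control.cost          # money recovered by retiring it
    else:
        raise ValueError("action must be 'add' or 'remove'")
    after = residual_risk(scenario, after_set)
    loss_reduction = before - after
    net = round(loss_reduction - cost_delta, 2)
    return {
        "action": action,
        "control": control.name,
        "expected_loss_before": round(before, 2),
        "expected_loss_after": round(after, 2),
        "loss_reduction": round(loss_reduction, 2),
        "cost": round(cost_delta, 2),
        "net_benefit": net,
        "worthwhile": net > 0,
    }


def residual_risk_report(scenario, implemented, possible, unimplemented):
    """Implicit risk summary first, then the residual risk summary (the order the claims recite)."""
    return {
        "implicit_risk_summary": {
            "threat_likelihood": scenario.threat_likelihood,
            "business_impact": scenario.business_impact,
            "implicit_risk": round(implicit_risk(scenario), 2),
            "ranked_possible_controls": rank_controls(possible, implemented),
        },
        "residual_risk_summary": {
            "aggregate_control_effectiveness": round(aggregate_control_effectiveness(implemented), 6),
            "residual_risk": round(residual_risk(scenario, implemented), 2),
            "ranked_unimplemented_controls": rank_controls(unimplemented, implemented),
        },
    }


# Constructed sample data; none of these figures come from the application.
SCENARIO = RiskScenario("ransomware", "file-server", 0.2, 500_000.0)
BACKUPS = Control("offline backups", 0.5, 20_000.0)
EDR = Control("endpoint detection and response", 0.6, 30_000.0)
MFA = Control("multi-factor authentication", 0.5, 15_000.0)
SEGMENTATION = Control("network segmentation", 0.75, 25_000.0)
MAIL_FILTER = Control("e-mail filtering", 0.6, 4_000.0)
IMPLEMENTED = [BACKUPS, EDR]
POSSIBLE = [BACKUPS, EDR, MFA]               # the catalogue of possible controls
UNIMPLEMENTED = [SEGMENTATION, MAIL_FILTER]  # a set different from the possible controls

if __name__ == "__main__":
    import json
    print(json.dumps(residual_risk_report(SCENARIO, IMPLEMENTED, POSSIBLE, UNIMPLEMENTED), indent=2))
    print(simulate_alteration(SCENARIO, IMPLEMENTED, MAIL_FILTER, "add"))
```

With the sample data the report shows the implicit risk (100,000), the aggregate score of the two implemented controls (0.8) and the residual risk (20,000); network segmentation ranks above e-mail filtering on aggregate-score impact, yet the simulation marks only the cheaper e-mail filter as worth its cost, which is the distinction between the ranking step and the cost comparison step in the claims.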

REASONS FOR ALLOWANCE
Claims 1–20 are allowed.
The following is an examiner’s statement of reasons for allowance:
Applicant’s Response is sufficient to overcome the previous objection to claims 1, 2, 11, 12, and 20 for informalities.  Accordingly, the previous objection is withdrawn.
Applicant’s Response, in combination with the Examiner’s Amendment presented above, is sufficient to overcome the previous rejection of claims 1–20 under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the 
When considered in view of the remaining claim elements, the prior art of record, either alone or in any combination, does not disclose “generating a residual risk report, wherein generating the residual risk report comprises generating and displaying an implicit risk summary and, following generating and displaying the implicit risk summary, generating and displaying a residual risk summary, …; wherein the implicit risk summary further comprises a plurality of possible controls and a ranking of the plurality of possible controls based on an impact of each of the possible controls on an aggregate control effectiveness score; and wherein the residual risk summary further comprises a plurality of unimplemented controls different from the plurality of possible controls and a ranking of the plurality of unimplemented controls based on the impact of each of the unimplemented controls on the aggregate control effectiveness score,” as substantially recited in independent claims 1, 11, and 20.  
Further, Applicant’s remarks on pages 16–18 of Applicant’s Response are persuasive.  As a result, the previous rejection of claims under 35 U.S.C. 103 is withdrawn; and claims 1–20 are allowable over the prior art of record.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S BROCKINGTON III whose telephone number is (571)270-3400. The examiner can normally be reached M-F, 8am-5pm, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao Wu can be reached on 571-272-6045. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/WILLIAM S BROCKINGTON III/Primary Examiner, Art Unit 3623