DETAILED ACTION
This is a Final Office Action in response to the amendment filed 08/11/2021.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
The amendment filed 08/11/2021 has been entered. 
Status of Claims
Claims 1-20 have been amended. Claims 1-20 are currently pending and have been examined.
Response to Arguments
Claim Rejections 35 U.S.C. § 101:
Applicant’s arguments have been fully considered and are persuasive. The 35 U.S.C. 101 rejection has been withdrawn based on the claim amendments because the use of computing systems for threat assessment, risk quantification and prediction as recited in the amended claims is not directed to a judicial exception. These features apply any judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception (see PEG 2019 and MPEP 2106.05). The claims are therefore eligible under 35 U.S.C. 101.

Claim Rejections 35 U.S.C. § 103:
The following is the guidance for determining prior art exceptions:
(a) NOVELTY; PRIOR ART.—A person shall be entitled to a patent unless—
(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention; or
(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
(b) EXCEPTIONS.—
(1) DISCLOSURES MADE 1 YEAR OR LESS BEFORE THE EFFECTIVE FILING DATE OF THE CLAIMED INVENTION.—A disclosure made 1 year or less before the effective filing date of a claimed invention shall not be prior art to the claimed invention under subsection (a)(1) if—
(A) the disclosure was made by the inventor or joint inventor or by another who obtained the subject matter disclosed directly or indirectly from the inventor or a joint inventor; or
(B) the subject matter disclosed had, before such disclosure, been publicly disclosed by the inventor or a joint inventor or another who obtained the subject matter disclosed directly or indirectly from the inventor or a joint inventor.

(A) the subject matter disclosed was obtained directly or indirectly from the inventor or a joint inventor;
(B) the subject matter disclosed had, before such subject matter was effectively filed under subsection (a)(2), been publicly disclosed by the inventor or a joint inventor or another who obtained the subject matter disclosed directly or indirectly from the inventor or a joint inventor; or
(C) the subject matter disclosed and the claimed invention, not later than the effective filing date of the claimed invention, were owned by the same person or subject to an obligation of assignment to the same person.
(c) COMMON OWNERSHIP UNDER JOINT RESEARCH AGREEMENTS.—Subject matter disclosed and a claimed invention shall be deemed to have been owned by the same person or subject to an obligation of assignment to the same person in applying the provisions of subsection (b)(2)(C) if—
(1) the subject matter disclosed was developed and the claimed invention was made by, or on behalf of, 1 or more parties to a joint research agreement that was in effect on or before the effective filing date of the claimed invention;
(2) the claimed invention was made as a result of activities undertaken within the scope of the joint research agreement; and
(3) the application for patent for the claimed invention discloses or is amended to disclose the names of the parties to the joint research agreement.

(1) if paragraph (2) does not apply, as of the actual filing date of the patent or the application for patent; or
(2) if the patent or application for patent is entitled to claim a right of priority under section 119, 365(a), 365(b), 386(a), or 386(b), or to claim the benefit of an earlier filing date under section 120, 121, 365(c), or 386(c) based upon 1 or more prior filed applications for patent, as of the filing date of the earliest such application that describes the subject matter.
Regarding Applicant’s argument that US Pub. No. 2010/0325731 (Evrard) is subject to an exception under 35 U.S.C. 102(b)(2)(A), Examiner notes that Evrard is considered prior art under 102(a)(1) and not 102(a)(2); accordingly, the art falls outside the grace period required to be considered an exception.
Applicant’s arguments regarding the previous rejection have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-
Claim(s) 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim(s) 1-5, 13-15, 17 of U.S. Pub. No. 2010/0325731.
Claims of Instant Application | Claims of US Pub. No. 2010/0325731
1, 3, 8, 10, 14, 16           | 1, 13, 17
3, 10, 16                     | 2
1, 3, 8, 10, 14, 16           | 3
3, 10, 16                     | 4, 14
3, 10, 16                     | 5, 15


The chart above maps claims of the instant application to corresponding claims of US Pub. No. 2010/0325731 that are patentably indistinct, though not identical. One of ordinary skill in the art would have recognized the slight differences between the claim language of the corresponding claims as being directed towards intention, slight variations in terminology, or obvious variants of claim elements, and therefore these claims are not patentably distinct from one another despite these slight differences.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.


The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim(s) 1/8/14 is/are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claims 1/8/14 include the amended limitation “receiving by one or more computer agents deployed within a demilitarized zone”; however, the specification does not provide any support for this limitation.
Dependent claims 2-7, 9-13, 15-20 inherit the deficiency of independent claims 1/8/14 and are therefore rejected under 112(a) for the same reasons as noted above.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim(s) 1-20 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim(s) 1/8/14 recite the limitations “the operational improvement network security devices”. There is insufficient antecedent basis for this limitation in the claim. Claims 2-7, 9-13, 15-20 depend directly or indirectly from claims 1/8/14 and fail to cure this deficiency, accordingly these claims are rejected for the same reasons.
Claims 5/12/18 recite the limitation “the extrapolated probabilities”. There is insufficient antecedent basis for this limitation in the claim.
Claims 2/9/15 recite the limitations “each adjusted predicted downtime”. There is insufficient antecedent basis for this limitation in the claim.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. 2010/0325731 (hereinafter; Evrard) in view of US Pub. No. 2008/0022109 (hereinafter; Miyazaki), further in view of US Pub. No. 2016/0248799 (hereinafter; Ng).
Regarding claims 1, 8 and 14, Evrard discloses: 
A method performed by one or more computers to quantify and predict information security risks for the operational improvement network security devices within at least one network infrastructure of an entity, the method comprising; a non-transitory computer readable medium comprising instructions that, when executed by a processing device, cause said processing device to perform operations comprising; a system, comprising: a memory; and a processor, and a non-transitory computer readable medium, communicatively coupled with a processor, said non-transitory computer readable medium storing instructions which when executed by a processor performs a method comprising: Evrard discloses an apparatus, a method and a system for assessing threat to at least one computer network in which a plurality of systems operate detection of cyber threat in at least [0005], [0013], and [0015].
one or more networks comprising computing systems, a threat assessment system, a system risk calculator, an activity predictor, a predicted loss calculator, a model control system and an analysis and reporting system comprising one or more processors and memory communicatively coupled with the processor and or processors, the memory storing instructions; [0045], [0053], [0057], [0065], Fig. 2 disclose the threat assessment system 11 includes a first module 14 (hereinafter referred to as an "activity predictor") for predicting threat activity affecting the corporate network 1; The threat assessment system 11 includes a second module 19 (hereinafter referred to as a "system risk calculator") for calculating system risk; the system 11 includes a third module 24 (hereinafter referred to as a "predicted loss calculator") for predicting the loss to the organization; the threat assessment system 11 (FIG. 2) is implemented in software on a computer system 35 running an operating system, such as Windows, Linux or Solaris. The computer system 35 includes at least one processor 36, memory 37 and an input/output (I/O) interface 38 operatively connected by a bus 39. The I/O interface 38 is operatively connected to the user input 17 (for example in the form of a keyboard and pointing device), display 29, a network interface 40, storage 41 in the form of hard disk storage and removable storage 42.
between a public network, or networks and a private network or networks a plurality of inputs, said inputs comprising collected electronic threat and security information from at least publicly available information and monitored network traffic transmitted via a public network, or networks, to a private network, or networks receiving data by one or more software agents, with a plurality of variables said variables indicating at least a time window having a beginning and an end and a determination of assets and sub-assets associated with at least one network infrastructure of an entity; [0025]; Fig. 1 discloses a corporate network 1 is connected to an external network 2, in this case the 
receiving data by one or more software agents, with a plurality of variables, said data specifying relationships among network infrastructure assets and sub-assets, ([0037] discloses A system category may depend on other categories. For example, a company may have a system which depends on Windows Server 2003 and another system which depends on Windows XP, i.e. two different system categories. Thus, if a threat attacks more than one category, such as all versions of Windows, this can be handled by introducing a third system category, such as Windows, on which both of the other categories, in this example Windows Server 2003 and Windows XP, depend) a frequency of electronic threats identified within network traffic inbound towards a target computer network, ([0011] discloses The observed list of threats may include, for each threat, information identifying at least one system. The observed list of threats may include, for each threat, information identifying frequency of occurrence of the threat. The frequency of occurrence of the threat may include at least one period of time and corresponding frequency of occurrence for the at least one period of time.) containing an identifier, a name, a description of a threat or threats, ([0033] discloses Each observed threat is defined using an identifier, a name, a description of the threat, a business processes dependent for their correct functioning upon network assets and or sub-assets; ([0051] discloses The user can also provide or edit information about threat. For example, they can specify data regarding, extrapolation factors, the IT systems subject to attack, such as its identity, name and category identity, systems categories, such as its identity and name, operational processes, such as its identity, name and value, and process dependencies, such as process identity, system identity, dependency description and dependency level.)
receiving at least one value associated with a security breach for assets and or sub-assets of a network infrastructure of an entity, said entity being coupled to a network infrastructure comprising one or more assets utilized by business processes of an entity; [0051] discloses The user can also provide or edit information about threat. For example, they can specify data regarding, extrapolation factors, the IT systems subject to attack, such as its identity, name and category identity, systems categories, such as its identity and name, operational processes, such as its identity, name and value, and process dependencies, such as process identity, system identity, dependency description and dependency level. [0104-0105] discloses determining downtime for a system based on expected damage level using the value of severity score.
collecting network infrastructure information regarding one or more assets; 
receiving, by an activity predictor, identified electronic threat data within inbound network traffic and receiving collected security information; [0025] discloses the firewall filters incoming traffic; [0046]; Fig. 2 disclose The activity predictor 14 receives the observed threat data 9 from the database 10, for example by retrieving the data automatically or in response to user instruction.
and to combine current data with historical stored threat data, to extrapolate future event frequency and to produce a profile including at least, for each electronic threat, an identifier, a name, a description of a threat, a frequency of occurrence of each electronic threat within a time block, a target or targets, for each threat and a severity score for each target for predicted threat activity; [0033] discloses Each observed threat is defined using an identifier, a name, a description of the threat, a temporal profile specifying frequency of occurrence of the threat, a target (or targets) for the threat and a severity score for the (or each) target; [0046-0048] discloses The activity predictor 14 receives the observed threat data 9 from the database 10, for example by retrieving the data automatically or in response to user instruction, extrapolates future event frequency and produces a profile 13 of predicted threat activity, which includes a list of predicted threats and their expected frequency of occurrence. The predicted threat activity profile 13 may be stored in a database 16. Event frequency can be extrapolated from the historical data using a variety of editable factors which can be based upon advice from security consultants, political factors and so on. Each predicted threat is defined using an identifier, a name, a description, a frequency of occurrence, a 
determining, based on modeling of said data, a predicted level of damage to assets and or sub-assets of a network infrastructure of an entity within a time window, Evrard discloses a severity score that may also be referred to as “damage level” that is a measure of the impact of a successful threat in at least [0033], [0038], and [0104]. 
automatically outputting the continuously updated the predicted future electronic threat profiles into network security device policies generating feedback to network security device security parameters automatically increasing the threat identification capabilities of the said network security devices. [0032] discloses a system 11 for assessing threat uses models threats to the corporate network 1 so as to predict loss 12 arising from these threats and/or to provide feedback 13 to the firewall 3; [0068] discloses In a "live mode", the activity predictor 14 periodically, for example daily, connects to the known threat database 10 (which is preferably continuously updated), retrieves the observed threat profile 9 and produces a new predicted activity 13. The predicted activity 13 is fed back to the firewall 3.
Although Evrard discloses an apparatus and methods for assessing threats, quantifying and predicting information security risks, Evrard does not specifically disclose a demilitarized zone. However, Miyazaki discloses the following limitations:
receiving by one or more computer agents deployed within a demilitarized zone; Miyazaki [0045] discloses providing a firewall device or a demilitarized zone between 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine the apparatus and methods for assessing threats to a computer network of Evrard with the demilitarized zone of Miyazaki in order to reduce a threat of unlawful computer access (Miyazaki [0045]) because the references are analogous since they both fall within Applicant's field of endeavor and are reasonably pertinent to the problem with which Applicant is concerned.
Although Evrard discloses an apparatus and methods for assessing threats, quantifying and predicting information security risks and using weighted linear extrapolation or polynomial extrapolation, Evrard does not specifically disclose a plurality of simulations. However, Ng discloses the following limitations:
performing by one or more computers, a plurality of simulations using a method of weighted linear extrapolation or polynomial extrapolation, with a higher weighting of recent data to older data, of values associated with identified electronic threats and security information, to calculate, a distribution of computer-based threats for various time steps within a time window, Ng [0097] discloses the weighting module can assign different weights to variables; variables may be weighted equally, or differently, and the weighting may be static, dynamic, or customizable based on different analysis goals; [0108-0109] disclose simulated security failures against a cyber profile of an entity; the simulated cyber attack in this example tests the sophistication of the entity and is 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine the apparatus and methods for assessing threats to a computer network of Evrard with the methods for assessing risk of a cyber security failure in a computer network of Ng in order to reduce the assessed risk and provide one or more recommended computer network changes (Ng abstract) because the references are analogous since they both fall within Applicant's field of endeavor and are reasonably pertinent to the problem with which Applicant is concerned.  
Regarding claims 2, 9 and 15, Evrard discloses:
The method according to claim 1; the non-transitory computer medium of claim 8; the system of claim 14, wherein determining the effectiveness of electronic threat mitigation control effectiveness within a network infrastructure of an entity for a security risk comprises: determining if the one or more assets and or sub-assets within the network infrastructure of an entity are capable of operation in a safe mode within a set of time blocks, each time block having a beginning and an end; Evrard [0011] discloses information about at least one period of time; [0040] discloses multiple time blocks; [0104] discloses the risk calculator can adjust the downtime, by taking into account mitigating factors, such as whether the system can operate in a safe mode and whether back-up systems are available.
determining a time profile for each target asset or sub-asset of the network infrastructure of the one or more predicted electronic threats, each time profile defined in terms of one or more time blocks and the number of predicted successful electronic threats in each time block; [0040] discloses a time profile expressed as a sequence of elements, each of which has a time block and a count of the observed occurrences of the threat during the block.
adjusting the predicted future electronic threat profiles based upon the ability of a target asset and or sub-asset of an electronic threat predicted to occur in a future period and within a time block having a beginning and an end, to operate in a safe mode, for each asset and or sub-assets within the network infrastructure according to the variables of assets with a safe mode of operation; Evrard [0039] discloses a temporal profile that is used to describe frequency of occurrence of a threat because loss caused by system downtime may vary according to the time and the temporal profile may be visible to and/or editable by a user for some types of threat, such as physical threats; [0104] discloses taking into account mitigating factors, such as whether the system can operate in a safe mode and whether back-up systems are available.
determining if the network infrastructure of an entity includes redundancy capabilities within a set of time blocks, each time block having a beginning and an end for the one or more assets and or sub-assets of the said network infrastructure of an entity; Evrard [0042] discloses multiple time blocks; [0104] discloses The risk calculator takes into account mitigating factors, such as whether the system can operate in a safe mode and whether back-up systems (i.e. redundancy capability) are available.
adjusting the predicted future electronic threat profiles based upon the ability of a target asset and or sub-asset of an electronic threat predicted to occur in a future period and within a time block having a beginning and an end, to operate in a safe mode, for each network infrastructure asset and or sub-asset according to the variables of assets with redundancy capabilities; Evrard [0039] discloses a temporal profile that is used to describe frequency of occurrence of a threat because loss caused by system downtime may vary according to the time and the temporal profile may be visible to and/or editable by a user for some types of threat, such as physical threats; [0104] discloses taking into account mitigating factors, such as whether the system can operate in a safe mode and whether back-up systems (i.e. redundancy capabilities) are available. 
multiplying each adjusted predicted downtime of each network infrastructure asset and or sub-assets by the frequency of occurrence of the threat predicted to occur in a future period and within a time block having a beginning and an end to obtain a value of the total downtime for the said threat predicted to occur in a future period and within a time block having a beginning and an end for each asset and or sub-asset variable of safe mode of operation and redundancy capability within a time block having a beginning and an end; Evrard [0042] discloses multiple time blocks; [0104] discloses determining downtime for a system based on expected damage level. The risk calculator multiplies each downtime by the frequency of occurrence of a successful threat to obtain a value of the total downtime. The risk calculator 19 can adjust the downtime, for example by taking into account mitigating factors, such as whether the system can operate in a safe mode and whether back-up systems (i.e. redundancy capability) are available.
summing the predicted downtime of each asset and or sub-asset within a network infrastructure and within a series of time blocks having a beginning and an end to arrive at an accumulated downtime for the network infrastructure of an entity for a specified period comprising one or more time blocks; Evrard [0042] discloses multiple time blocks; [0104-0105] discloses determining downtime for a system based on expected damage level using the value of severity score. The risk calculator adds the downtime to an accumulated downtime for the system category. For each system, the risk calculator adds up downtimes of dependencies of the system categories on which the system depends.
determining the predicted accumulated downtime for the network infrastructure for each variable of a presence of safe mode operation and, or redundancy capability for each asset and or sub-asset within the network infrastructure of an entity for a specified period comprising one or more time blocks. Evrard [0042] discloses multiple time blocks; [0104-0105] discloses determining downtime for a system based on expected damage level using the value of severity score. The risk calculator adds the downtime to an accumulated downtime for the system category. For each system, the risk calculator adds up downtimes of dependencies of the system categories on which the system depends. The risk calculator 19 can adjust the downtime, for example by taking into account mitigating factors, such as whether the system can operate in a safe mode and whether back-up systems (i.e. redundancy capability) are available.

The method of claim 1; the non-transitory medium of claim 8; the system of claim 14, wherein the determining of business impact for an electronic threat scenario further comprises; summing by the system risk calculator predicted downtimes of dependencies of the system categories upon which systems depend for operation, and, or the dependencies of the system categories on which system dependencies depend; Evrard [0104-0105] disclose determining downtime for a system based on expected damage level using the value of severity score. The risk calculator adds the downtime to an accumulated downtime for the system category. For each system, the risk calculator adds up downtimes of dependencies of the system categories on which the system depends.
receiving by the predicted loss calculator, system risk and data listing operational businesses processes from a database, to predict loss for each operational business process, aggregating the results for each operational business process, outputting predicted loss data to be stored in a database and, or to a display device; [0029-0030] disclose If the likelihood of an attack succeeding can be estimated for a number of different threats, then this can be combined with knowledge of the logical structure of IT systems 30 (FIG. 3) within the network 1 and knowledge of processes 31 (FIG. 3) dependent on those IT systems 30 (FIG. 3) to predict, for a given period of time, loss to the organisation due to these threats; A module 6 (hereinafter referred to as a "threat analyser") samples incoming traffic 4 and identifies threats using a list 7 of known threats stored in a database 8; [0058] discloses The predicted loss calculator 24 receives the system risk 22 and data 25 listing operational processes from a database 26, then 
adding up, by the predicted loss calculator, for each operational business process, the predicted downtimes of the system categories on which each operational business process depends, determining the duration for which the operational business process is unavailable and multiplying the duration by a value of the operational business process to quantify loss. Evrard [0104-0105] disclose determining downtime for a system based on expected damage level using the value of severity score. The risk calculator adds the downtime to an accumulated downtime for the system category. For each system, the risk calculator adds up downtimes of dependencies of the system categories on which the system depends. The risk calculator multiplies each downtime by the frequency of occurrence of a successful threat to obtain a value of the total downtime.
Regarding claims 4, 11 and 17, Evrard discloses:
The method of claim 1; the non-transitory medium of claim 8; the system of claim 14, wherein the prediction of electronic threat probabilities within future periods further comprises; continuously collecting global electronic threat data and identifying threats using a database of known threats with identifying data comprising multiple attacks performed using multiple attack methods directed at multiple targets; [0030] discloses A module 6 (hereinafter referred to as a "threat analyser") samples incoming traffic 4 and identifies threats using a list 7 of known threats stored in a database 8; [0068] discloses In a "live mode", the activity predictor 14 periodically, for example daily, 
receiving data specifying the frequency of occurrence for each individual threat; [0011] discloses The observed list of threats may include, for each threat, information identifying frequency of occurrence of the threat.
receiving data specifying the target of each individual threat; [0033] discloses Each observed threat is defined using an identifier, a name, a description of the threat, a temporal profile specifying frequency of occurrence of the threat, a target (or targets) for the threat and a severity score for the (or each) target.
receiving within the global threat data the activity level for each specified individual threat for a specified period to a present period within time blocks having a beginning and an end; [0011] discloses The frequency of occurrence of the threat may include at least one period of time and corresponding frequency of occurrence for the at least one period of time.
receiving, by the activity predictor, data for electronic threats identified within inbound network traffic of an entity and collected global threat data ([0030] discloses A module 6 (hereinafter referred to as a "threat analyser") samples incoming traffic 4 and identifies threats using a list 7 of known threats stored in a database 8) and extrapolating future event frequency based upon currently identified electronic threats, ([0046] discloses The activity predictor 14 receives the observed threat data 9 from the database 10, for example by retrieving the data automatically or in response to user instruction, extrapolates future event frequency and produces a profile 13 of predicted threat activity, which includes a list of predicted threats and their expected frequency of occurrence.) historic electronic threat data identified within inbound network traffic of the entity ([0047] discloses Event frequency can be extrapolated from the historical data) and the activity level for each individual electronic threat within the global electronic threat data, ([0038] discloses The severity score ("SeverityScore") is a measure of the impact of a successful threat. It is not a measure of the prevalence or exposure to the threat, but rather an indication of the damage that would be caused to the target system. Severity score may also be referred to as "damage level".) in time blocks having a beginning and an end, ([0040] discloses The profile is expressed as a sequence of elements, each of which has a time block and a count of the observed occurrences of the threat during the block.) using weighted linear extrapolation, or other polynomial regression, ([0071] discloses weighted linear extrapolation is used, although other methods may be used, such as polynomial extrapolation.)
Although Evrard discloses an apparatus and methods for assessing threats, quantifying and predicting information security risks and using weighted linear extrapolation or polynomial extrapolation, Evrard does not specifically disclose different weightings of data. However, Ng discloses the following limitations:
with a higher weighting of recent data to older data, to create probability distributions for electronic threat activity and automatically feeding the continuously updated predicted electronic threat activity to one or more network security appliances for further refinement of the security appliance rules and continuously enhance the security appliance performance. Ng [0097] discloses the weighting module can assign different weights to variables; variables may be weighted equally, or differently, and the weighting may be static, dynamic, or customizable based on different analysis goals.
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine the apparatus and methods for assessing threats to a computer network of Evrard with the methods for assessing risk of a cyber security failure in a computer network of Ng in order to reduce the assessed risk and provide one or more recommended computer network changes (Ng abstract) because the references are analogous since they both fall within Applicant's field of endeavor and are reasonably pertinent to the problem with which Applicant is concerned.
Regarding claims 5, 12 and 18, Evrard discloses:
The method of claim 1; the non-transitory medium of claim 8; the system of claim 14, wherein the calculation of loss for each of the business processes dependent upon the downtime of the network infrastructure of an entity for an electronic threat scenario comprises; receiving, by the system risk calculator, an identification of the target assets at risk of being attacked wherein each of the target assets may instantiate in multiple technology layers within a network infrastructure; [0033] discloses a temporal profile specifying a target or targets for the threat; [0061]; Fig. 3 disclose there may be additional levels of system category 33 such that one or more system categories 33 in a lower level may depend on a system category in a higher level. Thus, a system 30 may 
receiving the extrapolated probabilities of identified electronic threats within the inbound network traffic of an entity occurring and the probability of time distributions of occurrence of the identified electronic threats; [0046] discloses The activity predictor 14 receives the observed threat data 9 from the database 10, for example by retrieving the data automatically or in response to user instruction, extrapolates future event frequency and produces a profile 13 of predicted threat activity, which includes a list of predicted threats and their expected frequency of occurrence; [0093] discloses activity predictor provides the predicted number of viruses contacted by target with time profile. 
applying system risk values to system categories related to the network-infrastructure by dependencies; [0051] discloses The user can also provide or edit information about threat. For example, they can specify data regarding, extrapolation factors, the IT systems subject to attack, such as its identity, name and category identity, systems categories, such as its identity and name, operational processes, such as its identity, name and value, and process dependencies, such as process identity, system identity, dependency description and dependency level.
and applying a value of a business process dependent upon said network-infrastructure. [0059] discloses Each process is defined by identity and a name, value in terms of the cost of downtime. The dependency of each process on an underlying IT 
Regarding claims 6, 13 and 19, Evrard discloses:
The method of claim 1; the non-transitory medium of claim 8; the system of claim 14, further comprising one or more reports, including information for increasing the likelihood of detection of a threat, on predicted loss, an aggregate loss value for each process, estimated annual downtime, and an estimated annual downtime with the associated annual predicted loss is, or are generated by a threat assessment system. [0064] discloses The threat assessment system 11 can output a report of the predicted loss, e.g. an aggregate value at risk, to the organisation for each process in terms of process name, estimated annual downtime and predicted loss.
Regarding claims 7 and 20, although Evrard discloses an apparatus and methods for assessing threats, quantifying and predicting information security risks and the commencement of a safe mode of operation and or a redundancy function, Evrard does not specifically disclose a plurality of simulations. However, Ng discloses the following limitations:
The method of claim 2; the system of claim 14, wherein electronic threat mitigation control corresponds to calculating a risk exposure value by the threat assessment system for a given configuration of a private network, recalculating the risk value after a simulated change to a software or hardware change to the one or more assets of the private network infrastructure using the model control system to generate one or more simulations and determine a risk exposure value to mitigate the potential effects of the predicted electronic threats through the commencement of a safe mode of operation and, or a redundancy function. Ng [0108-0109] disclose simulated security failures against a cyber profile of an entity; the simulated cyber attack in this example tests the sophistication of the entity and is affected by the motivation regarding the entity; the system can be used to change technical aspects of the entity, including content distribution.
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine the apparatus and methods for assessing threats to a computer network of Evrard with the methods for assessing risk of a cyber security failure in a computer network of Ng in order to reduce the assessed risk and provide one or more recommended computer network changes (Ng abstract) because the references are analogous since they both fall within Applicant's field of endeavor and are reasonably pertinent to the problem with which Applicant is concerned.  
Conclusion
The following is prior art made of record but not relied upon:
US Pub. No. 2016/0063628 (Kreider et al.) discloses technology for detecting undesirable data packets in a data communications network.
US Pub. No. 2017/0220801 (Stockdale et al.) discloses a method for detecting cyber-threats to a computer system.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to FRANCIS Z SANTIAGO-MERCED whose telephone number is (571)270-5562. The examiner can normally be reached M-F 7am-4:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian M. Epstein can be reached on (571) 270-5389. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for 

/FRANCIS Z. SANTIAGO MERCED/Examiner, Art Unit 3683

/BRIAN M EPSTEIN/Supervisory Patent Examiner, Art Unit 3683