DETAILED ACTION
The following is a Non-Final Office Action in response to communications filed September 30, 2021.  Claims 1, 5, 6, 11, 16, and 20 are amended.  Currently, claims 1–20 are pending.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on September 30, 2021 has been entered.
 
Response to Amendment/Argument
Applicant’s amendments are sufficient to overcome the previous objection to claim 20 for informalities.  Accordingly, the previous objection to claim 20 is withdrawn.
Applicant’s amendments are sufficient to overcome the previous rejection of claims 1–20 under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.  Accordingly, the previous rejection of claims 1–20 under 35 U.S.C. 112(b) is withdrawn.
However, Applicant’s amendments necessitate new grounds of rejection under 35 U.S.C. 112(b), and Examiner directs Applicant to the relevant section below.
With respect to the previous rejection of claims under 35 U.S.C. 101, Applicant’s remarks have been fully considered but are not persuasive.
Applicant first asserts that the claims do not recite certain methods of organizing human activity because the claims do not encompass organizing human activity.  Examiner disagrees.  As previously noted, Examiner asserts that the inclusion of a human actor or activity is not dispositive with respect to a recitation of certain methods of organizing human activity.  Instead, a claim need not embody explicit human activity in order to recite certain methods of human activity or fundamental economic practices.  For example, Applicant submits that the claims of In re Chorna, 656 Fed. App'x 1016, 1021 (Fed. Cir. 2016) (non-precedential) “specifically cover which type of traders on which financial exchange are driving the valuation” and “necessarily rely on particular human interaction” despite representative claims 1 and 16 expressly reciting a “hindsight financial instrument” without any elements that encompass human traders.  
Similarly, the pending claims necessarily rely on human interaction because the claims embody a business risk mitigation framework that expressly relies on manually performed assessment activities.  As a result, Examiner maintains that Applicant’s claims, which recite processes for allowing organizations to mitigate information security risks according to manual assessment activities, recite certain methods of organizing human activity in an analogous manner to the examples identified in MPEP 2106.04(a)(2)(II)(A).   As a result, Applicant’s remarks are not persuasive.
Applicant further argues that “the present claims have been characterized as wholly mental processes that could be practically performed in the mind.”  In particular, 
As asserted previously and below, the elements for “determining … whether the at least one information system is vulnerable to the at least one threat type”, “determining a plurality of risk assessment activities”, “determining a plurality of control gaps”, and “providing a control effectiveness summary” recite mental processes because the elements describe observations or evaluations that could be practically performed in the mind.   Applicant has not presented any arguments with respect to the identified elements.  As a result, Applicant’s argument is not persuasive.
With respect to Step 2A Prong Two, Applicant asserts that the claims include a particular arrangement of components that integrate the abstract idea into a practical application because the claims “better allow an organization to prioritize its finite resources in order to mitigate cyber risk.”  Examiner disagrees and maintains that the claims embody abstract business solutions and do not include additional elements that integrate the abstract idea into a practical application.
MPEP 2106.04(d)(II) states that “Examiners evaluate integration into a practical application by: (1) identifying whether there are any additional elements recited in the claim beyond the judicial exception(s); and (2) evaluating those additional elements individually and in combination to determine whether they integrate the exception into a practical application, using one or more of the considerations introduced in subsection 
As noted below, the additional elements of claim 1 include a processor, a user interface, and steps for collecting information and providing information on the user interface.  Examiner maintains that the additional elements do not integrate the abstract idea into a practical application because the additional elements neither interact with nor impact the abstract elements in a manner that integrates the abstract idea into a practical application.  More particularly, the recited processor and interface are generic computing elements that are merely used as a tool to perform the underlying abstract business process, the step for collecting is an insignificant data gathering activity to the judicial exception, and the step for providing does no more than generically display instructions to a user.  As a result, the additional elements, when considered in view of the claims as a whole, do not embody any improvements in technology or meaningful application of the abstract idea, and Applicant’s argument is not persuasive.
In view of the above, the previous rejection of claims under 35 U.S.C. 101 is maintained and reasserted below.
With respect to the previous rejection of claims under 35 U.S.C. 103, Applicant’s remarks have been fully considered and are persuasive.  More particularly, Applicant’s remarks on page 27 of Applicant’s Response are persuasive.  Accordingly, the previous rejection of claims under 35 U.S.C. 103 is withdrawn.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1–20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 11 recite “determining … a plurality of assessment activities to apply” and “wherein determining a plurality of assessment activities to apply comprises”.  Examiner submits that the double recitation of “a plurality of assessment activities” renders the scope of the claims indefinite because it is unclear whether Applicant intends for the second plurality of assessment activities to reference the first plurality of assessment activities or intends to introduce a second, different plurality of assessment activities.  For purposes of examination, claims 1 and 11 are interpreted as reciting “wherein determining [[a]] the plurality of assessment activities to apply comprises”.
In view of the above, claims 1 and 11 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claims 2–10 and 12–20, which depend from claims 1 and 11, inherit the deficiencies described above.  As a result, claims 2–10 and 12–20 are similarly rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1–4, 6–14, and 16–20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  Specifically, claims 1–4, 6–14, and 16–20 are directed to an abstract idea without additional elements amounting to significantly more than the abstract idea.
With respect to Step 2A Prong One of the framework, claim 1 recites an abstract idea.  Claim 1 includes elements for “selecting a model …”; “determining based on the scope and expectation information, whether the at least one information system is vulnerable to the at least one threat type”; “determining from a set of possible assessment activities, a plurality of assessment activities to apply …, and applying the plurality of assessment activities determined to the at least one information system”; “determining from the plurality of assessment activities, the threat likelihood of the risk scenario and the business impact of the risk scenario, and determining, from the threat likelihood of the risk scenario and the business impact of the risk scenario, an implicit risk score for the risk scenario”; “determining the control effectiveness of the risk scenario …”; “calculating, from the implicit risk score and the control effectiveness, a residual risk value …”; “generating, from the set of residual risk values, an overall 
The limitations above recite an abstract idea.  More particularly, the elements above recite certain methods of organizing human activity because the elements describe a process for determining a residual risk value for a scenario and a plurality of control gaps, which amounts to a fundamental economic practice associated with risk mitigation.  Further, the elements for “determining … whether the at least one information system is vulnerable to the at least one threat type”, “determining a plurality of risk assessment activities”, “determining a plurality of control gaps”, and “providing a control effectiveness summary” recite mental processes because the elements describe observations or evaluations that could be practically performed in the mind.  Still further, the elements for “determining the threat likelihood of the risk scenario and the business impact of the risk scenario”, “determining the control effectiveness of the risk scenario”, “calculating a residual risk value”, and “generating an overall residual risk score” recite mathematical concepts because the elements, when considered in view of Applicant’s Specification, describe mathematical relationships and calculations.  As a result, claim 1 recites an abstract idea under Step 2A Prong One.
Claim 11 recites substantially similar limitations to those presented with respect to claim 1.  As a result, claim 11 recites an abstract idea under Step 2A Prong One for the same reasons as stated above with respect to claim 1.  Similarly, claims 2, 3, 6–10, 12, 13, and 16–20 further describe the process for determining a residual risk value for 
With respect to Step 2A Prong Two of the framework, claim 1 does not include additional elements that integrate the abstract idea into a practical application.  Claim 1 includes additional elements that do not recite an abstract idea under Step 2A Prong One.  The additional elements of claim 1 include the recited processor, a user interface, and steps for collecting information and providing information on the user interface.  When considered in view of the claim as a whole, the additional elements do not integrate the abstract idea into a practical application because the processor and interface are generic computing elements that are merely used as a tool to perform the recited abstract idea, the step for collecting is an insignificant extrasolution activity to the judicial exception, and the step for providing does no more than generally link the use of the abstract idea to a particular technological environment.  As a result, claim 1 does not include additional elements that integrate the abstract idea into a practical application under Step 2A Prong Two.
As noted above, claim 11 recites substantially similar limitations to those presented with respect to claim 1.  Although claim 11 further recites a computer-readable medium and a computer having a processor and memory, the recited computer elements, when considered in view of the claim as a whole, do not integrate the abstract idea into a practical application because the computer elements are generic 
Claims 2, 7, 8, 12, 17, and 18 do not recite any additional elements beyond those recited with respect to independent claims 1 and 11.  As a result, claims 2, 7, 8, 12, 17, and 18 do not include additional elements that integrate the abstract idea into a practical application under Step 2A Prong Two for the same reasons as stated above with respect to claim 1.
Claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 include additional elements that do not recite an abstract idea under Step 2A Prong One.  More particularly, the additional elements of claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 include the functions for “retrieving” (see claims 3, 4, 6, 9, 13, 14, 16, and 19), “plotting and displaying” (see claims 3, 4, 13, and 14), “transmitting” (see claims 6 and 16), and “receiving” (see claims 10 and 20).  When considered in view of the claims as a whole, the additional elements of claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 do not integrate the abstract idea into a practical application because the additional elements amount to no more than insignificant extrasolution activities to the judicial exception.  As a result, claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 do not include additional elements that integrate the abstract idea into a practical application under Step 2A Prong Two.
With respect to Step 2B of the framework, claim 1 does not include additional elements amounting to significantly more than the abstract idea.  As noted above, claim 1 includes additional elements that do not recite an abstract idea under Step 2A Prong 
As noted above, claim 11 recites substantially similar limitations to those presented with respect to claim 1.  Although claim 11 further recites a computer-readable medium and a computer having a processor and memory, the recited computer elements do not amount to significantly more than the abstract idea because the computer elements are generic computing elements that are merely used as a tool to perform the recited abstract idea.  Further, looking at the additional elements as an ordered combination adds nothing that is not already present when considering the additional elements individually.  As a result, claim 11 does not include additional elements that amount to significantly more than the abstract idea under Step 2B for the same reasons as stated above with respect to claim 1.

As noted above, claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 include additional elements for “retrieving”, “plotting and displaying”, “transmitting”, and “receiving”.  The additional elements of claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 do not amount to significantly more than the abstract idea because the functions for “retrieving”, “transmitting”, and “receiving” amount to no more than well-understood, routine, and conventional computer functions in view of MPEP 2106.05(d)(II), wherein receiving, transmitting, and retrieving are identified as well-understood, routine, and conventional functions; and the functions for “plotting and displaying” similarly amount to no more than well-understood, routine, and conventional computer functions in view of Applicant’s Specification (see e.g. Spec. ¶¶ 83 and 94), which describes the additional elements in a manner that indicates that the additional elements are sufficiently well-known.  Further, looking at the additional elements as an ordered combination adds nothing that is not already present when considering the additional elements individually.  As a result, claims 3, 4, 6, 9, 10, 13, 14, 16, 19, and 20 do not include additional elements that amount to significantly more than the abstract idea under Step 2B.
Therefore, the claims are directed to an abstract idea without additional elements amounting to significantly more than the abstract idea.  Accordingly, claims 1–4, 6–14, 

Conclusion
The following prior art is made of record and not relied upon but is considered pertinent to applicant's disclosure:
Hoernecke et al. (U.S. 2017/0098086) discloses a system for assessing application risks according to manual and automatic testing.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S BROCKINGTON III whose telephone number is (571)270-3400.  The examiner can normally be reached on M-F, 8am-5pm, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao Wu can be reached on 571-272-6045.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-






/WILLIAM S BROCKINGTON III/Primary Examiner, Art Unit 3623