DETAILED ACTION
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .2.	This action is responsive to the following communication:  Amendment filed 1/5/22.  This action is made final.
3.	Claims 1-20 are pending in the case.  Claims 1, 19 and 20 are independent claims.

Claim Objections 
4.	Claims 12-17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
5. 	The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

6.	Claim 1-9 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bunker (US 20100242114) in view of Navarro (US 20160299771).

Regarding claim 1, Bunker discloses a computer implemented method, comprising: 
generating and outputting to an I/O device, a user interface comprising a plurality of user input fields for receiving the likelihood and/or impact of a plurality of pre-defined potential events related to a plurality of pre-defined potential vulnerabilities related to a computer system (see FIG. 8 wherein a user interface contains a plurality of fields wherein each field contains a plurality of vulnerabilities/events to a user [exposure area]); 
receiving, via the user interface, a risk profile comprising the likelihood and/or impact for each event of a selected group of events of the plurality of pre-defined potential events (FIG. 8, wherein each field contains a risk factor for each of the potential vulnerabilities/events); 
and computing a maturity measurement for the computer system using the risk profile and a database, the database comprising information for a set of practices and relationships between practices the set of practices and events of the plurality of pre-defined potential events (FIG. 14 and FIG. 15, each risk is classified by a report which analyses said risks and provides recommendations in the form of concerns and solutions for each risk vulnerability). 
Bunker does not disclose wherein the maturity measurement is one of a plurality of predefined maturity levels based on one or more of people using the computer system, processes implemented in the computer system, or technologies of the computer system.
However, Navarro discloses wherein a maturity level may be defined by discrete values relatively to a predefined scale of values. For example, when a technical expert starts working on a user configuration, he will first define a maturity level of 1 for all values of the configuration parameter in the first versions of the user configuration. When he will have performed at least some simulation or design steps, he may modify the maturity level to the 
The combination of Bunker and Navarro would have resulted in the security risk interface of Bunker to incorporate Navarro’s predefined maturity levels. One would have been motivated to have combined the teachings because a user in Bunker would have benefited from using further methods to use predefined levels as Bunker is already utilizing filters and the like to create risk profiles.  As such, it would have been obvious to have combined the references as the resulting invention would have been predictable to one of ordinary skill in the art.
Regarding claim 19, Bunker discloses a non-transitory computer-readable storage medium comprising instructions that, when executed by a processing device, cause the processing device to: 
generate and output to an I/O device, a user interface comprising a plurality of user input fields for receiving the likelihood and/or impact of a plurality of pre-defined potential events related to a plurality of pre-defined potential vulnerabilities related to a computer system (see FIG. 8 wherein a user interface contains a plurality of fields wherein each field contains a plurality of vulnerabilities/events to a user [exposure area]);

compute a maturity measurement for the computer system using the risk profile and a database, the database comprising information for a set of practices and relationships between practices the set of practices and events of the plurality of pre-defined potential events (FIG. 14 and FIG. 15, each risk is classified by a report which analyses said risks and provides recommendations in the form of concerns and solutions for each risk vulnerability).
Bunker does not disclose wherein the maturity measurement is one of a plurality of predefined maturity levels based on one or more of people using the computer system, processes implemented in the computer system, or technologies of the computer system.
However, Navarro discloses wherein a maturity level may be defined by discrete values relatively to a predefined scale of values. For example, when a technical expert starts working on a user configuration, he will first define a maturity level of 1 for all values of the configuration parameter in the first versions of the user configuration. When he will have performed at least some simulation or design steps, he may modify the maturity level to the maturity level 2 to indicate that the set of values is more precisely defined and/or that other technical experts may now rely on the assigned values when working on their side on other user configurations. A maturity level of 3 would be for example representative of a set of values which is considered as technically optimal and/or that the technical expert would probably not change anymore (paragraph 0144).

Regarding claim 20, Bunker discloses a computer system, comprising: a processing device; and memory in communication with the processing device and storing instructions that, when executed by the processing device, cause the processing device to: 
generate and output to an I/O device, a user interface comprising a plurality of user input fields for receiving the likelihood and/or impact of a plurality of pre-defined potential events related to a plurality of pre-defined potential vulnerabilities related to a computer system (see FIG. 8 wherein a user interface contains a plurality of fields wherein each field contains a plurality of vulnerabilities/events to a user [exposure area]);
receive, via the user interface, a risk profile comprising the likelihood and/or impact for each event of a selected group of events of the plurality of pre-defined potential events (FIG. 8, wherein each field contains a risk factor for each of the potential vulnerabilities/events); and 
compute a maturity measurement for the computer system using the risk profile and a database, the database comprising information for a set of practices and relationships between practices the set of practices and events of the plurality of pre-defined potential events (FIG. 14 
Bunker does not disclose wherein the maturity measurement is one of a plurality of predefined maturity levels based on one or more of people using the computer system, processes implemented in the computer system, or technologies of the computer system.
However, Navarro discloses wherein a maturity level may be defined by discrete values relatively to a predefined scale of values. For example, when a technical expert starts working on a user configuration, he will first define a maturity level of 1 for all values of the configuration parameter in the first versions of the user configuration. When he will have performed at least some simulation or design steps, he may modify the maturity level to the maturity level 2 to indicate that the set of values is more precisely defined and/or that other technical experts may now rely on the assigned values when working on their side on other user configurations. A maturity level of 3 would be for example representative of a set of values which is considered as technically optimal and/or that the technical expert would probably not change anymore (paragraph 0144).
The combination of Bunker and Navarro would have resulted in the security risk interface of Bunker to incorporate Navarro’s predefined maturity levels. One would have been motivated to have combined the teachings because a user in Bunker would have benefited from using further methods to use predefined levels as Bunker is already utilizing filters and the like to create risk profiles.  As such, it would have been obvious to have combined the references as the resulting invention would have been predictable to one of ordinary skill in the art.
Regarding claim 2, Bunker discloses wherein the likelihood and/or impact for each event of the selected group of events is a separate element of the risk profile (FIG. 5-7, each vulnerability consists of different filtered events and/or elements that contribute to said vulnerability).
Regarding claim 3, Bunker discloses wherein receiving the likelihood and/or impact for each event of the selected group of events comprises receiving the likelihood and the impact for each event of the selected group of events (FIG. 5-7, each vulnerability consists of different filtered events and/or elements that contribute to said vulnerability, see also FIG. 4 wherein risk reports are created from reports generated from the vulnerabilities, also see FIG. 8 wherein each risk is classified in column 820).
Regarding claim 4, Bunker discloses wherein each field of the plurality of user input fields is defined by a unique risk scenario having one vulnerability of the plurality of pre-defined potential vulnerabilities and one event of the plurality of pre-defined potential events (FIG. 8 has at least one risk scenario [exposure], which describes the vulnerability in the description wherein each of the risks/vulnerabilities and risk factors and severity are displayed to the user).
Regarding claim 5, Bunker discloses wherein each field of the plurality of user input fields is defined by a unique risk scenario having one vulnerability of the plurality of pre-defined potential vulnerabilities and one event of the plurality of pre-defined potential events (FIG. 8 has at least one risk scenario [exposure], which describes the vulnerability in the description wherein each of the risks/vulnerabilities and risk factors and severity are displayed to the user). 
Regarding claim 6, Bunker discloses wherein generating and outputting the user interface comprises:

Regarding claim 7, Bunker discloses wherein each event of the selected group of events of the risk profile is a unique risk scenario of one vulnerability of the plurality of pre-defined potential vulnerabilities (see at least FIG. 5 wherein there are a plurality of vulnerabilities which are filtered and organized as such and wherein each vulnerability is unique to each other).
Regarding claim 8, Bunker discloses wherein computing the maturity measurement for the computer system comprises mapping certain practices of the set of practices to the unique risk scenarios of the risk profile according to the relationships between practices the set of practices and events of the plurality of pre-defined potential events in the database (FIG. 14 and FIG. 15, each risk is classified by a report which analyses said risks and provides recommendations in the form of concerns and solutions for each risk vulnerability, see also FIG. 5 wherein each vulnerability is mapped according to the set of filters and then each risk is profiled separately).
Regarding claim 9, Bunker discloses wherein each mapped practice of the mapped certain practices is associated one of the plurality of predefined maturity levels in the database, and wherein computing the maturity measurement for the computer system is based on at 
Further, Navarro discloses wherein a maturity level may be defined by discrete values relatively to a predefined scale of values. For example, when a technical expert starts working on a user configuration, he will first define a maturity level of 1 for all values of the configuration parameter in the first versions of the user configuration. When he will have performed at least some simulation or design steps, he may modify the maturity level to the maturity level 2 to indicate that the set of values is more precisely defined and/or that other technical experts may now rely on the assigned values when working on their side on other user configurations. A maturity level of 3 would be for example representative of a set of values which is considered as technically optimal and/or that the technical expert would probably not change anymore (paragraph 0144).
The combination of Bunker and Navarro would have resulted in the security risk interface of Bunker to incorporate Navarro’s predefined maturity levels. One would have been motivated to have combined the teachings because a user in Bunker would have benefited from using further methods to use predefined levels as Bunker is already utilizing filters and the like to create risk profiles.  As such, it would have been obvious to have combined the 
Regarding claim 18, Bunker disclose wherein the computer system is a computing device or a computer network comprising at least a plurality of computing devices (see at least FIG. 3 wherein there are a plurality of computing devices that are networked).
7.	Claim 10 and 11 are rejected under 35 U.S.C. 103(a) as being unpatentable over Bunker-Navarro in view of Vervier (US 20190020674). 
Regarding claim 10, Bunker does not disclose wherein computing the maturity measurement for the computer system comprises summing or averaging plurality of predefined maturity levels of the mapped certain practices such that the maturity measurement comprises a summation or average of the plurality of predefined maturity levels of the mapped certain practices.
Further, Navarro discloses wherein a maturity level may be defined by discrete values relatively to a predefined scale of values. For example, when a technical expert starts working on a user configuration, he will first define a maturity level of 1 for all values of the configuration parameter in the first versions of the user configuration. When he will have performed at least some simulation or design steps, he may modify the maturity level to the maturity level 2 to indicate that the set of values is more precisely defined and/or that other technical experts may now rely on the assigned values when working on their side on other user configurations. A maturity level of 3 would be for example representative of a set of values which is considered as technically optimal and/or that the technical expert would probably not change anymore (paragraph 0144).

Moreover, Vervier discloses wherein in some examples, the systems described herein may calculate a weighted average risk score for an organization by, for each feature used in the assessment, multiplying the ranking of the organization for the feature (e.g., the average number of vulnerable ports per server, the average age of unpatched vulnerabilities in weeks, and/or the average CVSS score of each server) by a predetermined weight assigned to that feature, then summing the total value for all the features and dividing that total by the size of the set of features used to arrive at an overall vulnerability score. In some embodiments, the systems described herein may create vulnerability metrics such as weighted average risk scores for the same set of servers and/or organizations at regular intervals, such as once a week, once a month, and/or once a quarter. In one embodiment, the systems described herein may combine and/or compare vulnerability metrics created at different times (paragraph 0059).
The combination of Bunker and Vervier would have resulted in the security risk interface of Bunker to incorporate Vervier’s teachings of weighing risks together.  One would have been motivated to have combined the teachings because a user in Vervier would have benefited from using further methods to weigh risk assessments as Bunker is already utilizing filters and 
Regarding claim 11, Bunker does not disclose wherein computing the maturity measurement for the computer system comprises weighting each likelihood and/or impact for each event of the selected group of events with the predefined maturity level of the certain practice mapped to the event such that the maturity measurement is a weighted summation or a weighted average of likelihoods and/or impacts of the selected group of events. 
However, Vervier discloses wherein in some examples, the systems described herein may calculate a weighted average risk score for an organization by, for each feature used in the assessment, multiplying the ranking of the organization for the feature (e.g., the average number of vulnerable ports per server, the average age of unpatched vulnerabilities in weeks, and/or the average CVSS score of each server) by a predetermined weight assigned to that feature, then summing the total value for all the features and dividing that total by the size of the set of features used to arrive at an overall vulnerability score. In some embodiments, the systems described herein may create vulnerability metrics such as weighted average risk scores for the same set of servers and/or organizations at regular intervals, such as once a week, once a month, and/or once a quarter. In one embodiment, the systems described herein may combine and/or compare vulnerability metrics created at different times (paragraph 0059).
The combination of Bunker and Vervier would have resulted in the security risk interface of Bunker to incorporate Vervier’s teachings of weighing risks together.  One would have been motivated to have combined the teachings because a user in Vervier would have benefited .

Response to Amendment
8.	Applicant’s arguments with respect to the amended claims have been considered but are moot in view of the new grounds of rejection.  

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID E CHOI whose telephone number is (571)270-3780.  The 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DAVID E CHOI/Primary Examiner, Art Unit 2174