DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/10/2022 has been entered.
 
Response to Arguments
Applicant's arguments filed 01/10/2022 have been fully considered but they are not persuasive.

A – Applicant argues: On page 8 of Remarks (01/10/2022) “That is, according to the express language of independent claim 1 and the other pending independent claims:
	the “actions to improve the cybersecurity risk score” are based on “data indicative of potential cybersecurity threats to the entity;”
	and the “data indicative of potential cybersecurity threats to the entity” is identified by “non-intrusively searching.”

In sharp contrast, the data used by Ide to determine a pass / fail score during an authentication process is identified using “intrusive” searching, which is distinguished from the claimed “non-intrusive” searching throughout the specification. Ide’s workstation assessment agent scans an end user work station (referred to as a host) itself to identify vulnerabilities:…  (Ide, paragraph 52)
Performing a series of checks on a workstation obviously requires that permission first be obtained to do so, and therefore, would be an intrusive search. As articulated in the 

A – The Examiner respectfully disagrees: 
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Sidagni is used for the concepts of “actions to improve the cybersecurity risk score”, “data indicative of potential cybersecurity threats to the entity” and “non-intrusively searching… for data indicative of potential cybersecurity threats to the entity”.
The combination of Sidagni-Ide teaches the limitations, and the references are obvious to combine because the concepts are well-known.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5, 7, 8, 10-12, 14, 15 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Sidagni, (US Publication No. 2014/0047545), and further in view of Ide et al., (US Publication No. 2006/0272011), hereinafter “Ide”.

Regarding claims 1, 8 and 15, Sidagni discloses
identifying, by one or more processors, parameters for quantifying the cybersecurity risk level of the entity, where the parameters comprise information identifying the entity [Sidagni, paragraph 45, perform network scans]; 
non-intrusively searching, based on the parameters, by the one or more processors, for data indicative of potential cybersecurity threats to the entity [Sidagni, paragraph 45, perform network scans, non-intrusive for threats].

Sidagni does not specifically disclose, however Ide teaches
calculating, by the one or more processors, a cybersecurity risk score for the entity based, at least in part, on the data indicative of cybersecurity threats to the entity [Ide, paragraphs 48-51, 64-66, Table 1, item 6, identify if there is a risk and inform the user];
presenting, by the one or more processors, data representative of the cybersecurity risk score and one or more actions to improve the cybersecurity risk score, where the one or more actions are based on the data indicative of potential cybersecurity threats to the entity [Ide, paragraphs 48-51, 64-66, Table 1, item 6, present risk to user].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the data relating to the outcome of the risk assessment to a user in order for the user to determine a course of action to ensure the security of the system.

Regarding claims 5, 12 and 18, Sidagni-Ide further discloses
initiating operations to intrusively search for a portion of the data indicative of cybersecurity threats to the entity [Ide, Abstract, paragraphs 64-66].

Regarding claims 7, 14, Sidagni-Ide further discloses
where the data indicative of cybersecurity threats to the entity comprises at least one type of data selected from the list consisting of: malware infections, breach history, domain name system (DNS) health, social media data, botnet infections, application vulnerabilities, network exploits, patching cadence, and leaked employee credentials [Sidagni, paragraph 49, malware injections].

Regarding claim 10, Sidagni-Ide further discloses
where the operations further comprise receiving information that identifies at least one action of the one or more actions that has been completed [Ide, Abstract, paragraphs 50-51, Table I, information is received what actions needed to bring system into compliance and allow system access].

Regarding claim 11, Sidagni-Ide further discloses
where the operations further comprise updating the cybersecurity risk score based on the information that identifies the at least one action that has been completed [Ide, Abstract, paragraphs 50-51, Table I, information is received what actions needed to bring system into compliance and allow system access].

Regarding claim 17, Sidagni-Ide further discloses
where the one or more processors are configured to determine: receiving information that identifies at least one action of the one or more actions that has been completed [Ide, Abstract, paragraphs 50-51, Table I, information is received what actions needed to bring system into compliance and allow system access]; and updating the cybersecurity risk score based on the information that identifies the at least one action that has been completed [Ide, Abstract, paragraphs 50-51, Table I, information is received what actions needed to bring system into compliance and allow system access].

Regarding claim 19, Sidagni-Ide further discloses
where the one or more processors are configured to: generate an interactive scorecard comprising scorecard information representative of the cybersecurity risk score for the entity, the scorecard information comprising: a list of primary factors affecting the cybersecurity risk of the entity; and a list of secondary factors affecting the cybersecurity risk of the entity; and presenting the interactive scorecard to a user via a user interface [Ide, Abstract, paragraphs 50-51, Table I, information is received what actions needed to bring system into compliance and allow system access].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the data to the user on what the corrective action is which would be obvious to include any primary and secondary factors (include all factors) in order to provide a secure system when accessing the internal network.

Claims 2-4, 6, 9, 13, 16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sidagni-Ide as applied to claims 1, 8 and 15 above, and further in view of McGovern, (US Publication No. 2009/0024663).

Regarding claims 2, 9 and 16, Sidagni-Ide does not specifically disclose
categorizing the entity according to the entity's size; and 
determining a cybersecurity ranking for the entity based, at least in part, on a benchmarking of the entity's cybersecurity risk score against at least one other entity's cybersecurity risk score, where the entity and the at least one other entity are in the same category according to their size.
However, McGovern teaches that a size of a system or entity may be determined [McGovern, paragraph 18] and further determine a score for a risk, although not specific in comparing to another entity of the same size, as a size of an entity is tracked the comparison would be obvious to accomplish [McGovern, paragraphs 50-51 and 58-59].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the size of entities being monitored and further comparing a score of similar size entities as one of the variables.

Regarding claim 3, Sidagni-Ide-McGovern further discloses
monitoring one or more sources of the data indicative of cybersecurity threats to the entity in real-time [McGovern, paragraph 24]; and
generating an alert based on changes to the cybersecurity risk score of the entity based on the monitoring [McGovern, paragraph 24, early warning].

Regarding claim 4, Sidagni-Ide-McGovern further discloses
predicting one or more breaches based on the monitoring [McGovern, paragraphs 50-52, summarizing the assessment conclusion].

Regarding claim 6, Sidagni-Ide-McGovern further discloses
normalizing the risk score based, at least in part, on the data indicative of cybersecurity threats to the entity and a size of the entity [McGovern, paragraph 56, scores may be normalized or transformed through weighting, aggregating, scaling, and paragraph 59].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the size of entities and provide a normalized score in order to compare the same type of entities for security purposes.

Regarding claim 13, Sidagni-Ide-McGovern further discloses
where the operations further comprise normalizing the cybersecurity risk score [McGovern, paragraph 56, scores may be normalized or transformed through weighting, aggregating, scaling, paragraph 59].

Regarding claim 20, Sidagni-Ide-McGovern further discloses
where at least a portion of the data indicative of cybersecurity threats to the entity is collected from publicly accessible data sources [McGovern, paragraph 18].


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM J GOODCHILD whose telephone number is (571)270-1589. The examiner can normally be reached M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/William J. Goodchild/
Primary Examiner, Art Unit 2433