Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the original filing of May 7, 2020 and the examiner-initiated interview of February 28, 2022.  Claims 1-22 are pending and have been considered below.

Status of Claims
The following claims have been amended and/or cancelled via examiner's amendment: Claims 1, 7 and 20 have been amended. Claims 2, 4, 10, 11, 14 and 21 have been cancelled.

Allowable Subject Matter
Claims 1, 3, 5-9, 12, 13, 15-20 and 22 are allowed. 

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Mr. Christopher Duncan, Reg. No. 64,287 on 02/28/2022. An agreement was made on 03/10/2022.   

1.  	(Currently Amended) A method of mitigating cybersecurity vulnerability of a system, comprising:
generating one or more solution candidates for improving the cybersecurity of a system based on a prioritization of cybersecurity maturity criteria and a current cybersecurity maturity of the system, wherein the prioritization is based on rankings and relative weights for security controls of the cybersecurity maturity criteria, and wherein the relative weights for the respective cybersecurity maturity criteria are determined using a rank-weight approach;
for the respective solution candidates, quantifying a transition difficulty to change from the current cybersecurity maturity of the system to a cybersecurity maturity specified by the solution candidate, wherein quantifying the transition difficulty comprises
calculating a present state value reflecting the current cybersecurity maturity of the system,
determining an implementation state value representing implementation of the maturity levels specified by the solution candidate, and
determining a transition state value representing a transition from the present state value to the implementation state value; and
based on the transition difficulties and solution candidates, sending a signal to cause a modification of the system to improve the cybersecurity maturity of the system.

2.  	(Cancelled)

3.  	(Original) The method of claim 1, wherein the prioritization is based on dependencies among security controls of the cybersecurity maturity criteria.

4.	 (Cancelled)

5.	 (Original) A computer-readable storage device storing computer-executable instructions that, when executed by a computer, cause the computer to perform the method of claim 1.

6.  	(Original) The method of claim 1, wherein the system is an energy distribution system, and wherein the signal is sent to a controller associated with the energy distribution system.


determining a current cybersecurity maturity of the system based on cybersecurity maturity criteria;
ranking the cybersecurity maturity criteria based on importance of the criteria, wherein the ranking comprises determining relative weights for the cybersecurity maturity criteria using a rank-weight analysis, and wherein the rank-weight analysis comprises at least one of a rank sum analysis, a reciprocal rank analysis, a rank exponent analysis, or a rank order centroid analysis; 
determining, based on the ranked cybersecurity maturity criteria, a plurality of solution candidates for increasing the cybersecurity maturity of the system to a cybersecurity maturity goal, wherein the respective solution candidates specify maturity levels for the respective cybersecurity maturity criteria;
calculating a present state value reflecting the current cybersecurity maturity of the system, wherein the present state value is based on current maturity levels for the cybersecurity maturity criteria;
for the respective solution candidates:
determining an implementation state value representing implementation of the maturity levels specified by the solution candidate; and

based on the transition state values, selecting a solution candidate for use with the system; and
generating a cybersecurity vulnerability mitigation recommendation for modifying the system based on the solution candidate.

8.	(Original) The method of claim 7, further comprising applying one or more filters to the ranked cybersecurity maturity criteria and the cybersecurity maturity goal for the system, and wherein the plurality of solution candidates are determined based on outputs of the applied filters.

9.  	(Original) The method of claim 8, wherein the applied filters consider at least one of: maturity indicator levels of security controls of the respective cybersecurity maturity criteria, time constraints, or resource constraints.

10-11.  (Cancelled)

12.  	(Original) The method of claim 7, further comprising generating a data visualization representing the cybersecurity vulnerability mitigation recommendation.



14.  	(Cancelled)

15.  	(Original) The method of claim 7, wherein the respective cybersecurity maturity criteria comprise one or more controls, the method further comprising determining dependencies among controls, wherein the dependencies are used in determination of the implementation state values and transition state values. 

16.	(Original) The method of claim 7, wherein the current cybersecurity maturity of the system is determined at least in part based on data obtained by one or more sensors associated with the system.

17.	(Original) The method of claim 7, wherein the respective cybersecurity maturity criteria comprise one or more security controls, wherein the security controls have an integer maturity level range between one and four, and wherein the system is modified to reflect the selected solution candidate based on security controls of the selected solution candidate that have transitioned to a value of four. 

18.	(Original) The method of claim 7, further comprising modifying the system based on the cybersecurity vulnerability mitigation recommendation.

19.	(Original) The method of claim 18, wherein modifying the system comprises at least one of:  requiring a password, restricting user access, implementing a firewall, implementing or modifying encryption techniques, or modifying user accounts.   

20.  	(Currently Amended) A cybersecurity vulnerability mitigation system, comprising:
a processor; and 
one or more computer-readable storage media storing computer-readable instructions that, when executed by the processor, cause the system to perform operations comprising:
performing a cybersecurity maturity assessment for the system, the assessment identifying current maturity levels for security controls of cybersecurity maturity criteria;
identifying a cybersecurity maturity goal for the system;
prioritizing the cybersecurity maturity criteria, wherein prioritizing comprises ranking the cybersecurity maturity criteria and determining relative weights for the respective criteria using a rank-weight approach;

for the respective solution candidates, quantifying a transition difficulty of modifying the maturity levels of the security controls to the maturity levels specified in the solution candidate, wherein quantifying the transition difficulty comprises:
calculating a present state value reflecting a current cybersecurity maturity of the system,
determining an implementation state value representing implementation of the maturity levels specified by the solution candidate, and
determining a transition state value representing a transition from the present state value to the implementation state value;
based on the transition difficulties, selecting one or more of the solution candidates for use in increasing the cybersecurity maturity of the system; and
generating a data visualization representing the one or more selected solution candidates.
 

	
22.	 (Original) The system of claim 20, wherein the mitigating further comprises determining dependencies among the security controls, wherein the dependencies are used in determination of the quantification of the implementation difficulties. 
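Claims 1, 7 and 20 each recite relative weights for ranked cybersecurity maturity criteria determined by a "rank-weight approach", and claim 7 names the four candidate analyses (rank sum, reciprocal rank, rank exponent, rank order centroid). The following Python is an added illustration of those four standard rank-weight formulas; it is not code from the application, the applicant or the examiner. The criterion names, the ranking, the maturity levels and the weighted-score aggregate (a simple weighted mean on the 1-4 level scale of claim 17) are assumptions made for the example; this action does not define how the application's own present state value is computed.

```python
"""Rank-weight formulas named in claim 7, applied to ranked criteria.

Added example, not code from the application. Criteria, ranking and the
weighted-score aggregate below are constructed for illustration only.
"""

from typing import Callable, Dict, List

# Each method maps (n criteria, rank r with 1 = most important) to a raw
# score; weights are the raw scores normalised to sum to 1.


def rank_sum(n: int, r: int) -> float:
    return float(n - r + 1)


def reciprocal_rank(n: int, r: int) -> float:
    return 1.0 / r


def rank_exponent(n: int, r: int, p: float = 2.0) -> float:
    # p = 1 reduces to rank sum; p = 0 gives equal weights.
    return float(n - r + 1) ** p


def rank_order_centroid(n: int, r: int) -> float:
    # ROC weight: (1/n) * sum_{k=r}^{n} 1/k
    return sum(1.0 / k for k in range(r, n + 1)) / n


METHODS: Dict[str, Callable[..., float]] = {
    "rank_sum": rank_sum,
    "reciprocal_rank": reciprocal_rank,
    "rank_exponent": rank_exponent,
    "rank_order_centroid": rank_order_centroid,
}


def rank_weights(ranked: List[str], method: str = "rank_sum", **kw) -> Dict[str, float]:
    """Relative weights for criteria listed from most to least important.

    ranked[0] has rank 1. Returned weights are normalised to sum to 1.0.
    """
    if method not in METHODS:
        raise ValueError(f"unknown rank-weight method: {method}")
    if not ranked:
        raise ValueError("at least one criterion is required")
    if len(ranked) != len(set(ranked)):
        raise ValueError("criteria must be unique")
    n = len(ranked)
    raw = [METHODS[method](n, r, **kw) for r in range(1, n + 1)]
    total = sum(raw)
    return {c: v / total for c, v in zip(ranked, raw)}


def weighted_maturity(weights: Dict[str, float], levels: Dict[str, int],
                      min_level: int = 1, max_level: int = 4) -> float:
    """Assumed aggregate: weighted mean of integer maturity levels (1-4).

    This is an illustrative present-state score, not the application's
    formula. Rejects levels outside the integer range of claim 17.
    """
    if set(weights) != set(levels):
        raise ValueError("weights and levels must cover the same criteria")
    for c, lvl in levels.items():
        if not isinstance(lvl, int) or not (min_level <= lvl <= max_level):
            raise ValueError(f"level for {c!r} must be an integer in "
                             f"[{min_level}, {max_level}], got {lvl!r}")
    return sum(weights[c] * levels[c] for c in weights)


# Constructed sample: four criteria already ranked by importance, and
# constructed current maturity levels for each.
CRITERIA = ["access_control", "encryption", "firewall", "account_management"]
CURRENT_LEVELS = {"access_control": 2, "encryption": 3,
                  "firewall": 1, "account_management": 4}


def compare_methods(ranked: List[str] = CRITERIA) -> Dict[str, Dict[str, float]]:
    """Weights from all four methods side by side for the same ranking."""
    return {m: rank_weights(ranked, m) for m in METHODS}


if __name__ == "__main__":
    for method, w in compare_methods().items():
        print(f"{method:20s}", {c: round(v, 4) for c, v in w.items()})
    w = rank_weights(CRITERIA, "rank_sum")
    print("weighted maturity (rank sum):", weighted_maturity(w, CURRENT_LEVELS))
```

The four methods differ in how steeply weight falls off with rank: rank sum is linear, rank order centroid and reciprocal rank concentrate more weight on the top-ranked criterion, and rank exponent is tunable through `p`. Because all four are normalised from the same ordinal ranking, swapping the method changes the relative weights but never the order, which is the property that makes a rank-weight approach usable when only a ranking, not absolute importances, is available.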


Examiner's Statement of Reasons for Allowance
The following is a statement of reasons for the indication of allowable subject matter:  
Regarding Claims 1, 7 and 20:
Bennett et al., U.S. 8,516,594 B2, is directed toward a system in which various baseline security measurements of assets are collected and calculated. A user creates a what-if scenario by changing one or more baseline security measurements. The system generates interactive, animated graphs that compare the baseline security measurements against the what-if scenario.
Zandani, U.S. 9,426,169 B2, is directed toward a method for cyber-attack risk assessment, the method including operating at least one hardware processor for: collecting global cyber-attack data from a networked resource; collecting organizational profile data from a user, wherein the organizational profile data includes: types of computerized defensive controls employed by the organization, a maturity of each of the computerized defensive controls, and organizational assets
Hill et al., US 8,256,004 B1, teaches a method of identifying threats to an organization and developing a risk score for each of the threats to develop a threat portfolio. A maturity portfolio is developed with a maturity level for controlling maturity levels, where the maturity model comprises a Control Objectives for Information and related Technology (COBIT) maturity model or a capability maturity model (CMM). A processor is configured to perform the function of mapping information from the threat portfolio to the maturity portfolio to develop a control portfolio.
Milman et al., US 2014/0143879 A1, is directed toward a gap analysis performed on the security capabilities of a computer system compared to a desired or targeted security model according to one or more security requirements, by providing a data structure of security capabilities of a computer system under analysis, wherein each capability is classified in a formal security capability reference model with a mean having a set of attributes and a goal; determining the security capabilities of the deployed system-under-analysis; matching the security capabilities of the deployed system-under-analysis with the security capabilities defined in the data structure; and determining one or more gaps in security capabilities.
Baudoin et al., US 2004/0010709 A1, is cited for teaching a method for assessing an information security policy and practice of an organization, including determining a risk associated with the information security policy and practice, collecting information about the information security policy and practice, generating a rating using a security maturity assessment matrix, the collected information, and the risk associated with the information security policy and practice, generating a list of corrective actions using the rating, executing the list of corrective actions to create a new security information policy and practice, and monitoring the new security information policy and practice.
Francoeur, US 9,294,495 B1, is cited for teaching a system that evaluates a security level of a network system. Additionally, the examples described therein evaluate a security level of a network system in order to enable a determination of components that can be used to enhance the security level of the network system.
The above prior art references of record do not teach or render obvious the limitations as recited in independent claims 1, 7 and 20 as amended.
Regarding claims 3, 5, 6, 8, 9, 12, 13, 15-19 and 22, the claims are allowable based at least on their depending from an allowable claim.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685.  The examiner can normally be reached from 6:30 to 3:00.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




Friday, March 18, 2022

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436