DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The following is a Non-Final Office Action in response to communications received on December 04, 2019. Claims 1-11 are pending and addressed below.

Specification
For the record, Examiner acknowledges that the Specification submitted on December 04, 2019 has been accepted.

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: “700” in Fig. 7.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the 

Claim Objections
Claims 1 and 3-11 are objected to because of the following informalities:  
Claim 1 recites the phrase “A computerized-process for implementing Security Assessment For Enterprise (SAFE) Scoring Model comprising a: generating a cybersecurity model:”. It is suggested the phrase be amended to “A computerized-process for implementing Security Assessment For Enterprise (SAFE) Scoring Model comprising [[a]]: generating a cybersecurity model, wherein the generating comprises:” for clarity and consistency. Also, claim 1 recites the phrase “determining an External Score has weight wES.” It is suggested the phrase be amended to “determining an External Score [[has]] with weight wES” for clarity and consistency.
Claim 3 recites the phrase “The computerized method.” It is suggested the phrase be amended to “The computerized-process 
Claim 6 recites the phrase “wherein a machine learning method is used to generate a trained model is used to generate a cyber security recommendation.” It is suggested the phrase be amended to “wherein a machine learning method is used to generate a trained model which is used to generate a cyber security recommendation” for clarity and consistency.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2-11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 2 recites the limitations “a weighted Governance Policy Score, a weighted People Awareness Score, a weighted Cybersecurity Architecture Score, a weighted External Score and a weighted Technology Score.” Claim 1 previously recites determining the same claimed scores in claim 2 with a weight. Therefore, it is unclear if the weighted scores in claim 2 are the same as the weighted scores in claim 1 or if they are different scores. Dependent claims 3-11 are rejected for containing the same indefinite language as parent claim 2 without further remedying the indefinite language.
Claim 5 recites the limitation “the lab experiments.” There is insufficient antecedent basis for this limitation.
Claim 9 recites the limitation “the enterprise.” There is insufficient antecedent basis for this limitation. Claims 10 and 11 are rejected for similar reasons to claim 9. 
Claim 11 recites the limitation “the informational technology assets.” There is insufficient antecedent basis for this limitation.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-5 and 7-11 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claim 1 recites “generating a cybersecurity model: determining a Governance Policy Score with weight wGPS, determining a People Awareness Score with weight wPAS, determining a Cybersecurity Architecture Score with weight wCAS, determining an External Score has weight wES, and determining a Technology Score with weight wTS”. 
The limitations of determining the various scores to generate the model, as drafted, are a process that, under its broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of a generic computer. That is, other than reciting “computerized-process,” nothing in the claim limitations precludes the steps from practically being performed in the mind. For example, but for the “computerized-process” language, the various “determining” limitations in the context of this claim encompass the user manually calculating the various scores. The claim limitations, under their broadest reasonable interpretation, cover performance of the limitations in the mind but for the recitation of generic computer components. As 
This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element – a “computerized-process”. The computerized-process is recited at a high level of generality (i.e., as a generic computerized-process performing a generic computer function of determining various scores) such that it amounts to no more than merely applying the steps using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of a computerized-process to perform the determining steps amounts to no more than merely applying the steps using a generic computer component. Merely applying the steps using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.
Dependent claims 2-5 and 7-11 do not recite additional limitations to remedy ineligibility of parent claim 1. Therefore, claims 2-5 and 7-11 are also considered to be directed towards abstract ideas and are thus, not patent eligible.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 2 are rejected under 35 U.S.C. 103 as being unpatentable over Breier (“Security Evaluation Model based on the Score of Security Mechanisms”) in view of Yampolskiy et al. (U.S. Pub. No. 2016/0173521 and hereinafter referred to as Yampolskiy) in view of Cam (U.S. Pub. No. 2016/0248794).
As to claim 1, Breier discloses a computerized-process for implementing Security Assessment For Enterprise (SAFE) Scoring Model comprising a: 
generating a cybersecurity model (Abstract and sections 3.1-3.3, Breier teaches generating a model for security evaluation of an organization): 
determining a Governance Policy Score with weight wGPS (sections 3.1-3.3, Breier teaches calculating a weighted policy score), and 
determining a Technology Score with weight wTS (sections 3.1-3.3, Breier teaches calculating a weighted asset score.).
PAS, determining a Cybersecurity Architecture Score with weight wCAS, determining an External Score has weight wES as claimed. However, Yampolskiy does disclose 
determining a People Awareness Score with weight wPAS (paragraphs [0004], [0005], [0046], [0048]-[0051], Yampolskiy teaches determining a weighted score indicating a level of awareness of employees),
determining an External Score has weight wES (paragraphs [0004], [0005], [0053], [0054], [0065], [0067], [0070], [0075], Yampolskiy teaches determining a weighted score related to data breaches/leaks.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Breier with the teachings of Yampolskiy for determining the weighted people awareness and external score because this would increase accuracy and security. 
The combination of teachings between Breier and Yampolskiy does not specifically disclose determining a Cybersecurity Architecture Score with weight wCAS as claimed. However, Cam does disclose
determining a Cybersecurity Architecture Score with weight wCAS (paragraphs [0020]-[0021] and [0033]-[0034], Cam teaches calculating a weighted value based on security features employed by nodes.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified invention of 
As to claim 2, the combination of teachings between Breier, Yampolskiy, and Cam disclose the computerized-process of claim 1, wherein the cybersecurity model comprises a weighted Governance Policy Score (sections 3.1-3.3, Breier teaches calculating a weighted policy score), a weighted People Awareness Score (paragraphs [0004], [0005], [0046], [0048]-[0051], Yampolskiy teaches determining a weighted score indicating a level of awareness of employees), a weighted Cybersecurity Architecture Score (paragraphs [0020]-[0021] and [0033]-[0034], Cam teaches calculating a weighted value based on security features employed by nodes), a weighted External Score (paragraphs [0004], [0005], [0053], [0054], [0065], [0067], [0070], [0075], Yampolskiy teaches determining a weighted score related to data breaches/leaks) and a weighted Technology Score (sections 3.1-3.3, Breier teaches calculating a weighted asset score.).
Examiner supplies the same rationale for the combination of the references as in claim 1 above.

Claims 3, 4, 6, 8, 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Breier, Yampolskiy, and Cam as applied to claim 2 above, and further in view of Kothari et al. (U.S. Patent No. 7,752,125 and hereinafter referred to as Kothari).
As to claim 3, the combination of teachings between Breier, Yampolskiy, and Cam disclose the computerized method of claim 2. The combination of teachings between Breier, Yampolskiy, and Cam does not specifically disclose wherein the cybersecurity model is trained using a set of continuous feedback as claimed. However, Kothari does disclose
wherein the cybersecurity model is trained using a set of continuous feedback (col. 1 lines 16-18 and col. 7 lines 17-29, Kothari teaches continuously training a model with feedback related to enterprise risk assessment.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified invention of Breier with the teachings of Kothari for having the cybersecurity model be trained using a set of continuous feedback because this would increase accuracy and security.
As to claim 4, the combination of teachings between Breier, Yampolskiy, Cam and Kothari disclose the computerized method of claim 3, wherein the set of continuous feedback comprises a dataset provided by a set of experts based on field experience (col. 1 lines 16-18 and col. 7 lines 17-29, Kothari teaches continuously training with expert feedback.).
Examiner supplies the same rationale for the combination of the references as in claim 3 above.
As to claim 6, the combination of teachings between Breier, Yampolskiy, Cam and Kothari disclose the computerized method of claim 3, wherein a (sections 3.2, Breier teaches providing recommendations. paragraphs [0041], [0060] and [0087], Yampolskiy teaches providing recommendations and using machine learning.).
As to claim 8, the combination of teachings between Breier, Yampolskiy, Cam and Kothari disclose the computerized method of claim 3, wherein the Cybersecurity Architecture Score is derived from an analysis of a usage of specified enterprise level cybersecurity products used to provide a set of security controls (paragraphs [0020]-[0021] and [0033]-[0034], Cam teaches calculating a weighted value based on security features/products employed by nodes.).
As to claim 10, the combination of teachings between Breier, Yampolskiy, Cam and Kothari disclose the computerized method of claim 3, wherein the External score indicates a strength of the enterprise in cyber defense against a disclosure of security information from an external source (paragraphs [0004], [0005], [0053], [0054], [0065], [0067], [0070], [0075], Yampolskiy teaches determining a weighted score related to data breaches/leaks.).
As to claim 11, the combination of teachings between Breier, Yampolskiy, Cam and Kothari disclose the computerized method of claim 3, wherein the Technology Score is based on a risk associated with the informational technology assets of the enterprise (sections 3.1-3.3, Breier teaches calculating a weighted asset score.).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Breier, Yampolskiy, Cam and Kothari as applied to claim 3 above, and further in view of Kirsche et al. (U.S. Patent No. 11,182,695 and hereinafter referred to as Kirsche).
As to claim 5, the combination of teachings between Breier, Yampolskiy, Cam and Kothari disclose the computerized method of claim 3. The combination of teachings between Breier, Yampolskiy, Cam and Kothari does not specifically disclose wherein the set of continuous feedback comprises a dataset provided by a set of the lab experiments as claimed. However, Kirsche does disclose
wherein the set of continuous feedback comprises a dataset provided by a set of the lab experiments (col. 5 lines 57-64 and col. 6 line 22 – col. 7 line 6, Kirsche teaches feedback training a model using experiment results.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified invention of Breier with the teachings of Kirsche for having the set of continuous feedback comprise a dataset provided by a set of the lab experiments because this would increase accuracy and security.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Breier, Yampolskiy, Cam and Kothari as applied to claim 3 above, and further in view of Tiller et al. (U.S. Patent No. 7,299,504 and hereinafter referred to as Tiller).
As to claim 7, the combination of teachings between Breier, Yampolskiy, Cam and Kothari disclose the computerized method of claim 3. The combination of teachings between Breier, Yampolskiy, Cam and Kothari does not specifically 
wherein the Governance Policy Score comprises a scoring of a set of Governance Policies derived from a set of auditor reports (col. 10 lines 1-15 and lines 42-62, Tiller teaches determining a policy score based on auditor assessments.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified invention of Breier with the teachings of Tiller for having the Governance Policy Score comprise scoring of a set of Governance Policies derived from a set of auditor reports because this would increase accuracy and security.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Breier, Yampolskiy, Cam and Kothari as applied to claim 3 above, and further in view of Hawthorn et al. (U.S. Pub. No. 2017/0244746 and hereinafter referred to as Hawthorn).
As to claim 9, the combination of teachings between Breier, Yampolskiy, Cam and Kothari disclose the computerized method of claim 3. The combination of teachings between Breier, Yampolskiy, Cam and Kothari does not specifically disclose wherein the People Awareness Score comprises an assessment of an Information Security Awareness Campaigns launched in the enterprise with an intent to train employees to govern their actions in various situations that makes 
wherein the People Awareness Score comprises an assessment of an Information Security Awareness Campaigns launched in the enterprise with an intent to train employees to govern their actions in various situations that makes the enterprise vulnerable to a cyber-attack (paragraphs [0004], [0007] and [0116], Hawthorn teaches a risk score related to training employees.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified invention of Breier with the teachings of Hawthorn for having the People Awareness Score comprise an assessment of an Information Security Awareness Campaigns launched in the enterprise with an intent to train employees to govern their actions in various situations that makes the enterprise vulnerable to a cyber-attack because this would increase security.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Yu (U.S. Pub. No. 2017/0180408) – cited for teaching security scores for assessing the efficacy of security technologies – paragraph [0038]
Vinnakota et al. (U.S. Pub. No. 2016/0012360) – cited for teaching assessing security governance of an enterprise – paragraph [0006]

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THADDEUS J PLECHA whose telephone number is (571)270-7506. The examiner can normally be reached M-F 8-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/THADDEUS J PLECHA/Examiner, Art Unit 2438