DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Election/Restrictions
Applicant’s election without traverse of  Group I (claims 1-21) in the reply filed on 02/07/2022 is acknowledged.

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119 and/or 35 U.S.C. 120 is acknowledged. 

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 04/14/2021, 03/02/2021, and 12/30/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Status of Claims
The following is a Non-Final Office Action in response to response filed on 02/07/2022.
Claims 22-29 are withdrawn. Claims 1-21 re considered in this Office Action. Claims 1-21 are currently pending. 

Specification
The disclosure is objected to because it contains an embedded hyperlink and/or other form of browser-executable code. See specification page 42 line 25. Applicant is required to delete the embedded hyperlink and/or other form of browser-executable code; references to websites should be limited to the top-level domain name without any prefix such as http:// or other browser-executable code. See MPEP § 608.01.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-patentable subject matter.  The claims are directed to an abstract idea without significantly more.
Claims 1-21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  The judicial exception is not integrated into a practical application.  The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception.  The eligibility analysis in support of these findings is provided below, in accordance with the “2019 Revised Patent Subject Matter Eligibility Guidance” (published on 1/7/2019 in Fed. Register, Vol. 84, No. 4 at pgs. 50-57, hereinafter referred to as the “2019 PEG”).
With respect to Step 1 of the eligibility inquiry (as explained in MPEP 2106), it is first noted that the method (claims 1-18) and method (claim 20) are directed to an eligible categories of subject matter (i.e., process, machine, and article of manufacture respectively).  Thus, Step 1 is satisfied. However, claims 19 and 21 are directed to “A computer-readable storage device storing computer-executable instructions that, when executed by a computer, cause the computer to,” The broadest reasonable interpretation of a claim Nuijten, 500 F.3rd 1346, 1356-57. Therefore claim 19 and 21 do not fall within one of the statutory categories under §101 and therefore the claim fails Step 1 of the eligibility inquiry.  However, because claims 19 and 21 could be amended to include the term “non-transitory" to the Claims to satisfy Step 1, the claims are further analyzed (along with claims 1-9) under Step 2 of the eligibility inquiry.
With respect to Step 2, and in particular Step 2A Prong One of 2019 PEG, it is next noted that the claims recite an abstract idea by reciting concepts that can be performed in the human mind or by pen and paper such as   observations, evaluations, judgments, and opinions, which falls into the “Mental processes” group within the enumerated groupings of abstract ideas set forth in the 2019 PEG. The limitations reciting the abstract idea are highlighted in italics and the limitation directed to additional elements highlighted in bold, as set forth in exemplary claim 1, are: A method, comprising: accessing an organizational framework describing an organization, wherein the organizational framework comprises one or more relational matrices defining matrixed interdependencies between business functions, business processes, engineering applications, assets, responsible entities, and facilities of the organization; and using the relational matrices to compute a criticality of an asset, engineering application, or business process, and using a computed criticality to compute a value at risk or a value of a consequence to the organization. Method claim 19 recites substantially the same limitation as computer program product claim 1 and therefore subject to the same rationale.  
The limitations reciting the abstract idea are highlighted in italics and the limitation directed to additional elements highlighted in bold, as set forth in exemplary claim 20, are: A method, comprising: Page 5 of 831694-EAttorney Reference Number 23-104960-01 Application Number 17/067,374 providing an organizational framework comprising a set of matrixed interdependencies between one or more cybersecurity maturity models, responsible business functions and business processes, engineering applications, assets, responsible entities, and facilities of the organization; propagating a cybersecurity threat scenario through the assets of the organizational framework; and quantifying a risk to assets and engineering applications impacted by the cybersecurity threat scenario based on a consequence score derived from asset and engineering application criticalities. Method claim 21 recites substantially the same limitation as computer program product claim 20 and therefore subject to the same rationale.  
With respect to Step 2A Prong Two of the 2019 PEG, the judicial exception is not integrated into a practical application.  The additional elements are directed to a computer-readable storage device storing computer-executable instructions that, when executed by a computer, cause the computer to perform to implement the abstract idea.  However, these elements fail to integrate the abstract idea into a practical application because they fail to provide an improvement to the functioning of a computer or to any other technology or technical field, fail to apply the exception with a particular machine, fail to effect a transformation of a particular article to a different state or thing, and fail to apply/use the abstract idea in a meaningful way beyond generally linking the use of the judicial exception to a particular technological environment. Furthermore, these elements have been fully considered, however they are directed to the use of generic computing elements (Applicant’s Specification paragraph, “Fig. 10 … The processing units 1010, 101515 execute computer-executable instructions. A processing unit can be a general-purpose central processing unit (CPU), processor in an application-specific integrated circuit (ASIC), or any other type of processor. In a multi-processing system, multiple processing units execute computer-executable instructions to increase processing power”) to perform the abstract idea, which is not sufficient to amount to a practical application (as noted in the 2019 PEG) and is tantamount to simply saying “apply it” using a general purpose computer, which merely serves to tie the abstract idea to a particular technological environment (computer based operating environment) by using the computer as a tool to perform the abstract idea, which is not sufficient to amount to particular application.  
Accordingly, because the Step 2A Prong One and Prong Two analysis resulted in the conclusion that the claims are directed to an abstract idea, additional analysis under Step 2B of the eligibility inquiry must be conducted in order to determine whether any claim element or combination of elements amount to significantly more than the judicial exception.
With respect to Step 2B of the eligibility inquiry, it has been determined that the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception.  The additional limitations are directed to: a computer-readable storage device storing computer-executable instructions that, when executed by a computer, cause the computer to perform.  These elements have been considered, but merely serve to tie the invention to a particular operating environment (i.e., computer-based implementation), though at a very high level of generality and without imposing meaningful limitation on the scope of the claim.  In addition, Applicant’s Specification (“Fig. 10 … The processing units 1010, 101515 execute computer-executable instructions. A processing unit can be a general-purpose central processing unit (CPU), processor in an application-specific integrated circuit (ASIC), or any other type of processor. In a multi-processing system, multiple processing units execute computer-executable instructions to increase processing power”) describe generic off-the-shelf computer-based elements for implementing the claimed invention, and which does not amount to significantly more than the abstract idea, which is not enough to transform an abstract idea into eligible subject matter.  Such generic, high-level, and nominal involvement of a computer or computer-based elements for carrying out the invention merely serves to tie the abstract idea to a particular technological environment, which is not enough to render the claims patent-eligible, as noted at pg. 74624 of Federal Register/Vol. 79, No. 241, citing Alice, which in turn cites Mayo.  
In addition, when taken as an ordered combination, the ordered combination adds nothing that is not already present as when the elements are taken individually.  There is no indication that the combination of elements integrate the abstract idea into a practical application.  Their collective functions merely provide conventional computer implementation. Therefore, when viewed as a whole, these additional claim elements do not provide meaningful limitations to transform the abstract idea into a practical application of the abstract idea or that the ordered combination amounts to significantly more than the abstract idea itself.
The dependent claims have been fully considered as well, however, similar to the finding for claims above, these claims are similarly directed to the abstract idea of a mental process, without integrating it into a practical application and with, at most, a general purpose computer that serves to tie the idea to a particular technological environment, which does not add significantly more to the claims.  The ordered combination of elements in the dependent claims (including the limitations inherited from the parent claim(s)) add nothing that is not already present as when the elements are taken individually.  There is no indication that the combination of elements improves the functioning of a computer or improves any other technology.  Their collective functions merely provide conventional computer implementation.  Accordingly, the subject matter encompassed by the dependent claims fails to amount to significantly more than the abstract idea.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 1-6, 9-13, and 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over Corey J. Smart (US 2015/0347480 A1, hereinafter “Smart”) in view of Nikon Rasumov (US 2017/0236078 A1, hereinafter “Rasumov”).
Claim 1/19
Smart teaches:
A method, comprising: accessing an organizational framework describing an organization, wherein the organizational framework comprises one or more relational matrices defining matrixed interdependencies between business functions, business processes, engineering applications, assets, responsible entities, and facilities of the organization (ABSTRACT; paragraphs 0012-0014 describes a knowledge model and construction of a an overly structure. The construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e.,  business functions, business processes, engineering applications, assets, facilities of the organization (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements. [0207-0208] and [0212] describes A computer-readable storage device storing computer-executable instructions that, when executed by a computer, cause the computer to perform functions. Examiner Notes: business functions, business processes, engineering applications, assets, responsible entities, and facilities are descriptive labels); and using the relational matrices to compute a criticality of an asset, engineering application, or business process, and using a computed criticality to compute a value at … or a value of a consequence to the organization (paragraph 0048 describes while analytic work performed by a person is generally considerably richer than that of a machine, a computer is particularly adept at examining exceptionally large volumes of entities and relationships for specific patterns. When knowledge is aggregated in this fashion, analytic yield increases significantly once a “critical mass” is reached, as shown in FIG. 2. Paragraph 0050 the notion of analytic yield characterizes the number of computational inferences that an analytic engine could potentially perform given a specific knowledge base. Analytic yield is thus likened to potential energy (or work) in physics and can be computed via formula (i.e., a value)).
While Smart teaches in 0014 the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e., assets (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, it does not explicitly teach the use of Purdue reference model to categorize data and in 0048 describes while analytic work performed by a person is generally considerably richer than that of a machine, a computer is particularly adept at examining exceptionally large volumes of entities and relationships for specific patterns. When knowledge is aggregated in this fashion, analytic yield increases significantly once a “critical mass” is reached, as shown in FIG. 2. Paragraph 0050 the notion of analytic yield characterizes the number of computational inferences that an analytic engine could potentially perform given a specific knowledge base. Analytic yield is thus likened to potential energy (or work) in physics and can be computed via formula (i.e., a value), it does not explicitly teach the following, however analogous reference, in the field of data organization and analysis, Rasumov teaches:
using the relational factors to compute a value at risk or a value of a consequence to the organization ([0018] a scorecard system may be used to calculate the cybersecurity risk score based on discovered relationships. The scorecard system may use the calculated cybersecurity risk score to determine ranking, percentile, and other detailed cybersecurity risk information about the entity, and this information may be used to determine how various relationships that the entity has with third parties impact the entity's cybersecurity risk. Additionally, the cybersecurity risk score calculated according to embodiments may provide information that may be used by third parties to assess the cybersecurity risk of the entity in connection with establishing a relationship with the entity).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teaching of Smart incorporate the teachings of Rasumov to use the relational factors to compute a value at risk or a value of a consequence to the organization, because doing so would help in determining risk associated with an organization and take steps in preventing it.

Claim 2
Smart further teaches:
The method of claim 1, wherein the organization is an energy utility organization (paragraph 0062 the solution knowledge framework provides a method for constructing and analyzing multi-disciplinary models of large complex systems (e.g. global communication, energy, and transportation infrastructure; world population systems)).  

Claim 3
Smart further teaches:
The method of claim 1, further comprising: categorizing and identifying the business functions and business processes of the organization based on inputs to the organization (paragraph 0063 describes within framework, the solution characterizes all entities that access the knowledge space as knowledge producers and/or knowledge consumers. The solution uses the term analytic to describe either of these roles. Producers are analytics that enrich the knowledge space through the transformation of data sources. Each of the transformations in the theory set Γ above have a knowledge producer role. In contrast, many end-user applications' needs only consume this knowledge, such as visualization tools, trend analyzers, and alerting functions. Each of the functions in the interpretation set above have a knowledge consumer role. Some analytics may exhibit dual roles, both producing and consuming knowledge. Contextual analytics that perform a model transformation based on input data and existing model state are an example of a dual knowledge consumer/producer. Similarly, ‘pure’ analytics (i.e. those that interact only with the knowledge space) that produce new knowledge based solely on consumption and theorization of the existing model are another dual example); and constructing a first relational matrix of the one or more relational matrices defining dependencies between the business functions and business processes (paragraph 0017 describes  receiving a first data set from a first data source at a first of multiple hypergraph servers; graphing by the first hypergraph server first data from the first data set in a knowledge hypergraph in accordance with a knowledge model (M), the knowledge hypergraph being defined by hypergraph elements including hypervertices and hyperedges, wherein attributes of the first data are represented in the hypergraph by first state vectors affixed to one or more hypergraph elements(business functions and business processes)).  

Claim 4
Smart further teaches:
The method of claim 3, further comprising: annotating as a business function each input that is part of an organizational objective and annotating as a business process each input that enables a business function of the organization(paragraph 0065 the solution enables information attributes to be attached to any hypergraph element. Using this attribute mechanism, hypergraph elements can be richly annotated with weights, color, or more general name-value attribute pairs. The representation of entity/relationship state vectors may be readily embedded in this structure. This attributed hypergraph structure was specifically chosen as it enables dense representation of the broadest range of complex semantic relationships. Whereas a sizable portion of the current knowledge representation industry is restricted to subject-predicate-object expressions (e.g. RDF triples), the solution's relationship structure enables any number of entities (represented as hypergraph vertices) to be contained in a single relationship (represented as a hypergraph edge)); for each input annotated as a business process that is used to fulfill a business function, identifying all relevant business functions and relating the business process to the business functions such that each identified business function is an output of the business process(paragraphs 0065-67 the solution employs hypergraph element polymorphism enabling hypergraph edges to behave as hypergraph vertices, and hypergraph vertices to behave as hypergraph edges. A depiction of all of the solution's hypergraph elements is shown in FIG. 5. Using the hypergraph formulation, for example, the family relationship of five people can be represented with five graph vertices (one for each family member) and a single hypergraph edge versus six traditional graph vertices (one for each family member and one special vertex for the family) and five graph member edges. In the solution hypergraph domain, the hypergraph edge representing the family relationship can then in turn be captured as a single hypervertex representation of the aggregate family unit for use in other model relationships. This yields a very compact, simple structure for representing a wide range of complex relationships); and for each input annotated as a business process that is not used to fulfill a business function but does use the business function as an input to generate a new output, identifying all relevant business functions and relate the business process to the business functions such that each identified business function is an input to the business process(paragraphs 0065-67 the solution employs hypergraph element polymorphism enabling hypergraph edges to behave as hypergraph vertices, and hypergraph vertices to behave as hypergraph edges. A depiction of all of the solution's hypergraph elements is shown in FIG. 5. Using the hypergraph formulation, for example, the family relationship of five people can be represented with five graph vertices (one for each family member) and a single hypergraph edge versus six traditional graph vertices (one for each family member and one special vertex for the family) and five graph member edges. In the solution hypergraph domain, the hypergraph edge representing the family relationship can then in turn be captured as a single hypervertex representation of the aggregate family unit for use in other model relationships. This yields a very compact, simple structure for representing a wide range of complex relationships).  

Claim 5
Smart further teaches:
The method of claim 1, further comprising:  identifying engineering applications of the organization based on the inputs, including identifying sequences of steps of engineering consequences for the engineering applications([0017]  receiving a second data set from a second data source at a second of multiple hypergraph servers, while fig. 4 and [0065]  instances of knowledge concepts (model nodes) and conceptual relationships (model links) are represented as hypergraph vertices and hypergraph edges, respectively. The solution enables information attributes to be attached to any hypergraph element. Using this attribute mechanism, hypergraph elements can be richly annotated with weights, color, or more general name-value attribute pairs. The representation of entity/relationship state vectors may be readily embedded in this structure. This attributed hypergraph structure was specifically chosen as it enables dense representation of the broadest range of complex semantic relationships); and constructing a second relational matrix of the one or more relational matrices defining interconnections between the business processes and the sequence steps of the engineering applications (0017 graphing by the second hypergraph server second data from the second data set in the hypergraph, wherein attributes of the second data are represented in the hypergraph by second state vectors affixed to one or more hypergraph elements, [0065]  instances of knowledge concepts (model nodes) and conceptual relationships (model links) are represented as hypergraph vertices and hypergraph edges, respectively. The solution enables information attributes to be attached to any hypergraph element. Using this attribute mechanism, hypergraph elements can be richly annotated with weights, color, or more general name-value attribute pairs. The representation of entity/relationship state vectors may be readily embedded in this structure. This attributed hypergraph structure was specifically chosen as it enables dense representation of the broadest range of complex semantic relationships).  

Claim 6
Smart further teaches:
The method of claim 5, further comprising: identifying the engineering applications, including engineering applications that enable the business processes ([0013] and [0015] the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities (e.g. people, computers, cities, Earth) and their complex interdependencies (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements (i.e. both hypervertices and hyperedges), wherein the development of this design was driven by pragmatic engineering constraints to ensure practical implementation and performance, given current and emerging computational resources and technology. the approach is directed at hypergraph representation of macroscopic entities and their relationships (e.g. people, cities, social networks, cyberspace).); identifying the sequences of engineering consequences for each of the identified engineering applications (([0013] the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities (e.g. people, computers, cities, Earth) and their complex interdependencies (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements (i.e. both hypervertices and hyperedges). Transformation of source system data into this overlay structure is accomplished with minimal data movement and replication. Rather, the overlay structure is populated using a universal “pointer” like mechanism that is managed in a decentralized fashion by the respective transformation components. Access to the knowledge overlay is performed via a hypergraph communication protocol. This protocol was specifically designed with formal mathematical verification in mind to enable extremely robust security and “black box” privacy isolation technique); verifying a logical integrity of each sequence by (a) annotating each step of the sequence as a pre-requisite for subsequent steps in the sequence where failure of the step disables execution of the subsequent steps and (b) annotating each step of the sequence as having previous steps operating as pre-requisites for the step where failure of the step does not disable execution of subsequent steps of the sequence(para. [0065] instances of knowledge concepts (model nodes) and conceptual relationships (model links) are represented as hypergraph vertices and hypergraph edges, respectively. The solution enables information attributes to be attached to any hypergraph element. Using this attribute mechanism, hypergraph elements can be richly annotated with weights, color, or more general name-value attribute pairs. The representation of entity/relationship state vectors may be readily embedded in this structure. This attributed hypergraph structure was specifically chosen as it enables dense representation of the broadest range of complex semantic relationships. Whereas a sizable portion of the current knowledge representation industry is restricted to subject-predicate-object expressions (e.g. RDF triples), the solution's relationship structure enables any number of entities (represented as hypergraph vertices) to be contained in a single relationship (represented as a hypergraph edge)); and annotating verified steps as engineering-only engineering consequences where no business consequence is associated with the step and mapping and annotating verified steps with business consequences where business consequences and engineering consequences are associated with the steps(para. [0065] instances of knowledge concepts (model nodes) and conceptual relationships (model links) are represented as hypergraph vertices and hypergraph edges, respectively. The solution enables information attributes to be attached to any hypergraph element. Using this attribute mechanism, hypergraph elements can be richly annotated with weights, color, or more general name-value attribute pairs. The representation of entity/relationship state vectors may be readily embedded in this structure. This attributed hypergraph structure was specifically chosen as it enables dense representation of the broadest range of complex semantic relationships. Whereas a sizable portion of the current knowledge representation industry is restricted to subject-predicate-object expressions (e.g. RDF triples), the solution's relationship structure enables any number of entities (represented as hypergraph vertices) to be contained in a single relationship (represented as a hypergraph edge)).

Claim 9
Smart further teaches:
The method of claim 1, further comprising identifying business consequences and annotating sequence steps of the engineering applications with identified business consequences where a failure of the step produces the identified business consequences (To achieve its scalability and application generality, the solution utilizes a hypergraph knowledge representation structure for M. Instances of knowledge concepts (model nodes) and conceptual relationships (model links) are represented as hypergraph vertices and hypergraph edges, respectively. The solution enables information attributes to be attached to any hypergraph element. Using this attribute mechanism, hypergraph elements can be richly annotated with weights, color, or more general name-value attribute pairs. The representation of entity/relationship state vectors may be readily embedded in this structure. This attributed hypergraph structure was specifically chosen as it enables dense representation of the broadest range of complex semantic relationships. Whereas a sizable portion of the current knowledge representation industry is restricted to subject-predicate-object expressions (e.g. RDF triples), the solution's relationship structure enables any number of entities (represented as hypergraph vertices) to be contained in a single relationship (represented as a hypergraph edge)).  

Claim 10
Smart further teaches:
The method of claim 1, further comprising identifying business consequences by annotating engineering sequence steps that result in an identified or unidentified business loss(To achieve its scalability and application generality, the solution utilizes a hypergraph knowledge representation structure for M. Instances of knowledge concepts (model nodes) and conceptual relationships (model links) are represented as hypergraph vertices and hypergraph edges, respectively. The solution enables information attributes to be attached to any hypergraph element. Using this attribute mechanism, hypergraph elements can be richly annotated with weights, color, or more general name-value attribute pairs. The representation of entity/relationship state vectors may be readily embedded in this structure. This attributed hypergraph structure was specifically chosen as it enables dense representation of the broadest range of complex semantic relationships. Whereas a sizable portion of the current knowledge representation industry is restricted to subject-predicate-object expressions (e.g. RDF triples), the solution's relationship structure enables any number of entities (represented as hypergraph vertices) to be contained in a single relationship (represented as a hypergraph edge)).  
Claim 11 
Smart further teaches:
The method of claim 10, wherein the identified business loss includes a loss of load, an infrastructure loss, and/or a standards violation([0161] describes different layers of the framework such as the Layer A—Layer B trust boundary, a Layer B API implementation is actually responsible for creating and enforcing that boundary(standards violation). It is envisioned that Layer B API implementations will be additionally augmented with anti-tamper capabilities to further deter cyber adversaries and attempts at privacy violation. The resulting Layer B component design makes the transmission and/or exploitation of malware, viruses, backdoors, Trojan horses, etc. extremely difficult, significantly raising the risk, level of sophistication, and amount of investment needed by an adversary).  

Claim 12
Smart further teaches:
The method of claim 1, further comprising: identifying and annotating entities of the organization that are responsible for the engineering applications(fig. 18a-18b illustrate entities responsible, [0017], and [0066]-[0067] The construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e.,  business functions, business processes, engineering applications, assets, facilities of the organization (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, while figs. 4 and 5 illustrate Instances of knowledge concepts (model nodes) and conceptual relationships (model links) are represented as hypergraph vertices and hypergraph edges, respectively. The solution enables information attributes to be attached to any hypergraph element. Using this attribute mechanism, hypergraph elements can be richly annotated with weights, color, or more general name-value attribute pairs. The representation of entity/relationship state vectors may be readily embedded in this structure. This attributed hypergraph structure was specifically chosen as it enables dense representation of the broadest range of complex semantic relationships. Whereas a sizable portion of the current knowledge representation industry is restricted to subject-predicate-object expressions (e.g. RDF triples), the solution's relationship structure enables any number of entities (represented as hypergraph vertices) to be contained in a single relationship (represented as a hypergraph edge)); and identifying facilities of the organization and mapping the facilities with the entities and business functions(fig. 5, [0017], and [0066]-[0067] The construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e.,  business functions, business processes, engineering applications, assets, facilities of the organization (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, while figs. 4 and 5 illustrate Instances of knowledge concepts (model nodes) and conceptual relationships (model links) are represented as hypergraph vertices and hypergraph edges, respectively. The solution enables information attributes to be attached to any hypergraph element. Using this attribute mechanism, hypergraph elements can be richly annotated with weights, color, or more general name-value attribute pairs, further [0090] The resiliency use case focuses on the resources and economics required to sustain communities through a plethora of threats, pressures, and constraints including natural disaster, emergency crisis, terrorist attack, climate change, energy food supply disruption, and communication failures. The model components (hypergraph elements) of such systems involve people, roads, communication infrastructure, facilities, organizations, communities, cities, etc. The second use case focuses on individuals, helping to predict and mitigate their displacement due to natural disaster, political unrest, humanitarian crisis, climate change, and economic collapse. The model components of such systems involve people, families, neighborhoods, relief organizations, regional climate, energy and food supply, political and economic structures. While these two use cases have dramatically different purposes, the models involved have significant overlap, particularly at increasing global scale. The solution described herein recognizes that multi-disciplinary domains greatly benefit from sharing and collaborative development (i.e. increased knowledge density/analytic yield). The global scalability of the knowledge hypergraph is critical for this purpose ).  

Claim 13
Smart further teaches:
The method of claim 1, further comprising gathering inputs to the organization and analyzing the inputs to identify the business functions and business processes of the organization(fig. 5, [0017], and [0066]-[0067] The construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e.,  business functions, business processes, engineering applications, assets, facilities of the organization (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, while figs. 4 and 5 illustrate Instances of knowledge concepts (model nodes) and conceptual relationships (model links) are represented as hypergraph vertices and hypergraph edges, respectively. The solution enables information attributes to be attached to any hypergraph element. Using this attribute mechanism, hypergraph elements can be richly annotated with weights, color, or more general name-value attribute pairs).  

Claim 17 
Smart further teaches:
The method of claim 1, further comprising mapping a set of a cybersecurity maturity model controls to the business functions and business processes ([0070]  The union of all such views collectively defines the view space W. Each view is implemented via one or more mapping functions from the interpretation set Φ. Views are again considered a special case of analytic that interfaces to one or more users or user applications. Views are similarly hosted on an analytic engine, sharable with other analytics. Views enable researchers to monitor model changes in real time from several different perspectives. This is of critical importance when working to understand the dynamics of many real-world systems (e.g. critical infrastructure, cyberspace). These primitives allow a client (i.e. an analytic) to connect to the knowledge model, create and delete hypergraph elements, invoke their methods, and asynchronously publish and subscribe to events. In addition, these primitives enable a very robust form of knowledge space isolation in support of privacy enforcement and cyber security).  

Claim 18
Smart further teaches:
The method of claim 17, further comprising: propagating a cybersecurity threat scenario through the assets to disrupt the business functions ([0156] describes different layers/scenario that enables the creation of an extremely strong security isolation barrier to prevent unauthorized data breaches, vulnerability-inducing data or cyber contamination (e.g. malware transmission), or usurpation of control (e.g. hacking)); filtering the cybersecurity maturity model controls based on the business functions affected by the cybersecurity threat scenario([0156] This barrier establishes a trust boundary above which Layer C analytic processing can be performed, but without compromise to any constituent Layer A source components. Similarly, the barrier prevents individual Layer A source components from compromising the integrity of Layer C operations or another Layer A source component in an aggregate framework enterprise. To achieve this high degree of integrity, the framework Layer B boundary is designed specifically so that the interface implementation can be rigorously defined and mathematically proven. The robustness of this trust/isolation boundary is particularly important for applications requiring the highest levels of privacy protection and preservation); 
While Smart teaches in 0014 the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e., assets (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, it does not explicitly teach the use of Purdue reference model to categorize data and in [0070] Views enable researchers to monitor model changes in real time from several different perspectives. This is of critical importance when working to understand the dynamics of many real-world systems (e.g. critical infrastructure, cyberspace), [0127] It is envisioned that these assumptions (regarding risk) will vary depending upon specific application, the sensitivities of the data, and the damage of compromise. Thus this effort proposes an accompanying set of privacy certifications levels to be better match cost with specific privacy needs depending upon the information sharing application. For efforts requiring the most robust civil liberties protections, the Black Box boundary is assumed to be no less than a physical and electronic hardware barrier that has been subject to formal vulnerability analysis and proof-of-correctness, it does not explicitly teach the following, however analogous reference, in the field of data organization and analysis, Rasumov teaches:
and identifying attack consequences to the organization that result from the cybersecurity threat scenario and calculating the criticalities and risk values of the assets, engineering applications, or business processes associated with the attack consequences to quantify a risk or value at risk to the organization associated with a cybersecurity vulnerability([0018] a scorecard system may be used to calculate the cybersecurity risk score based on discovered relationships. The scorecard system may use the calculated cybersecurity risk score to determine ranking, percentile, and other detailed cybersecurity risk information about the entity, and this information may be used to determine how various relationships that the entity has with third parties impact the entity's cybersecurity risk. Additionally, the cybersecurity risk score calculated according to embodiments may provide information that may be used by third parties to assess the cybersecurity risk of the entity in connection with establishing a relationship with the entity. [0064] he scoring module 810 may generate a cybersecurity score based on the risk factors. In an embodiment, the risk factor(s) may represent the affect that, or degree to which, a breach of the vendor's cybersecurity will expose sensitive data of the company being scored. For example, if the relationship is between a company and a cloud data storage provider, a breach of the cloud storage provider's systems may expose some or all of the data stored in the cloud by the company. In such instances, the weighting module 270 may determine that a breach of the vendor's cybersecurity may potentially expose sensitive data of the company being scored, and may give that relationship more weight. Based on the risk factor(s), the weighting module 270 may determine the weight of the relationship, and scoring module 810 may modify or adjust the cybersecurity score of the company based, at least in part, on the weighting of the relationship].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teaching of Smart incorporate the teachings of Rasumov to calculating the criticalities and risk values of the assets, engineering applications, or business processes associated with the attack consequences to quantify a risk or value at risk to the organization associated with a cybersecurity vulnerability, because doing so would help in determining risk associated with an organization and take steps in preventing it.

Claim 20/21
Smart teaches
A method, comprising: Application Number 17/067,374providing an organizational framework comprising a set of matrixed interdependencies between one or more cybersecurity maturity models, responsible business functions and business processes, engineering applications, assets, responsible entities, and facilities of the organization(ABSTRACT; paragraphs 0012-0014 describes a knowledge model and construction of a an overly structure. The construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e.,  business functions, business processes, engineering applications, assets, facilities of the organization (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements. [0207-0208] and [0212] describes A computer-readable storage device storing computer-executable instructions that, when executed by a computer, cause the computer to perform functions. Examiner Notes: business functions, business processes, engineering applications, assets, responsible entities, and facilities are descriptive labels);
propagating a cybersecurity threat scenario through the assets of the organizational framework  ([0156] describes different layers/scenario that enables the creation of an extremely strong security isolation barrier to prevent unauthorized data breaches, vulnerability-inducing data or cyber contamination (e.g. malware transmission), or usurpation of control (e.g. hacking)); 
While Smart teaches in 0014 the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e., assets (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, it does not explicitly teach the use of Purdue reference model to categorize data and in 0048 describes while analytic work performed by a person is generally considerably richer than that of a machine, a computer is particularly adept at examining exceptionally large volumes of entities and relationships for specific patterns. When knowledge is aggregated in this fashion, analytic yield increases significantly once a “critical mass” is reached, as shown in FIG. 2. Paragraph 0050 the notion of analytic yield characterizes the number of computational inferences that an analytic engine could potentially perform given a specific knowledge base. Analytic yield is thus likened to potential energy (or work) in physics and can be computed via formula (i.e., a value), it does not explicitly teach the following, however analogous reference, in the field of data organization and analysis, Rasumov teaches:
and quantifying a risk to assets and engineering applications impacted by the cybersecurity threat scenario based on a consequence score derived from asset and engineering application criticalities ([0018] a scorecard system may be used to calculate the cybersecurity risk score based on discovered relationships. The scorecard system may use the calculated cybersecurity risk score to determine ranking, percentile, and other detailed cybersecurity risk information about the entity, and this information may be used to determine how various relationships that the entity has with third parties impact the entity's cybersecurity risk. Additionally, the cybersecurity risk score calculated according to embodiments may provide information that may be used by third parties to assess the cybersecurity risk of the entity in connection with establishing a relationship with the entity).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teaching of Smart incorporate the teachings of Rasumov to quantify a risk to assets and engineering applications impacted by the cybersecurity threat scenario based on a consequence score derived from asset and engineering application criticalities, because doing so would help in determining risk associated with an organization and take steps in preventing it.

Claim 7, 8, and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Corey J. Smart (US 2015/0347480 A1, hereinafter “Smart”) in view of Nikon Rasumov (US 2017/0236078 A1, hereinafter “Rasumov”), as applied in claim 1, Seth G. Carpenter (US 2016/0234229 A1, hereinafter “Carpenter”).
Claim 7
Smart further teaches:
The method of claim 1, further comprising: identifying assets of the organization including data flows and asset dependencies (0014 the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e., assets (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements); and constructing a third relational matrix defining interconnections between the business processes and the assets (fig. 5, [0017], and [0066]-[0067] The construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e.,  business functions, business processes, engineering applications, assets, facilities of the organization (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, while figs. 4 and 5 illustrate Instances of knowledge concepts (model nodes) and conceptual relationships (model links) are represented as hypergraph vertices and hypergraph edges, respectively. The solution enables information attributes to be attached to any hypergraph element. Using this attribute mechanism, hypergraph elements can be richly annotated with weights, color, or more general name-value attribute pairs. The representation of entity/relationship state vectors may be readily embedded in this structure. This attributed hypergraph structure was specifically chosen as it enables dense representation of the broadest range of complex semantic relationships. Whereas a sizable portion of the current knowledge representation industry is restricted to subject-predicate-object expressions (e.g. RDF triples), the solution's relationship structure enables any number of entities (represented as hypergraph vertices) to be contained in a single relationship (represented as a hypergraph edge)).  
While Smart teaches in0014 the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e., assets (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, it does not explicitly teach the use of Purdue reference model to categorize data, however analogous reference, in the field of data organization and analysis, Carpenter teaches:
categorizing the assets according to a Purdue reference model([0011] using Purdue model to categorize data)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teaching of Smart and Rasumov incorporate the teachings of  Carpenter to use Purdue reference model in analyzing data, because Purdue analysis is the offers the best practices for the relationship between industrial control systems and business networks by providing hierarchal data structure, wherein as you move down the hierarchy (from Level 5 to Level 0), devices have more access to critical processes but fewer intrinsic security capabilities. 

Claim 8 
Smart further teaches:
The method of claim 7, further comprising: identifying critical assets that are part of an organizational objective using an asset registry, network mapping, and/or fault trees and attack trees, wherein critical assets comprise data flows, software, hardware, and/or personnel(0014 the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., real-world entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e., assets (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements. [0014] source data is fundamentally treated as scientific observations or measurements of some set of interdependent subsystems (e.g. an individual, cyberspace, Earth). The transformation components are used to map source system data into the knowledge overlay structure, thus minimizing data replication and movement. Except when cached for performance reasons, data largely remains at rest in its origin system and in its original structure and form); and Page 3 of 831694-EAttorney Reference Number 23-104960-01 Application Number 17/067,374 layering the identified assets on a…. model by (a) listing assets and connecting assets to other assets based on asset-to-asset dependencies and (b) mapping the assets to the identified engineering applications(Figs. 4 and 5, [0013]This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities (e.g. people, computers, cities, Earth) and their complex interdependencies (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements (i.e. both hypervertices and hyperedges). Attributes are represented as state vectors affixed to any hypergraph element. [0047] A large segment of analysis is dedicated to understanding real-world (or virtual world) entities and their complex interrelationships and dependencies, while the framework described applies this process at global scale to aid the creation of a knowledge base with world coverage. The estimated upper bound of such a knowledge base equates roughly to a graph of approximately one trillion nodes and one quadrillion link).  
While Smart teaches in0014 the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e., assets (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, it does not explicitly teach the use of Purdue reference model to categorize data, however analogous reference, in the field of data organization and analysis, Carpenter teaches:
The use of Purdue reference model([0011] using Purdue model to categorize data)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teaching of Smart and Rasumov incorporate the teachings of  Carpenter to use Purdue reference model in analyzing data, because Purdue analysis is the offers the best practices for the relationship between industrial control systems and business networks by providing hierarchal data structure, wherein as you move down the hierarchy (from Level 5 to Level 0), devices have more access to critical processes but fewer intrinsic security capabilities. 

Claim 14
While Smart teaches in 0014 the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e., assets (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, it does not explicitly teach the use of Purdue reference model to categorize data, it does not explicitly teach the following, however analogous reference, in the field of data organization and analysis, Rasumov teaches:
The method of claim 1, further comprising: determining an asset criticality score by aggregating cumulative dependencies of (a) an asset in a bottom-up fashion to identify all asset-level dependencies that belong to … model layers below a current layer of the asset and (b) an asset in a left-to-right fashion to identify all asset-level dependencies at the same .. model layer ([0051]-[0064] and fig. 6 describes computing a critical score based on different data types and determining an overall score, wherein [0055] a type of data associated with an entity that can be collected includes network exploitation information, which the scorecard system may collect using network exploitation collection module 205. network exploitation information includes information about the level of security of the entity's network and/or the vulnerabilities in the network's infrastructure. This information is critical because hackers may exploit insecure settings to circumvent the network's login process or obtain elevated access to the system. To collect the information about the level of the security of the entity's network, the scorecard system 200 may search public datasets associated with the entity's network for evidence of high risk network settings which may increase the risk of the network being exploited. The scorecard system 200 can also search and analyze headers of servers from public datasets to collection information about the level of security of the entity's network. The scorecard system can also analyze datasets collected by search engines to identify application security vulnerabilities, for example, by noticing indexed pages or URLs in caches of search browsers that indicate a presence of application security vulnerability.  [0063] Another type of data associated with an entity that can be collected includes patching cadence information (asset), which the scorecard system 200 can collect using patching cadence collection module 207. Patching cadence information can be information that indicates the amount of the entity's software that is out-of-date or vulnerable. The scorecard system 200 may collect patching cadence information by searching through an entity's software versions and configurations information and then cross-referencing the identified versions against CVE vulnerability databases. For example, the scorecard system 200 may collect patching cadence information by searching for specific vulnerabilities, such as Poodle, heartbleed, Opensl® and/or other vulnerabilities. When a software version matches a CVE, the software can be flagged. The scorecard system 200 may associate different vulnerabilities with different severities and assign worse scores for the vulnerabilities that present a higher risk to an entity);
 determining an engineering application criticality score by aggregating cumulative dependencies of (a) an engineering application in a bottom-up fashion to identify all engineering Page 4 of 831694-EAttorney Reference Number 23-104960-01 Application Number 17/067,374application-level dependencies that belong to … model layers below a current layer of the engineering application and (b) an engineering application in a left-to-right fashion to identify all engineering application-level dependencies at the same … model layer([0051]-[0064] and fig. 6 describes computing a critical score based on different data types and determining an overall score, wherein [0063] a type of data associated with an entity that can be collected includes patching cadence information, which the scorecard system 200 can collect using patching cadence collection module 207. Patching cadence information can be information that indicates the amount of the entity's software (an asset that is an engineering application)that is out-of-date or vulnerable. The scorecard system 200 may collect patching cadence information by searching through an entity's software versions and configurations information and then cross-referencing the identified versions against CVE vulnerability databases. For example, the scorecard system 200 may collect patching cadence information by searching for specific vulnerabilities, such as Poodle, heartbleed, Opensl® and/or other vulnerabilities. When a software version matches a CVE, the software can be flagged. The scorecard system 200 may associate different vulnerabilities with different severities and assign worse scores for the vulnerabilities that present a higher risk to an entity);
and computing a consequence score based on the asset and engineering application criticality scores and computing a risk or value at risk score based at least in part on the consequence score([0018] a scorecard system may be used to calculate the cybersecurity risk score based on discovered relationships. The scorecard system may use the calculated cybersecurity risk score to determine ranking, percentile, and other detailed cybersecurity risk information about the entity, and this information may be used to determine how various relationships that the entity has with third parties impact the entity's cybersecurity risk. Additionally, the cybersecurity risk score calculated according to embodiments may provide information that may be used by third parties to assess the cybersecurity risk of the entity in connection with establishing a relationship with the entity. [0064] he scoring module 810 may generate a cybersecurity score based on the risk factors. In an embodiment, the risk factor(s) may represent the affect that, or degree to which, a breach of the vendor's cybersecurity will expose sensitive data of the company being scored. For example, if the relationship is between a company and a cloud data storage provider, a breach of the cloud storage provider's systems may expose some or all of the data stored in the cloud by the company. In such instances, the weighting module 270 may determine that a breach of the vendor's cybersecurity may potentially expose sensitive data of the company being scored, and may give that relationship more weight. Based on the risk factor(s), the weighting module 270 may determine the weight of the relationship, and scoring module 810 may modify or adjust the cybersecurity score of the company based, at least in part, on the weighting of the relationship].  
While Smart teaches in 0014 the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e., assets (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, it does not explicitly teach the use of Purdue reference model to categorize data, however analogous reference, in the field of data organization and analysis, Carpenter teaches:
The use of Purdue reference model([0011] using Purdue model to categorize data)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teaching of Smart and Rasumov incorporate the teachings of  Carpenter to use Purdue reference model in analyzing data, because Purdue analysis is the offers the best practices for the relationship between industrial control systems and business networks by providing hierarchal data structure, wherein as you move down the hierarchy (from Level 5 to Level 0), devices have more access to critical processes but fewer intrinsic security capabilities. 

Claim 15 
While Smart teaches in 0014 the construction of a knowledge model “overlay” for organizing and analyzing large, dynamic data volumes (e.g. the World-Wide Web). This overlay is implemented as a hypergraph that manifests as a result of a distributed theory-driven data source transformation process. This process maps exponentially growing data into an asymptotically limited information space. Within this space, real-world entities i.e., responsible entities (e.g. people, computers, cities, Earth) and their complex interdependencies i.e., assets (e.g. social networks, connectivity, causal relationships) are represented as attributed hypergraph elements, it does not explicitly teach the use of Purdue reference model to categorize data and in [0070] Views enable researchers to monitor model changes in real time from several different perspectives. This is of critical importance when working to understand the dynamics of many real-world systems (e.g. critical infrastructure, cyberspace), [0127] It is envisioned that these assumptions (regarding risk) will vary depending upon specific application, the sensitivities of the data, and the damage of compromise. Thus this effort proposes an accompanying set of privacy certifications levels to be better match cost with specific privacy needs depending upon the information sharing application. For efforts requiring the most robust civil liberties protections, the Black Box boundary is assumed to be no less than a physical and electronic hardware barrier that has been subject to formal vulnerability analysis and proof-of-correctness, it does not explicitly teach the following, however analogous reference, in the field of data organization and analysis, Rasumov teaches:
The method of claim 14, wherein the risk is computed based on the consequence score, a vulnerability estimate, and a threat probability ([0018] a scorecard system may be used to calculate the cybersecurity risk score based on discovered relationships. The scorecard system may use the calculated cybersecurity risk score to determine ranking, percentile, and other detailed cybersecurity risk information about the entity, and this information may be used to determine how various relationships that the entity has with third parties impact the entity's cybersecurity risk. Additionally, the cybersecurity risk score calculated according to embodiments may provide information that may be used by third parties to assess the cybersecurity risk of the entity in connection with establishing a relationship with the entity. [0064] he scoring module 810 may generate a cybersecurity score based on the risk factors. In an embodiment, the risk factor(s) may represent the affect that, or degree to which, a breach of the vendor's cybersecurity will expose sensitive data of the company being scored. For example, if the relationship is between a company and a cloud data storage provider, a breach of the cloud storage provider's systems may expose some or all of the data stored in the cloud by the company. In such instances, the weighting module 270 may determine that a breach of the vendor's cybersecurity may potentially expose sensitive data of the company being scored, and may give that relationship more weight. Based on the risk factor(s), the weighting module 270 may determine the weight of the relationship, and scoring module 810 may modify or adjust the cybersecurity score of the company based, at least in part, on the weighting of the relationship).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teaching of Smart incorporate the teachings of Rasumov to compute risk score based on the consequence score, a vulnerability estimate, and a threat probability, because doing so would help in determining risk associated with an organization and take steps in preventing it.

Claim 16
Smart further teaches:
The method of claim 15, wherein the vulnerability comprises a cybersecurity vulnerability ([0070], [0127], and [0137] Views are again considered a special case of analytic that interfaces to one or more users or user applications. Views are similarly hosted on an analytic engine, sharable with other analytics. Views enable researchers to monitor model changes in real time from several different perspectives. This is of critical importance when working to understand the dynamics of many real-world systems (e.g. critical infrastructure, cyberspace)).  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US 20190147376 A1
METHODS AND SYSTEMS FOR RISK DATA GENERATION AND MANAGEMENT
Mahabir; Roger Ramchand et al.

US 20160171415 A1
CYBERSECURITY RISK ASSESSMENT ON AN INDUSTRY BASIS
Yampolskiy; Aleksandr et al.
US 20040059611 A1
Method of modeling frameworks and architecture in support of a business
Kananghinis, John  et al.


Any inquiry concerning this communication or earlier communications from the examiner should be directed to REHAM K ABOUZAHRA whose telephone number is (571)272-0419. The examiner can normally be reached M-F 7:00 AM to 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Epstein can be reached on (571) 270-5389. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/REHAM K ABOUZAHRA/Examiner, Art Unit 3683

/TIMOTHY PADOT/Primary Examiner, Art Unit 3683