Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
1.	This action is responsive to: an original application filed on 18 March 2020, with acknowledgement that this application is a continuation of 16/585,202, filed 27 September 2019, which claims the benefit of a provisional application filed 27 September 2018.
2.	Claims 1-20 are currently pending. Claims 1, 19, and 20 are independent claims.
Double Patenting
3.	A rejection based on double patenting of the “same invention” type finds its support in the language of 35 U.S.C. 101 which states that “whoever invents or discovers any new and useful process... may obtain a patent therefor...” (Emphasis added). Thus, the term “same invention,” in this context, means an invention drawn to identical subject matter. See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957).
A statutory type (35 U.S.C. 101) double patenting rejection can be overcome by canceling or amending the claims that are directed to the same invention so they are no longer coextensive in scope. The filing of a terminal disclaimer cannot overcome a double patenting rejection based upon 35 U.S.C. 101.
4.	Claims 1-20 are provisionally rejected on the ground of statutory type double patenting as being unpatentable over claims 1-20 of co-pending application 16/585,202.
	This is a provisional obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.
Claim Rejections – 35 USC § 103
5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


6.	Claims 1-6, 12-16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Nelson et al. U.S. Patent Application Publication No. 2006/0117388 (hereinafter ‘388) in view of Hassell et al. U.S. Patent Application Publication No. 2015/02959948 (hereinafter ‘948).
	As to independent claim 1, “the method comprising: displaying a graphical user interface having data fields for entry of data representing parameters associated with the digital asset and with a plurality of cyber risk algorithms” is taught in ‘388 Figures 3, and 6-7, note Figure 3 shows an Exemplary System for Modeling an Information Security Risk that includes a graphic user interface (GUI), Figure 6 shows the Questionnaire Engine with two cyber risk algorithms (i.e. Technical Aspect Questionnaire Generator & Business Aspect Questionnaire Generator) Figure 7 shows the GUI Screen with the input fields;
	“receiving the data entered into the data fields representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms” is shown in ‘388 paragraphs 80-86;
	“selecting at least one cyber risk algorithm of the plurality of cyber risk algorithms based on the data entered into the data fields representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms” is disclosed in ‘388 paragraphs 87-91;


Although ‘388 provides a risk assessment with the Risk Categories labeled Low, Intermediate, Moderate, High, and Severe which could be interpreted as “quantifying” an asset in Table 4, since ‘388 does not use the terms “quantifying” or “digital asset” it could be argued the following is not explicitly taught in ‘388: 
“A method for quantifying a cyber risk associated with a digital asset”; however, ‘948 teaches quantifying the risk of a digital asset by stating “Embodiments described herein provide a cyber analysis modeling evaluation for operations …in order to enable the cyber analyst to evaluate the cyber resiliency of systems and networks” in paragraph 13.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of system and method for modeling information security risk taught in ‘388 to include a means to quantify a cyber risk associated with a digital asset.  One of ordinary skill in the art would have been motivated to perform such a modification because cyber security is a global issue of growing importance see ‘948 paragraphs 2-4. 
	As to dependent claim 2, “The method of claim 1, further comprising generating a webpage that specifies the cyber risk associated with the digital asset” is taught in ‘399 Abstract, Figure 2, paragraph 14, note the system uses a Web based Application, that models (specifies) the cyber risk associated with the project (i.e. digital asset).

	As to dependent claim 4, “The method of claim 3, further comprising determining the cyber risk associated with the digital asset based on outputs generated by the multiple cyber risk algorithms” is disclosed in ‘388 paragraphs 63, 100-105, and 122.
	As to dependent claim 5, “The method of claim 1, further comprising determining a cyber resiliency associated with the digital asset” is taught in ‘948 paragraphs 13-14.
	As to dependent claim 6, “The method of claim 1, further comprising dynamically determining a cyber resiliency associated with the digital asset in near real time” is shown in ‘948 paragraph 23. 
	As to dependent claim 12, “The method of claim 1, further comprising classifying the digital asset” is disclosed in ‘948 paragraph 13.
	As to dependent claim 13, “The method of claim 1, wherein the receiving of the data entered into the data fields comprises receiving a data exfiltration exposure associated with the digital asset” is taught in ‘388 paragraphs 97-98 and Table 3, note on Table 3 the 
	As to dependent claim 14, “The method of claim 13, further comprising receiving at least one of the parameters associated with the digital asset describing a number of electronic data records breached during a cyber security incident” is taught in ‘388 paragraphs 97-98 and Table 3.
	As to dependent claim 15, “The method of claim 14, further comprising calculating the data exfiltration exposure associated with the digital asset based on the number of the electronic data records breached during the cyber security incident and a cost per each one of the electronic data records” is shown in ‘388 paragraphs 97-98 and Table 3.
	As to dependent claim 16, “The method of claim 1, wherein the receiving of the data entered into the data fields comprises receiving a business interruption exposure associated with the digital asset” is disclosed in ‘388 paragraphs 97-98 and Table 3.
	As to dependent claim 18, “The method of claim 1, wherein the receiving of the data entered into the data fields comprises receiving a cyber risk exposure associated with the digital asset” is shown in ‘388 paragraph 97.

7.	Claims 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Nelson et al. U.S. Patent Application Publication No. 2006/0117388 (hereinafter ‘388) in view of Mahabir et al. U.S. Patent Application Publication No. 2017/0244740 (hereinafter ‘740).
	As to independent claim 19, “A system, comprising: a hardware processor; and a memory device, the memory device storing instructions, the instructions when executed causing the 
	“sending a webpage to the client device, the webpage generating a graphical user interface having data fields for entry of data representing parameters associated with a digital asset and with a plurality of cyber risk algorithms for providing the cyber security service” is shown in ‘388 the Abstract, Figures 3, 6-7, and paragraph 14, note Figure 3 shows an Exemplary System for Modeling an Information Security Risk that includes a graphic user interface (GUI), Figure 6 shows the Questionnaire Engine with two cyber risk algorithms (i.e. Technical Aspect Questionnaire Generator & Business Aspect Questionnaire Generator) Figure 7 shows the GUI Screen with the input fields, and the system uses a Web based Application, that models (specifies) the cyber risk associated with the project (i.e. digital asset);
	“receiving the data from the client device, the data entered into the data fields, the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms” is shown in ‘388 paragraphs 80-86;
	“receiving electronic cyber security answers from the client device, the electronic cyber security answers describing cyber security impacts associated with the digital asset, the electronic cyber security answers responsive to electronic prompts displayed by the graphical user interface generated by the webpage” is disclosed in ‘388 paragraphs 97-98 and Table 3, note on Table 3 the Questions/Answers provide details related to the type of data and the associated risks, i.e. security ranking, dollar  amount, criticality of process these questions/answers provide “data exfiltration exposure”;

	“selecting a first cyber security algorithm of the plurality of cyber risk algorithms based on the data exfiltration exposure associated with the digital asset” is shown in ‘388 paragraphs 87-91 and 104-105;
	“calculating a business interruption exposure associated with the digital asset, the business interruption exposure based on the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; selecting a second cyber security algorithm of the plurality of cyber risk algorithms based on the business interruption exposure associated with the digital asset” is disclosed in ‘388 paragraphs 97-98 and Table 3;
	“determining a cyber risk score associated with the digital asset, the cyber risk score based on the electronic cyber security answers describing the cyber security impacts associated with the digital asset” is taught in ‘388 paragraphs 61 and 90;
	“determining a cyber exposure associated with the digital asset, the cyber exposure based on i) executing the first cyber security algorithm selected based on the data exfiltration exposure, ii) executing the second cyber security algorithm selected based on the business interruption exposure” and iv) the cyber risk score based on the electronic cyber security answers describing the cyber security impacts; and sending the cyber exposure associated with the digital asset to the client device in response to the request for the cyber security service” is shown in ‘388 paragraphs 100-105, 108, and 122;

‘388:
	“calculating a regulatory exposure associated with the digital asset, the regulatory exposure based on the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; selecting a third cyber security algorithm of the plurality of cyber risk algorithms based on the regulatory exposure associated with the digital asset” and “iii) executing the third cyber security algorithm selected based on the regulatory exposure” however ‘740 teaches each software application (i.e. digital asset) receives an indication of one or more properties associated with the software application which may include regulatory compliance status or “regulatory data” in paragraphs 109-110 and 121.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of system and method for modeling information security risk taught in ‘388 to include a means to calculate regulatory exposure with the digital asset.  One of ordinary skill in the art would have been motivated to perform such a modification because the nature of cybersecurity has changed.  Therefore, few organizations have a clear picture of what comprises regulatory or other compliance material see ‘740 paragraphs 2-5.

	As to independent claim 20, “A memory device storing instructions that when executed cause a hardware processor to perform operations, the operations comprising: receiving a request for a cyber security service from a client device” is taught in ‘388 paragraphs 44 and 46, note the client initiates (requests) the security service to model risks;

	“receiving the data from the client device, the data entered into the data fields, the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms” is shown in ‘388 paragraphs 80-86;
	“receiving electronic cyber security answers from the client device, the electronic cyber security answers describing cyber security impacts associated with the digital asset, the electronic cyber security answers responsive to electronic prompts displayed by the graphical user interface generated by the webpage sent to the client device” is disclosed in ‘388 paragraphs 97-98 and Table 3, note on Table 3 the Questions/Answers provide details related to the type of data and the associated risks, i.e. security ranking, dollar  amount, criticality of process these questions/answers provide “data exfiltration exposure”;
	“calculating a data exfiltration exposure associated with the digital asset, the data exfiltration exposure based on the data representing the parameters associated with the digital 
	“in response to the data exfiltration exposure associated with the digital asset, selecting a first cyber security algorithm of the plurality of cyber risk algorithms” is shown in ‘388 paragraphs 87-91 and 104-105;
	“calculating a business interruption exposure associated with the digital asset, the business interruption exposure based on the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; in response to the business interruption exposure associated with the digital asset, selecting a second cyber security algorithm of the plurality of cyber risk algorithms” is disclosed in ‘388 paragraphs 97-98 and Table 3;
	“determining a cyber risk score associated with the digital asset, the cyber risk score based on the electronic cyber security answers describing the cyber security impacts associated with the digital asset” is taught in ‘388 paragraphs 61 and 90;
	“determining a cyber exposure associated with the digital asset, the cyber exposure based on i) executing the first cyber security algorithm selected in response to the data exfiltration exposure, ii) executing the second cyber security algorithm selected in response to the business interruption exposure” and iv) the cyber risk score based on the electronic cyber security answers describing the cyber security impacts; and sending another webpage to the client device, the another webpage specifying the cyber exposure associated with the digital asset as a result of the cyber security service” is shown in ‘388 paragraphs 100-105, 108, and 122;

‘388: 
	“calculating a regulatory exposure associated with the digital asset, the regulatory exposure based on the data representing the parameters associated with the digital asset and with the plurality of cyber risk algorithms; in response to the regulatory exposure associated with the digital asset, selecting a third cyber security algorithm of the plurality of cyber risk algorithms” and “iii) executing the third cyber security algorithm selected in response to the regulatory exposure” however ‘740 teaches each software application (i.e. digital asset) receives an indication of one or more properties associated with the software application which may include regulatory compliance status or “regulatory data” in paragraphs 109-110 and 121.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of system and method for modeling information security risk taught in ‘388 to include a means to calculate regulatory exposure with the digital asset.  One of ordinary skill in the art would have been motivated to perform such a modification because the nature of cybersecurity has changed.  Therefore, few organizations have a clear picture of what comprises regulatory or other compliance material see ‘740 paragraphs 2-5.

8.	Claims 7 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Nelson et al. U.S. Patent Application Publication No. 2006/0117388 (hereinafter ‘388) in view of Hassell et al. U.S. Patent Application Publication No. 2015/02959948 (hereinafter ‘948) in further view of Hamby U.S. Patent Application Publication No. 2016/0239665 (hereinafter ‘665).
As to dependent claim 7, the following is not explicitly taught in ‘388 and ‘948: “The method of claim 1, further comprising determining a cyber insurance associated with the digital asset” however ‘665 teaches cyber liability insurance is determined (i.e. evaluated) in the Abstract, paragraphs 2 and 8.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of system and method for modeling information security risk taught in ‘388 and ‘948 to include a means to determine cyber insurance associated with the digital asset.  One of ordinary skill in the art would have been motivated to perform such a modification because the growth of networked computer systems has directly or indirectly resulted in the increased frequency and complexity of cyber-attacks and cyber liability insurance has evolved see ‘665 paragraphs 3-5.

	As to dependent claim 11, the following is not explicitly taught in ‘388 and ‘948: “The method of claim 1, further comprising determining a third-party cyber risk associated with the digital asset” however ‘665 teaches the embodiments disclosed herein although specifically addressing the cyber-liability insurance transactions, are not limited to insurance policy transaction so named. The risk may also be assigned to third-parties may be an important factor in cyber-liability pricing in paragraph 46.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of system and method for modeling information security risk taught in ‘388 and ‘948 to include a means to determine third-party cyber risk associated with the digital asset.  One of ordinary skill in the art would have been motivated to perform such a modification because the growth of networked computer systems has directly or indirectly .

9.	Claims 8-10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Nelson et al. U.S. Patent Application Publication No. 2006/0117388 (hereinafter ‘388) in view of Hassell et al. U.S. Patent Application Publication No. 2015/02959948 (hereinafter ‘948) in further view of Mahabir et al. U.S. Patent Application Publication No. 2017/0244740 (hereinafter ‘740).

	As to dependent claim 8, the following is not explicitly taught in ‘388 and ‘948: “The method of claim 1, further comprising comparing the cyber risk to a threshold value” however ‘740 teaches comparing a cyber risk to a threshold value in paragraph 95, note “Alerts or notifications may be sent to interested users when risk levels change or when predetermined thresholds are exceeded or both”.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of system and method for modeling information security risk taught in ‘388 and ‘948 to include a means to compare cyber risk to threshold value.  One of ordinary skill in the art would have been motivated to perform such a modification because the nature of cybersecurity has changed.  Therefore, few organizations have a clear picture of what crown jewel data (or threshold data) comprises see ‘740 paragraphs 2-5.
	As to dependent claim 9, “The method of claim 8, further comprising determining the cyber risk fails to satisfy the threshold value” is taught in ‘665 paragraph 95.

	As to dependent claim 17, the following is not explicitly taught in ‘388 and ‘948: “The method of claim 1, wherein the receiving of the data entered into the data fields comprises receiving a regulatory exposure associated with the digital asset” however ‘740 teaches each software application (i.e. digital asset) receives an indication of one or more properties associated with the software application which may include regulatory compliance status or “regulatory data” in paragraphs 109-110 and 121.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of system and method for modeling information security risk taught in ‘388 and ‘948 to include a means to calculate regulatory exposure with the digital asset.  One of ordinary skill in the art would have been motivated to perform such a modification because the nature of cybersecurity has changed.  Therefore, few organizations have a clear picture of what comprises regulatory or other compliance material see ‘740 paragraphs 2-5.
Conclusion
10.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ELLEN C TRAN whose telephone number is (571) 272-3842. The examiner can normally be reached from M-F 9 AM to 6 PM.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ELLEN TRAN/ Primary Examiner, Art Unit 2433
25 March 2022