DETAILED ACTION

Currently pending claims are 2 – 21 (Claim 1 was cancelled).

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 13 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea.

Step 1: 
With regard to claim 13, the claim recites a system for assessing cyber security risk exposure of an enterprise.

Step 2A Prong One:
The claim limitations appear to recite "Mental Processes", including classifications and evaluations of security threats via a list of questionnaire answers based on user inputs, which may be performed in the human mind and are therefore abstract; i.e., the claim merely describes human analysis using well-understood and conventional functional descriptive material, namely an interactive user questionnaire / answer technique (a user survey) previously known to the pertinent industry for evaluating security threats to enterprises. The claim recites these concepts at a high level of generality, such that they may be performed within the human mind and are thus abstract.

Step 2B Prong Two:
With regard to claim 13, the claim recites additional elements such as using a list of questions (questionnaire) corresponding to a plurality of security categories on the basis of a user survey, evaluating the answer(s) provided by two or more users to determine a security risk exposure value corresponding to security threats, and projecting the associated costs of mitigating the risk exposure. As such, the recited claim language essentially lacks any significant security algorithm(s) that would furnish a patentable feature.


Besides, the claim limitations appear to merely add the use of (i) a non-transitory computer readable storage, (ii) a platform comprising software and/or hardware logic configured, when executed, to perform operations, and (iii) an interactive user interface, which are considered as generic computer components that are merely executing the abstract idea within a computer device (terminal). (See MPEP 2106.05(b)).   

As such, when viewed as an ordered combination, the claim appears to recite a series of mental / abstract processes executed by generic computing components, which do not appear to amount to significantly more than the abstract idea itself and do not incorporate specific details of patentable features into an implementation.

Based on the above analysis, claim 13 has been determined not to be eligible subject matter under 35 USC 101.  Any other claims not addressed are rejected by virtue of their dependency.

Likewise, claim 2 is also rejected under 35 U.S.C. 101 with a similar rationale. The claim recites additional claim language such as obtaining from a second user a second set of answers to a remaining portion of the plurality of questions already answered by a first user; however, Examiner notes that a survey of a list of questions (questionnaire) provided to a company that utilizes multiple networks would address at least a common part of network security questions and a different (remaining) part of questions associated with each specific network, answered by that network's group of network users (employees) of the company.  As such, when viewed as an ordered combination, the claim appears to recite a series of mental processes executed by generic computing components, which do not appear to amount to significantly more than the abstract idea itself and do not incorporate specific details of patentable features into an implementation.

Based on the above analysis, claim 2 has been determined not to be eligible subject matter under 35 USC 101.  Any other claims not addressed are rejected by virtue of their dependency.


In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 2 – 21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Seiver et al. (U.S. Patent 9,648,036). 

As per claim 13,  Seiver teaches a system for assessing cyber security risk exposure of an enterprise, the system comprising: 
at least one non-transitory computer readable storage configured to store an array of question data (Seiver: Figure 10), 
each question of the array comprising question text, wherein each question of the plurality of questions is associated with a respective domain of a plurality of cyber security domains (Seiver: Figure 16 / E-1600 & Col. 22 Line 4 – 8 / Line 31 – 40: (a) a survey with a list of questions (i.e. questionnaire) is provided to a company, (b) each question is associated with a respective security domain, (c) the domains of cybersecurity vulnerability (Figure 16 / E-1600) of the enterprise can include security domains such as (i) network security, (ii) access rights, (iii) a domain of a specific user account level, (iv) a domain of a network device level, (v) a domain of overall user level, (vi) a domain of overall system (network) level, etc., so as to (d) evaluate an insurance cost associated with the cyber security risks – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0199] Line 2 – 4: projecting cyber insurance cost across a number of security domains based on the answers from users to a list of questions), and 
each question of the array of questions corresponds to at least two response selections, each response selection corresponding to a respective response value of at least two response values (Seiver: see above: (e.g.) at least including answers such as yes/no or different ranges of values/numbers (multiple-choice) as a basic option of a response to a particular question), and 
Application No. 16/781,072 Preliminary Amendment
an array of answer data, each answer of the answer data corresponding to a respective response value of the at least two response values of a corresponding question of the array of question data, wherein each value represents a relative risk exposure (Seiver: see above & Col. 22 Line 4 – 40: (e.g.) compromised risk values representing a relative security risk exposure); and 
a platform comprising software and/or hardware logic configured, when executed, to perform operations (Seiver: Figure 10) comprising 
obtaining, from at least two users of a plurality of users, at least two sets of answers to a plurality of questions presented in a cyber security questionnaire associated with the enterprise, wherein obtaining the respective sets of answers (Seiver: see above & Col. 22 Line 23 – 25 / Line 27 – 28, Figure 15 / E-1506, E-1510, Figure 25C & Col. 19 Line 48 – 61, Col. 17 Line 30 – 34, Col. 18 Line 18 – 24, Col. 27 Line 41 – 51 and Col. 4 Line 66 – Col. 5 Line 26: a survey with a list of questions (i.e. questionnaire) can be provided to two or more users regarding the security subject matters – either individual users or groups of users (i.e. compared with peers) of a company / enterprise, as well as other organizations such as those located in different regions (e.g. regional organizations as peer enterprise entities), a same company that utilizes multiple networks (i.e. different network users) within the enterprise, etc.) comprises 
preparing, for presentation to the respective user at computing device of the respective user, an interactive user interface presenting at least a portion of the plurality of questions, each question presenting question text of a respective question of the array of question data (see above), and 
receiving, via the interactive survey user interface, a respective set of answers of the at least two sets of answers, wherein each user of the at least two users is associated with the enterprise (see above), and 
preparing the interactive user interface comprises presenting, for each question already answered in a respective set of answers of the at least two sets of answers, the answer entered corresponding to the respective question (see above), 
for each domain of the set of cyber security domains, calculating a domain-level exposure value using the response values corresponding to each answer obtained in the at least two sets of answers corresponding to a question of the plurality of questions associated with the respective domain (Seiver: see above & Col. 22 Line 26 – 40: (e.g.) a domain-level exposure value such as a compromise risk value can be determined (e.g.) per security domain such as access rights control), 
identifying, for each domain of the plurality of cyber security domains, one or more security threats relevant to the enterprise based on at least one of the domain-level exposure value and the answers corresponding to the respective domain (see above), 
for each security domain of the set of cyber security domains, estimating at least one cost associated with the one or more security threats (Seiver: see above & Figure 15 / E-1510, Col. 4 Line 66 – Col. 5 Line 26, Col. 17 Line 30 – 34, Col. 18 Line 18 – 24 / Line 46 – 49, Col. 19 Line 48 – 61, Col. 32 Line 30 – 31 / Line 21 – 27: (a) the system determines a compromise likelihood for a respective security domain which constitutes a sensitivity to security threat(s) that would cause the system to be compromised w.r.t. a deficiency of appropriate baseline security protections and (b) for example, the recency of the virus definition data that has been updated also constitutes an amount of relevance of the one or more cyber security threats to the respective security domain (Seiver: Col. 32 Line 30 – 31 / Line 21 – 27)), and 
preparing a report for the enterprise comprising a plurality of cost estimations associated with the plurality of cyber security domains (Seiver: see above & Col. 22 Line 30 – 31: a report associated with an insurance provider to determine the insurance rate (cost) for mitigating the security risks).  

As per claim 2, the claim limitations are met for the same reasons as those set forth in the paragraph above regarding claim 13, with the exception of the feature(s) related to obtaining from a second user a second set of answers to a remaining portion of the plurality of questions already answered by a first user (Seiver: see above & Col. 22 Line 23 – 25 / Line 27 – 28, Figure 15 / E-1506, E-1510, Figure 25C & Col. 19 Line 48 – 61, Col. 17 Line 30 – 34, Col. 18 Line 18 – 24, Col. 27 Line 41 – 51 and Col. 4 Line 66 – Col. 5 Line 26: a survey with a list of questions (i.e. questionnaire) can be provided to a company that utilizes multiple networks, which would address at least a common part of network security questions and a different (remaining) part of questions associated with each specific network, answered by that network's group of network users (employees) of the company within the enterprise).

As per claims 3 – 4, Seiver teaches applying, to a portion of the plurality of answers of at least one domain of the set of security domains, a weight to the associated answer score of the respective answer (Seiver: see above & Col. 5 Line 27 – 32, Col. 9 Line 58 – 64 and Col. 32 Line 30 – 31 / Line 21 – 27: e.g. (a) adjusting the assessment data (questions / answer scores) by utilizing a weighting factor associated with particularly important answer scores to increase (or decrease) the significance of the assessment data and (b) the weighting factor can be assigned based on the recency of the data being used – e.g. the weighting factor would be higher when computing the compromise risk score if the virus definition data has not been updated recently – i.e. with an answer of "no" corresponding to a compromise risk value / score (Col. 32 Line 30 – 31 / Line 21 – 27)).
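To make the claimed pipeline concrete, the following is an added illustration (not code from Seiver or from the application) of the claim 13 operations as mapped above: an array of questions tagged with a cyber security domain, response selections mapped to response values, answer sets collected from two users where the second user is presented only the remaining questions (claim 2), domain-level exposure values with a weighting factor applied to a portion of the answers (claims 3 – 4), threat identification per domain and a per-domain cost estimate. All questions, response values, weights, threats and losses are constructed sample data; the exposure formula (weighted mean), the 0.5 threshold and the cost rule (exposure times summed loss) are assumptions chosen for this example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    domain: str                  # cyber security domain the question belongs to
    responses: Dict[str, float]  # response selection -> response value (relative risk exposure)


# Constructed sample question array (not taken from Seiver or the application).
QUESTIONS: List[Question] = [
    Question("Q1", "Antivirus definitions updated in the last 7 days?", "endpoint", {"yes": 0.0, "no": 1.0}),
    Question("Q2", "MFA enforced for privileged accounts?", "access", {"yes": 0.0, "no": 1.0}),
    Question("Q3", "How many privileged accounts are enabled?", "access", {"<5": 0.0, "5-20": 0.5, ">20": 1.0}),
    Question("Q4", "Vulnerable applications patched within 30 days?", "network", {"yes": 0.0, "partially": 0.5, "no": 1.0}),
    Question("Q5", "User and server networks segmented?", "network", {"yes": 0.0, "no": 1.0}),
]
BY_ID = {q.qid: q for q in QUESTIONS}

# Hypothetical weighting factor on a portion of the answers (claims 3-4): the
# antivirus-recency question counts three times as much as the others.
WEIGHTS = {"Q1": 3.0}

# Constructed threat catalogue: domain -> [(threat, estimated loss if realised)].
THREATS = {
    "endpoint": [("malware infection", 40_000.0)],
    "access": [("credential abuse", 60_000.0)],
    "network": [("lateral movement", 80_000.0), ("exploitation of unpatched service", 50_000.0)],
}


def remaining_questions(answered: Dict[str, str]) -> List[str]:
    """Questions a later user still has to answer (the 'remaining portion' of claim 2)."""
    return [q.qid for q in QUESTIONS if q.qid not in answered]


def merge_answer_sets(answer_sets: List[Dict[str, str]]) -> Dict[str, str]:
    """Combine per-user answer sets; an answer already entered is kept, not overwritten."""
    merged: Dict[str, str] = {}
    for answers in answer_sets:
        for qid, selection in answers.items():
            if selection not in BY_ID[qid].responses:
                raise ValueError(f"{qid}: {selection!r} is not an offered response selection")
            merged.setdefault(qid, selection)
    return merged


def domain_exposure(merged: Dict[str, str]) -> Dict[str, float]:
    """Domain-level exposure value: weighted mean of the answered response values per domain."""
    num: Dict[str, float] = {}
    den: Dict[str, float] = {}
    for qid, selection in merged.items():
        q, w = BY_ID[qid], WEIGHTS.get(qid, 1.0)
        num[q.domain] = num.get(q.domain, 0.0) + w * q.responses[selection]
        den[q.domain] = den.get(q.domain, 0.0) + w
    return {d: num[d] / den[d] for d in num}


def identify_threats(exposure: Dict[str, float], threshold: float = 0.5) -> Dict[str, List[str]]:
    """A domain's catalogued threats count as relevant once its exposure reaches the threshold."""
    return {d: [t for t, _ in THREATS.get(d, [])] if v >= threshold else [] for d, v in exposure.items()}


def estimate_costs(exposure: Dict[str, float], threats: Dict[str, List[str]]) -> Dict[str, float]:
    """Per-domain cost estimate: exposure value times the summed loss of the relevant threats."""
    return {d: exposure[d] * sum(loss for t, loss in THREATS.get(d, []) if t in names)
            for d, names in threats.items()}


def prepare_report(answer_sets: List[Dict[str, str]]) -> Dict[str, dict]:
    """Report for the enterprise: exposure, relevant threats and cost estimate per domain."""
    merged = merge_answer_sets(answer_sets)
    exposure = domain_exposure(merged)
    threats = identify_threats(exposure)
    costs = estimate_costs(exposure, threats)
    return {d: {"exposure": exposure[d], "threats": threats[d], "cost": costs[d]} for d in exposure}


if __name__ == "__main__":
    first = {"Q1": "no", "Q2": "yes", "Q3": "5-20"}          # constructed answers from user 1
    print("presented to user 2:", remaining_questions(first))  # Q4, Q5
    second = {"Q1": "yes", "Q4": "partially", "Q5": "no"}      # Q1 already answered, so it is kept as "no"
    for domain, row in prepare_report([first, second]).items():
        print(domain, row)
```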

As per claim 5, the claim contains similar limitations to claim 2 and is thus rejected with the same rationale.

As per claim 6, Seiver teaches adding information different from the information available within the plurality of questions and/or the plurality of answers, wherein the at least one input control is unavailable in the first interactive survey user interface and the second interactive survey user interface (Seiver: see above & Col. 22 Line 23 – 25 / Line 27 – 28, Figure 15 / E-1506, E-1510, Figure 25C, Figure 16 & Col. 19 Line 48 – 61, Col. 17 Line 30 – 34, Col. 18 Line 18 – 24, Col. 27 Line 41 – 51, Col. 4 Line 66 – Col. 5 Line 26, Col. 21 Line 6 – 23 and Col. 58 Line 52 – 67: (a) a survey with a list of questions (i.e. questionnaire) can be provided to two or more users regarding the security subject matters – either individual users or groups of users (i.e. compared with peers) of a company or enterprise, as well as other organizations such as those located in a different region (e.g. a regional organization as a peer enterprise entity), a company that utilizes multiple networks (i.e. different network users) within the enterprise, etc., and thus (b) a survey with a list of questions (i.e. questionnaire) can be provided to a company that utilizes multiple networks, which would address at least a common part of network security questions and a different (remaining) part of questions associated with each specific network, answered by that network's group of network users (employees) of the company within the enterprise – for example, allowing the user, via the graphic user interface (GUI), to select (assign) the recommended actions (purchasing products or services) to reduce or eliminate the cyber-security risks (issues), such as adding (i.e. purchasing) "Sophos" anti-virus software to improve the baseline security (Seiver: Figure 15 & Figure 16, Col. 21 Line 6 – 23 and Col. 58 Line 52 – 67)).

As per claims 7 & 17, Seiver teaches wherein the overview of cost estimates comprises at least one cyber insurance cost (Seiver: see above & Col. 22 Line 4 – 8: so as to determine cyber insurance rates (costs) w.r.t. the security risk level).

As per claim 8, Seiver teaches wherein the overview of cost estimates comprises a plurality of recommended mitigations to cyber security risk, wherein each recommended mitigation comprises a respective cost estimate (Seiver: Figure 16 / E-1600 & Col. 22 Line 4 – 8 / Line 31 – 40: (a) a survey with a list of questions (i.e. questionnaire) is provided to a company, (b) each question is associated with a respective security domain, (c) the domains of cybersecurity vulnerability (Figure 16 / E-1600) of the enterprise can include security domains such as (at least) (i) network security, (ii) access rights, (iii) a domain of a specific user account level, (iv) a domain of a network device level, (v) a domain of overall user level, (vi) a domain of overall system (network) level, etc., so as to (d) evaluate an insurance cost associated with the cyber security risks – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0199] Line 2 – 4: projecting cyber insurance cost across a number of security domains based on the answers from users to a list of questions)).

As per claim 9, Seiver teaches each mitigation of the plurality of recommended mitigations is associated with a corresponding urgency of application of the respective mitigation (Seiver: see above & Figure 16 / E-1606, Figure 16, Col. 21 Line 6 – 23 and Col. 58 Line 52 – 67: (a) allowing the user to select recommended actions, displayed via a user interface (GUI), for purchasing products or services to reduce or eliminate the cyber-security risks (issues), such as adding (purchasing) a particular security software to improve the baseline security and (b) reflected through a list of TOP INVESTMENTS (w.r.t. urgency) for purchasing a respective software product or service on a basis of priority as needed (Figure 16 / E-1606), such as deploying patches on vulnerable applications, implementing N-factor authentication, reducing enabled high-privilege accounts, etc.).

As per claim 10, Seiver teaches wherein each mitigation of the plurality of recommended mitigations is associated with a number of risks mitigated by the respective mitigation (Seiver: Figure 15 / E-1510 (3rd-Item) & Figure 16 / E-1606).

As per claim 11, Seiver teaches wherein one or more mitigations of the plurality of recommended mitigations is dependent upon first applying another mitigation of the plurality of recommended mitigations (Seiver: Figure 15 & 16 and Col. 22 Line 35 – 40: (a) an improvement of applying different mitigations across different security concerns on a plurality of security domains and (b) recommended by an expert of the insurance provider, such as a recommendation of adding Sophos (anti-virus) software to improve baseline security – as a first prerequisite among the recommended products or services).

As per claim 12, Seiver teaches an expert commentary section including analysis entered by a field agent of a cyber security vulnerability assessment service provider via a field agent user interface comprising the plurality of questions and the plurality of answers (Seiver: Figure 15 & 16 and Col. 22 Line 35 – 40: (e.g.) recommended by an expert of the insurance provider, such as a recommendation of adding Sophos (anti-virus) software to improve baseline security – as a first prerequisite among the recommended products or services).

As per claim 14, Seiver teaches storing user identification data representing the plurality of users, wherein the user identification data comprises a plurality of user identifiers; and each set of answers of the at least two sets of answers is associated with a respective user identifier of the user identification data (Seiver: see above & Col. 11 Line 58 – 60 / Line 41 – 48: (a) a domain-level vulnerability score is determined in conjunction with a percentage of user accounts accessing a particular network node associated with user identification data (a target node is more likely to be compromised if it is less accessed by the users) and accordingly, user account access rights should be tightened further than the available node access, and as such, (b) a vulnerability score when exceeding a threshold percentage (w.r.t. a percentage of user account access to a target node) relative to that of the calculated available domain level (i.e. an average level of available user account access to the target node)).

As per claim 15, Seiver teaches each domain of the plurality of cyber security domains is associated with a respective set of domain-level categories of a plurality of domain-level categories; and each question of the array of question data corresponds to a respective domain level category of a respective cyber security domain (Seiver: see above & Col. 5 Line 27 – 32, Col. 9 Line 58 – 64, Figure 15 / E-1510 & Col. 19 Line 48 – 61, Col. 17 Line 30 – 34, Col. 18 Line 18 – 24, Col. 27 Line 41 – 51 and Col. 4 Line 66 – Col. 5 Line 26: e.g. (a) a relative risk level is compared to other network compromise risk value such as other organizations to establish relative risks associated with the system and network and thus the risk scores associated with other organizations indeed constitutes vulnerability scores for one or more peer enterprises sharing the attributes with the enterprise and (b) adjusting the assessment data (metric) by utilizing a weighting factor to be associated with a particular importance metric to increase (or decrease) significance of the assessment data, wherein (c) the adjustment of the access criteria including a duration of the access time period).  

As per claim 16, Seiver teaches the domain exposure value of each domain of the plurality of cyber security domains, and at least one control for adjusting the domain exposure value associated with a given domain of the plurality of cyber security domains; and the operations comprise receiving, from a remote computing system via the interactive report, adjustment of a first control of the at least one control, and adjusting, responsive to an updated value of the corresponding domain of the plurality of cyber security domains, at least one cost estimation of the plurality of cost estimations (Seiver: see above and Figure 11 / E-1106 & E-1112 and Figure 15 / 16: as shown in FIG. 11, Figure 15 / E-1502, E-1508, E-1512 & Figure 16 / E-1606, Col. 40 Line 60 – 64 / Line 39 – 45 / Line 46 – 48, Col. 44 Line 39 – 50, Col. 21 Line 6 – 23, Col. 58 Line 52 – 67 and Col. 32 Line 12 – 32: (a) "before" monitoring (obtaining) assessment data, determining the risk values (scores) (FIG. 11 / E-1106) so as to evaluate the improvements after implementing the recommended security actions (see above) and (b) after reducing (improving) the privileged user accounts, applying an anti-virus software (e.g. Sophos) or implementing two-factor authentication based on the recommended actions, indicating a progress (efficacy) of improvements by displaying, via a GUI (user interface), an improvement (adjustment) of the risk value (score) and an indication of the analysis trend of vulnerability).

As per claim 18, Seiver teaches wherein each cost estimation of at least a portion of the plurality of cost estimations is associated with a respective implementation time (Seiver: Figure 15 / E-1502, E-1508, E-1512 & Figure 16 / E-1606 and Col. 40 Line 60 – 64 / Line 39 – 45 / Line 46 – 48: a plurality of selectable elements as a list of recommended actions can be configured by the system to enable the user to select (i.e. click on “assign”) and evaluate (i.e. click on “view”) from the GUI interface to manage respective arrangements onto the timeline so as to prepare a plan for the corresponding products or services (e.g. adding the (Sophos) anti-virus security software).  

As per claim 19, Seiver teaches wherein each cost estimation of at least a portion of the plurality of cost estimations is associated with a respective service provider (Seiver: Figure 15 & 16 and Col. 22 Line 35 – 40: (e.g.) recommended by an expert of a respective insurance provider, such as a recommendation of adding Sophos (anti-virus) software to improve baseline security – as a first prerequisite among the recommended products or services).

As per claim 19, Seiver teaches cost estimations for each product and/or service of a plurality of products and/or services for mitigating cyber security risk exposure (Seiver: Figure 15 & Figure 16, Col. 21 Line 6 – 23 and Col. 58 Line 52 – 67: allowing the user, via the graphic user interface (GUI), to select (assign) the recommended actions (purchasing product or services) to reduce or eliminate the cyber-security risks (issues) such as adding (i.e. purchasing) “Sophos” anti-virus software to improve the baseline security).  

As per claim 20, Seiver teaches wherein the plurality of products and/or services are arranged in the report according to a respective impact on cyber security risk exposure (Seiver: see above & Figure 15 & Figure 16).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2359 – 2022
---------------------------------------------------