DETAILED ACTION
	Claims 1-11, 15-21, 24, and 28 are presented on 12/18/2020 for examination on merits.  Claims 1, 15, and 24 are independent base claims.  Claims 12-14, 22-23, 25-27 are cancelled by preliminary amendment on 12/18/2020.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding the claims in response to the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted for examination on merits is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-11, 15-21, 24, and 28 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 10,904,282 B2 (hereinafter “USPAT 282”). 
Although the claims at issue are not identical, they are not patentably distinct from each other because they claim the same subject matter of monitoring the policy holder's computer network for cybersecurity threats and determining the risk level.

	Regarding claim 1, USPAT 282 anticipates:
A method of assessing cybersecurity risk of a computer network, the computer network having a cybersecurity risk parameter with a first value on a scale indicative of a cybersecurity risk level of the computer network at a first time (USPAT 282, CLM. 1: A method of assessing cybersecurity risk of a computer network, the computer network having a cybersecurity risk parameter with a first value on a scale indicative of a cybersecurity risk level of the computer network at a first time), the method comprising: 
employing a processor to execute a cybersecurity risk program including computer-executable instructions stored on a non-transitory computer-readable medium causing the processor to perform steps (USPAT 282, CLM. 1: employing a processor to execute a cybersecurity risk program including computer-executable instructions stored on a non-transitory computer-readable medium causing the processor to perform steps) including: 
receiving input data associated with the computer network at a second time, the second time being different from the first time, the input data corresponding to operational characteristics of the computer network at the second time (USPAT 282, CLM. 1: receiving input data associated with the computer network at a second time, the second time being different from the first time, the input data corresponding to operational characteristics of the computer network at the second time), 
analyzing the operational characteristics of the computer network using a risk model to determine a second value of the cybersecurity risk parameter at the second time, the risk model including a number of data fields configured to determine a value on the scale indicative of the cybersecurity risk level of the computer network, at least one operational characteristic of the computer network from the input data being used in at least one data field of the risk model (USPAT 282, CLM. 1: analyzing the operational characteristics of the computer network using a risk model to determine a second value of the cybersecurity risk parameter at the second time, the risk model including a number of data fields configured to determine a value on the scale indicative of the cybersecurity risk level of the computer network, at least one operational characteristic of the computer network from the input data being used in at least one data field of the risk model), and 
transmitting the second value of the cybersecurity risk parameter at the second time to a client portal for display in a graphical user interface (USPAT 282, CLM. 1: transmitting the second value of the cybersecurity risk parameter at the second time to a client portal for display in a graphical user interface).  
Independent claims 15 and 24 are rejected for the same reason as claim 1, because they each recite the same limitations in similar language.
Regarding dependent claims 2-11, 16-21, and 28 of the present application, they are obvious variants of the same subject matter as found in the reference application, and thereby rejected under the judicially created doctrine of obviousness-type double patenting.

Claim Interpretation - 35 USC § 112(f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

Claims 15-21 contain limitation(s) invoking 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, as detailed in the following.
Each of the following Claim limitations
Claim 15: the cyber risk calculation module configured to receive input data associated with the computer network at a second time;
Claim 15: the display module configured to transmit the second value of the cybersecurity risk parameter at the second time via the web-enabled interface to the client portal for display in a graphical user interface…; 
Claim 16: a forecast module, the forecast module configured … to analyze the operational characteristics of the computer network at the second time...;
Claim 16: the display module is configured to transmit the forecasted value of the cybersecurity risk parameter via the web-enabled interface to the client portal for display in the graphical user interface…;
Claim 17: the cyber risk calculation module is configured to analyze the operational characteristics of the computer network using the risk model to determine a residual risk score …; 
Claim 17: the display module is configured to transmit the residual risk score via the web-enabled interface to the client portal for display in the graphical user interface...;
Claim 18: the business impact module calculates the business impact value based upon asset data from the data storage device…;
Claim 19: the monitoring module configured to monitor a data feed received from a cybersecurity system installed within the computer network for a valid threat alert…;
Claim 19: the display module is configured, … to transmit an alert message via the web-enabled interface to the client portal…;
Claim 20: the monitoring module configured to monitor a data feed received from a cybersecurity system installed within the computer network…;
Claim 21: a cybersecurity risk reduction module configured to select a cybersecurity control from a set of cybersecurity controls not present within the computer network…;
Claim 21: the display module is configured to transmit data concerning the selected cybersecurity control via the web-enabled interface to the client portal for display in the graphical user interface…
has/have been interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because it uses/they use a generic placeholder “module” coupled with functional language without reciting sufficient structure to achieve the function.  Furthermore, the generic placeholder is not preceded by a structural modifier.  
Since the claim limitation(s) invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, claim(s) 15-21 has/have been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.  
A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph limitation: the modules are a unit of code that performs a software operation; par. 0068.
If applicant wishes to provide further explanation or dispute the examiner’s interpretation of the corresponding structure, applicant must identify the corresponding structure with reference to the specification by page and line number, and to the drawing, if any, by reference characters in response to this Office action. 
If applicant does not intend to have the claim limitation(s) treated under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may amend the claim(s) so that it/they will clearly not invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claim recites/recite sufficient structure, material, or acts for performing the claimed function to preclude application of 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
For more information, see MPEP § 2173 et seq. and Supplementary Examination Guidelines for Determining Compliance With 35 U.S.C. 112 and for Treatment of Related Issues in Patent Applications, 76 FR 7162, 7167 (Feb. 9, 2011).

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claim 2 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claim 2 recites another instance of “input data” unclearly in the receiving step without referring to the input data defined in claim 1.  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-2, 6, 15, and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Hamby (US 20160239665 A1) in view of Ahmed (US 20160381074 A1).

As per claim 1, Hamby teaches a method of assessing cybersecurity risk of a computer network, the computer network having a cybersecurity risk parameter with a first value on a scale indicative of a cybersecurity risk level of the computer network at a first time (Hamby, par. 0070-0073 and 0077: initial questions-questionnaire; the reasoning engine 230 may use the questionnaire responses…to estimate a risk level or ranking: par. 0079: the insurance provider and/or insurance consumer may optionally take some action, such as, for example, changing policy premiums to account for a higher or lower risk level than originally estimated), the method comprising: 
employing a processor to execute a cybersecurity risk program including computer-executable instructions stored on a non-transitory computer-readable medium (Hamby, 0024: the computer readable medium contains further instructions for a processor to generate a plurality of recommended security controls based on the list of mitigated and non-mitigated cyber risk – first ranking) causing the processor to perform steps including: 
receiving input data associated with the computer network at a second time, the second time being different from the first time, the input data corresponding to operational characteristics of the computer network at the second time (Hamby, par. 0011: a second ranking for each of the recommended security controls using a machine learning algorithm; par. 0019: calculate a second ranking; par. 0077-0078: user input), 
analyzing the operational characteristics of the computer network using a risk model to determine a second value of the cybersecurity risk parameter at the second time (Hamby, par. 0103-0104: calculating a second ranking for each of the recommended security controls using a machine learning algorithm) … and 
transmitting the second value of the cybersecurity risk parameter at the second time to a client portal for display in a graphical user interface (Hamby, FIG. 8D shows risk assessment in response to user input, which provides a second ranking of the cybersecurity risk at the second time).  
However, Hamby does not explicitly disclose a number of data fields associated with the risk model being configured to determine a value on the scale indicative of the cybersecurity risk level of the computer network.  This aspect of the claim is identified as a difference.
In a related art, Ahmed discloses:
the risk model including a number of data fields configured to determine a value on the scale indicative of the cybersecurity risk level of the computer network, at least one operational characteristic of the computer network from the input data being used in at least one data field of the risk model (Ahmed, par. 0063-0066: risk values can be a combined value as favorable (1) or unfavorable (0). Risk values on different scales, including binary values, i.e., a number of data fields, can be combined using some baselining or normalization method for analyzing one or more configurable risk elements associated with the network; par. 0069).
Hamby and Ahmed are analogous art, because they are in a similar field of endeavor in improving risk analysis techniques.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hamby’s security control server and monitor engine with Ahmed to add data fields that can be used to determine a value on the scale indicative of the cybersecurity risk level of the computer network.  For this combination, the motivation would have been to improve the risk analysis modeling of Hamby’s system with an added scale factor indicative of the cybersecurity risk level such that the risk level can be made to suit a particular computer network.


As per claim 2, the references as combined above teach the method of claim 1, wherein the computer-executable instructions of the cybersecurity risk program further cause the processor to perform further steps including: 
receiving input data associated with, and corresponding to operational characteristics of, the computer network the computer network at a third time, the third time being different from both the first time and the second time (Hamby, par. 0021-0024: continuously and automatically monitor … and calculate a ranking), 
analyzing the operational characteristics of the computer network at the third time using the risk model to determine a third value of the cybersecurity risk parameter at the third time (Hamby, par. 0116-0117: machine learning for analysis based on input and generating the heuristic ranking), 
generating risk score trend data of the computer network based upon at least two of the first value, the second value, and the third value (Hamby, par. 0079-0080: adding new security controls to mitigate additional threats, and other actions; generate a ranked list of recommended security controls 237), and 
transmitting the risk score trend data to the client portal for display in the graphical user interface (Hamby, par. 0127-0128: transmitting the external monitoring configuration to an insured device ... and the alert to one or more client devices 105 via network interface 210).  

As per claim 6, the references of Hamby and Ahmed as combined above teach the method of claim 1, Hamby also teaches: 
wherein the input data associated with the computer network at the second time is received via a data feed from a cybersecurity system installed within the computer network (Hamby, par. 0137-0138: user input such as, for example, a mouse click, additional interactive options 802a-c may be displayed … In response to user input on the “configure” interactive option 802d, the workspace display may generate an interactive menu 830 of security risks that may be monitored and controlled and are applicable to the risk transfer transaction.  Here the mouse click, for example, provides a data feed). 

As per claim 15, Hamby teaches a system for assessing cybersecurity risk of a computer network, the system comprising: 
a non-transitory computer-readable medium including a cybersecurity risk program (Hamby, par. 0123-0124: non-transitory computer-readable medium 742); 
a cybersecurity processor in operable arrangement with the computer-readable medium, the cybersecurity processor configured to execute the cybersecurity risk program contained on the computer-readable medium (Hamby, par. 0123-0124: non-transitory computer-readable medium 742); and 
a data storage device in operable arrangement with the cybersecurity processor, the data storage device including a cybersecurity risk parameter with a first value on a scale indicative of a cybersecurity risk level of the computer network at a first time (Hamby, par. 0070-0073 and 0077: initial questions-questionnaire; the reasoning engine 230 may use the questionnaire responses…to estimate a risk level or ranking: par. 0079: the insurance provider and/or insurance consumer may optionally take some action); 
a web-enabled interface in communicative relationship with the cybersecurity processor and the data storage device to exchange information with a client portal (Hamby, par. 0056-0057: use a network interface 210 to exchange one or more messages or information to users, or client devices 105, as well as an insured device 115, via a network 110. In some embodiments, a delivery protocol may be used by the security control server 100 for transmitting such messages over network 110); 
wherein the cybersecurity risk program includes a cyber risk calculation module and a display module, 
the cyber risk calculation module configured to receive input data associated with the computer network at a second time (Hamby, par. 0017-0021: continuously and automatically monitoring each of the one or more security controls implemented in the insured device. In some embodiments, the method may further include the step of generating, by the security control server, a report indicating a change in the operation status or performance of one or more of the one or more security controls implemented in the insured device), the second time being different from the first time, the input data corresponding to operational characteristics of the computer network at the second time (Hamby, par. 0011: a second ranking for each of the recommended security controls using a machine learning algorithm; par. 0019: calculate a second ranking; par. 0077-0078: user input), and to analyze operational characteristics of the computer network at the second time using a risk model to determine a second value of the cybersecurity risk parameter at the second time, … at least one operational characteristic of the computer network from the input data being used in at least one data field of the risk model (Hamby, par. 0103-0104: calculating a second ranking for each of the recommended security controls using a machine learning algorithm), and 
the display module configured to transmit the second value of the cybersecurity risk parameter at the second time via the web-enabled interface to the client portal for display in a graphical user interface (Hamby, FIG. 8D shows risk assessment in response to user input, which provides a second ranking of the cybersecurity risk at the second time).  
However, Hamby does not explicitly disclose a number of data fields associated with the risk model being configured to determine a value on the scale indicative of the cybersecurity risk level of the computer network.  This aspect of the claim is identified as a difference.
In a related art, Ahmed discloses:
the risk model including a number of data fields configured to determine a value on the scale indicative of the cybersecurity risk level of the computer network (Ahmed, par. 0063-0066: risk values can be a combined value as favorable (1) or unfavorable (0). Risk values on different scales, including binary values, i.e., a number of data fields, can be combined using some baselining or normalization method for analyzing one or more configurable risk elements associated with the network; par. 0069).
Hamby and Ahmed are analogous art, because they are in a similar field of endeavor in improving risk analysis techniques.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hamby’s security control server and monitor engine with Ahmed to add data fields that can be used to determine a value on the scale indicative of the cybersecurity risk level of the computer network.  For this combination, the motivation would have been to improve the risk analysis modeling of Hamby’s system with an added scale factor indicative of the cybersecurity risk level such that the risk level can be made to suit a particular computer network.

As per claim 24, Hamby teaches a method of monitoring cybersecurity risk of a computer network, the computer network having a cybersecurity risk parameter with a first value on a scale indicative of a cybersecurity risk level of the computer network at a first time (Hamby, par. 0070-0073 and 0077: initial questions-questionnaire; the reasoning engine 230 may use the questionnaire responses…to estimate a risk level or ranking: par. 0079: the insurance provider and/or insurance consumer may optionally take some action, such as, for example, changing policy premiums to account for a higher or lower risk level than originally estimated), the method comprising: 
actively monitoring the computer network via a cybersecurity system installed within the computer network, the cybersecurity system configured to generate operational data relating to the computer network at a second time, the second time being different from the first time (Hamby, par. 0020: monitoring configuration to the insured device; and receive an alert from the insured device; par. 0021-0024: continuously and automatically monitor … and calculate a ranking); 
employing a processor to execute a cybersecurity risk program including computer-executable instructions stored on a non-transitory computer-readable medium (Hamby, 0024: the computer readable medium contains further instructions for a processor to generate a plurality of recommended security controls based on the list of mitigated and non-mitigated cyber risk – first ranking) causing the processor to perform steps including: 
analyzing the operational data of the computer network to determine input data corresponding to operational characteristics of the computer network (Hamby, par. 0103-0104: calculating a second ranking for each of the recommended security controls using a machine learning algorithm), 
transmitting the input data to a risk model configured to determine a second value of the cybersecurity risk parameter at the second time … (Hamby, FIG. 8D shows risk assessment in response to user input, which provides a second ranking of the cybersecurity risk at the second time).  
However, Hamby does not explicitly disclose a number of data fields associated with the risk model being configured to determine a value on the scale indicative of the cybersecurity risk level of the computer network.  This aspect of the claim is identified as a difference.
In a related art, Ahmed discloses:
the risk model including a number of data fields configured to determine a value on a scale indicative of the cybersecurity risk level of the computer network, at least one operational characteristic of the computer network from the input data being used in at least one data field of the risk model (Ahmed, par. 0063-0066: risk values can be a combined value as favorable (1) or unfavorable (0). Risk values on different scales, including binary values, i.e., a number of data fields, can be combined using some baselining or normalization method for analyzing one or more configurable risk elements associated with the network; par. 0069).
Hamby and Ahmed are analogous art, because they are in a similar field of endeavor in improving risk analysis techniques.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hamby’s security control server and monitor engine with Ahmed to add data fields that can be used to determine a value on the scale indicative of the cybersecurity risk level of the computer network.  For this combination, the motivation would have been to improve the risk analysis modeling of Hamby’s system with an added scale factor indicative of the cybersecurity risk level such that the risk level can be made to suit a particular computer network.
  
Claims 4 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Hamby and Ahmed, as applied to claim 1, further in view of Mo (US 20190034845 A1).

As per claim 4, the references of Hamby and Ahmed as combined above teach the method of claim 1, but do not explicitly disclose the residual risk score calculation based upon a control effectiveness value deducted from a product of a threat likelihood value and a business impact value.  This aspect of the claim is identified as a further difference.
In a related art, Mo teaches:
wherein the risk model includes a threat likelihood module, a business impact module, and a control effectiveness module (Mo, par. 0093 and 0100: the likelihood), and 
wherein the operational characteristics of the computer network are analyzed using the risk model to determine a residual risk score (Mo, par. 0102-0103: a low total score), the residual risk score being based upon a control effectiveness value from the control effectiveness module being deducted from a product of a threat likelihood value from the threat likelihood module and a business impact value from the business impact module (Mo, par. 0094:  The portfolio cybersecurity risk level can be … a mathematical product of, e.g., (1) the multiplier, and (2) an initial portfolio risk level or some other default or standardized value; see par. 0093 and 0095 for cybersecurity risk level [that] represents the likelihood one or more companies in a portfolio will experience a cybersecurity event in view of its degree of similarity to a company or companies that experienced such an event).  
Mo is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hamby’s system with the improved calculation of risk score.  For this combination, the motivation would have been to improve the risk analysis of the computer network with another risk score calculation.

As per claim 17, the references as combined above teach the system of claim 15, but do not explicitly disclose the residual risk score calculation based upon a control effectiveness value deducted from a product of a threat likelihood value and a business impact value.  This aspect of the claim is identified as a further difference.
In a related art, Mo teaches:
wherein the risk model includes a threat likelihood module, a business impact module, and a control effectiveness module (Mo, par. 0093 and 0100: the likelihood), and 
wherein the cyber risk calculation module is configured to analyze the operational characteristics of the computer network using the risk model to determine a residual risk score (Mo, par. 0102-0103: a low total score), the residual risk score being based upon a control effectiveness value from the control effectiveness module being deducted from a product of a threat likelihood value from the threat likelihood module and a business impact value from the business impact module, and wherein the display module is configured to transmit the residual risk score via the web-enabled interface to the client portal for display in the graphical user interface (Mo, par. 0094: The portfolio cybersecurity risk level can be … a mathematical product of, e.g., (1) the multiplier, and (2) an initial portfolio risk level or some other default or standardized value; see par. 0093 and 0095 for cybersecurity risk level [that] represents the likelihood one or more companies in a portfolio will experience a cybersecurity event in view of its degree of similarity to a company or companies that experienced such an event).
Mo is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Hamby’s system with the improved calculation of risk score. For this combination, the motivation would have been to improve the risk analysis of the computer network with another risk score calculation.

Claims 5 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hamby and Ahmed and Mo, as applied to claim 4, further in view of Yampolskiy (US 20170048267 A1; hereinafter “Yamp”).

As per claim 5, the references of Hamby and Ahmed and Mo as combined above teach the method of claim 4, but do not explicitly disclose calculating the business impact value based upon asset data associated with an operational configuration of the computer network. This aspect of the claim is identified as a further difference.
In a related art, Yamp teaches:
wherein the business impact module calculates the business impact value based upon asset data associated with an operational configuration of the computer network (Yamp, par. 0019 and 0078: business impact; For each of the companies in the benchmark group, the scorecard system 200 may calculate a normalized overall cybersecurity risk score in addition to normalized security scores for each of the different types of data that impacts overall cybersecurity).  
Yamp is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis techniques. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Hamby-Ahmed-Mo system with Yamp to use asset data associated with an operational configuration to calculate the business impact. For this combination, the motivation would have been to improve the risk analysis by calculating the business impact.

As per claim 18, the references of Hamby and Ahmed and Mo as combined above teach the system of claim 17, but do not explicitly disclose calculating the business impact value based upon asset data associated with an operational configuration of the computer network. This aspect of the claim is identified as a further difference.
In a related art, Yamp teaches:
wherein the business impact module calculates the business impact value based upon asset data from the data storage device, the asset data associated with an operational configuration of the computer network (Yamp, par. 0019 and 0078: business impact; For each of the companies in the benchmark group, the scorecard system 200 may calculate a normalized overall cybersecurity risk score in addition to normalized security scores for each of the different types of data that impacts overall cybersecurity).  
Yamp is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis techniques. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Hamby-Ahmed-Mo system with Yamp to use asset data associated with an operational configuration to calculate the business impact. For this combination, the motivation would have been to improve the risk analysis by calculating the business impact.

Claims 7-9, 19-20, and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Hamby and Ahmed, as applied to claim 1, further in view of Yampolskiy (US 20170048267 A1; hereinafter “Yamp”).

As per claim 7, the references as combined above teach the method of claim 6, but do not explicitly disclose responding to a valid threat alert with an alert message displayed at the client portal. This aspect of the claim is identified as a further difference.
In a related art, Yamp teaches:
the computer-executable instructions of the cybersecurity risk program further cause the processor to monitor the data feed from the cybersecurity system installed within the computer network for a valid threat alert (Yamp, par. 0012 and 0088: generate alerts to trigger further attention; par. 0038-0040: validating threats, such as, for example, by confirming that an event creating data that indicates the presence of a malware event is in fact a malware event), and, 
in response to receiving the valid threat alert, transmitting an alert message to the client portal for display in the graphical user interface (Yamp, par. 0038-0040: validating threats; par. 0088: an alert which can be transmitted to a representative of the entity or simply displayed an output, for example on a user interface or output display, such as the output displays illustrated in FIGS. 7-11; par. 0090-0091: an alert comprises a real-time e-mail, which sends recommendations for an entity, such as a network administrator).  
Yamp is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis techniques. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Hamby-Ahmed system with Yamp’s technique of validating the threat alert and responding to it with an alert message. For this combination, the motivation would have been to improve the client’s awareness of the valid alert.

As per claim 8, the references as combined above teach the method of claim 6, but do not explicitly disclose monitoring the data feed from the cybersecurity system installed within the computer network for a valid threat alert. This aspect of the claim is identified as a further difference.
In a related art, Yamp teaches:
wherein the computer-executable instructions of the cybersecurity risk program further cause the processor to monitor the data feed from the cybersecurity system installed within the computer network for a valid threat alert (Yamp, par. 0020: tracking and monitoring… to allow the cybersecurity risk score for an entity to be updated via real-time monitoring; par. 0038-0040: validating threats, such as, for example, by confirming that an event creating data that indicates the presence of a malware event is in fact a malware event), and, 
in response to receiving the valid threat alert, to actively modify the computer network by implementing a protective measure configured to reduce the threat (Yamp, par. 0020: track its historical performance and be proactive in preventing a cybersecurity threat). 
Yamp is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis techniques. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Hamby-Ahmed system with Yamp’s technique of validating the threat alert and responding to it with an alert message. For this combination, the motivation would have been to improve the client’s response to a valid alert.

As per claim 9, the references as combined above teach the method of claim 6, but do not explicitly disclose transmitting a threat alert message concerning the cybersecurity threat to the client portal for display in the graphical user interface independent of whether the cybersecurity threat is detected within the computer network. This aspect of the claim is identified as a further difference.
In a related art, Yamp teaches:
wherein the computer-executable instructions of the cybersecurity risk program further cause the processor, in response to receiving an alert input concerning a cybersecurity threat, to transmit a threat alert message concerning the cybersecurity threat to the client portal for display in the graphical user interface independent of whether the cybersecurity threat is detected within the computer network (Yamp, par. 0038-0040: validating threats, such as, for example, by confirming that an event creating data that indicates the presence of a malware event is in fact a malware event; par. 0045-0047: the scorecard system 200 can identify one or more data sources from which to collect one or more types of data relating to the entity's cybersecurity, and sending e-mail).  
Yamp is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis techniques. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Hamby-Ahmed system with Yamp’s technique of validating the threat alert and responding to it with an alert message. For this combination, the motivation would have been to improve the client’s response to a threat alert.

As per claim 19, the references as combined above teach the system of claim 15, but do not explicitly disclose responding to a valid threat alert with an alert message displayed at the client portal. This aspect of the claim is identified as a further difference.
In a related art, Yamp teaches:
wherein the cybersecurity risk program further includes a monitoring module, the monitoring module configured to monitor a data feed received from a cybersecurity system installed within the computer network for a valid threat alert (Yamp, par. 0012 and 0088: generate alerts to trigger further attention), and 
wherein the display module is configured, in response to the monitoring module receiving the valid threat alert, to transmit an alert message via the web-enabled interface to the client portal for display in the graphical user interface (Yamp, par. 0038-0040: validating a threat; par. 0088: an alert which can be transmitted to a representative of the entity or simply displayed an output, for example on a user interface or output display, such as the output displays illustrated in FIGS. 7-11; par. 0090-0091: an alert comprises a real-time e-mail, which sends recommendations for an entity, such as a network administrator).  
Yamp is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis techniques. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Hamby-Ahmed system with Yamp’s technique of validating the threat alert and responding to it with an alert message. For this combination, the motivation would have been to improve the client’s awareness of the valid alert.

As per claim 20, the references as combined above teach the system of claim 15, but do not explicitly disclose monitoring the data feed from the cybersecurity system installed within the computer network for a valid threat alert. This aspect of the claim is identified as a further difference.
In a related art, Yamp teaches:
wherein the cybersecurity risk program further includes a monitoring module, the monitoring module configured to monitor a data feed received from a cybersecurity system installed within the computer network for a valid threat alert (Yamp, par. 0020: tracking and monitoring… to allow the cybersecurity risk score for an entity to be updated via real-time monitoring; par. 0038-0040: validating threats… confirming that an event … is in fact a malware event), and, 
in response to receiving the valid threat alert, to actively modify the computer network by implementing a protective measure configured to reduce the threat (Yamp, par. 0020: track its historical performance and be proactive in preventing a cybersecurity threat). 
Yamp is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis techniques. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Hamby-Ahmed system with Yamp’s technique of validating the threat alert and responding to it with an alert message. For this combination, the motivation would have been to improve the client’s response to a valid alert.

As per claim 28, the references as combined above teach the method of claim 24, but do not explicitly disclose a data feed from the cybersecurity system for determining whether a valid cybersecurity threat pertains to the computer network. This aspect of the claim is identified as a further difference.
In a related art, Yamp teaches:
 wherein the computer-executable instructions of the cybersecurity risk program further cause the processor to transmit a data feed from the cybersecurity system installed within the computer network, the data feed configured to be used to determine whether a valid cybersecurity threat pertains to the computer network (Yamp, par. 0038-0040: validating threats ... the event is in fact a malware event; par. 0020: tracking and monitoring… to allow the [updates] for real-time monitoring; par. 0045-0047: identify one or more data sources from which to collect one or more types of data relating to the entity's cybersecurity).
Yamp is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis techniques. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Hamby-Ahmed system with Yamp’s technique of using a data feed to determine whether a valid cybersecurity threat pertains to the computer network. For this combination, the motivation would have been to improve the detection of a valid threat.

Claims 10 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Hamby and Ahmed, as applied to claim 1, further in view of Vescio (US 9747570 B1).

As per claim 10, the references as combined above teach the method of claim 6, but do not explicitly disclose selecting a cybersecurity control from a set of cybersecurity controls not present within the computer network, the selected cybersecurity control determined by calculating a relative effectiveness value for each of the set of cybersecurity controls and identifying the highest relative effectiveness value and to transmit data concerning the selected cybersecurity control to the client portal for display in the graphical user interface.  This aspect of the claim is identified as a further difference.
In a related art, Vescio teaches:
wherein the computer-executable instructions of the cybersecurity risk program further cause the processor to select a cybersecurity control from a set of cybersecurity controls not present within the computer network, the selected cybersecurity control determined by calculating a relative effectiveness value for each of the set of cybersecurity controls and identifying the highest relative effectiveness value and to transmit data concerning the selected cybersecurity control to the client portal for display in the graphical user interface (Vescio, col. 13, lines 17-28: one or more effectiveness values that may be generated and output 912; col. 13, lines 35-39: a control effectiveness value may be provided on a scale, such that potential control effectiveness values may include "significant," "high," "reasonable," "moderate," "limited," "very limited," or "none/no control effectiveness." See chart 1408 of FIG. 14 for display in the graphical user interface).
Vescio is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to use Vescio’s control effectiveness value to modify the Hamby-Ahmed system to include a step for selecting a cybersecurity control from a set of cybersecurity controls not present within the computer network. For this combination, the motivation would have been to improve the risk analysis of the computer network.

As per claim 21, the references as combined above teach the system of claim 15, but do not explicitly disclose selecting a cybersecurity control from a set of cybersecurity controls not present within the computer network, the selected cybersecurity control determined by calculating a relative effectiveness value for each of the set of cybersecurity controls and identifying the highest relative effectiveness value and to transmit data concerning the selected cybersecurity control to the client portal for display in the graphical user interface.  This aspect of the claim is identified as a further difference.
In a related art, Vescio teaches:
wherein the cybersecurity risk program further includes a cybersecurity risk reduction module configured to select a cybersecurity control from a set of cybersecurity controls not present within the computer network (Yamp, par. 0045-0047: the scorecard system 200 can identify one or more data sources from which to collect one or more types of data relating to the entity's cybersecurity, and sending e-mail), the selected cybersecurity control determined by calculating a relative effectiveness value for each of the set of cybersecurity controls and identifying the highest relative effectiveness value, and wherein the display module is configured to transmit data concerning the selected cybersecurity control via the web-enabled interface to the client portal for display in the graphical user interface (Vescio, col. 13, lines 17-28: one or more effectiveness values that may be generated and output 912; col. 13, lines 35-39: a control effectiveness value may be provided on a scale, such that potential control effectiveness values may include "significant," "high," "reasonable," "moderate," "limited," "very limited," or "none/no control effectiveness." See chart 1408 of FIG. 14 for display in the graphical user interface).
Vescio is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to use Vescio’s control effectiveness value to modify the Hamby-Ahmed system to include a step for selecting a cybersecurity control from a set of cybersecurity controls not present within the computer network. For this combination, the motivation would have been to improve the risk analysis of the computer network.


Allowable Subject Matter
Claims 3, 11, and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claims 3, 11, and 16 each recite elements of “in response to receiving a forecast request from the client portal for at least one of a set of cybersecurity controls not present within the computer network, to analyze the operational characteristics of the computer network at the second time modified by assuming said at least one of the set of cybersecurity controls not present within the computer network is implemented in the computer network using the risk model to determine a forecasted value of the cybersecurity risk parameter and to transmit the forecasted value of the cybersecurity risk parameter to the client portal for display in the graphical user interface” or similar features. These features, in combination with the other limitations in claims 1, 10, and 15, are neither anticipated by nor made obvious over the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/
Primary Examiner, Art Unit 2493
06/03/2022