DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This written action responds to the Request for Continued Examination (RCE) dated May 24, 2022 and submitted by the Representative for the Applicant.
In the Request for Continued Examination (RCE) dated May 24, 2022, claims 1, 7-8 and 14-15 have been amended, claims 22-23 have been canceled, and claims 24-25 have been added.
Claims 1, 3-8, 10-15, 17-21 and 24-25 are submitted for examination.
Claims 1, 3-8, 10-15, 17-21 and 24-25 are currently pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/24/2022 has been entered.

Response to Arguments
In Applicant’s remarks, filed on May 24, 2022, claims 1, 7-8 and 14-15 have been amended, claims 22-23 have been canceled, claims 24-25 have been added, and all other claims are as previously presented. Among the amended claims, claims 1, 8 and 15 are independent.
Applicant’s remark, filed on May 24, 2022 at page 9, indicates, “Claim 1, as amended, recites some features of previously presented dependent claim 7. For example, claim 1 recites in part, "determining, based on a frequency of interaction with threat vectors for each of the plurality of network users, a vulnerability index for each of the plurality of network users." Rambo describes "acquiring a vulnerability," which may "include weaknesses of, for example, operating systems, firmware, particular software applications, and the like." Rambo, col. 4, lines 43-45. Rambo further describes that "the vulnerability is acquired automatically, such as when a vulnerability is received from a third party vendor or governmental agency." Rambo, col. 4, lines 51-53. Rambo fails to describe, however, "determining, based on a frequency of interaction with threat vectors for each of the plurality of network users, a vulnerability index for each of the plurality of network users," as recited in claim 1. Parker is not cited for these features. Accordingly, Rambo, Parker, or any combination thereof fails to disclose, teach, or suggest the features of claim 1. Withdrawal of the rejection is respectfully requested.”
Applicant’s argument has been considered and is found persuasive. Therefore, the previous prior-art rejection is withdrawn. However, Applicant’s amendment necessitates a new ground of rejection.
Accordingly, a new ground of rejection based on the newly identified prior art by Yu et al. (US 2017/0331849), hereinafter Yu, has been applied to the amendment. Yu discloses systems, a computer program product, and a method for identifying threat vectors and implementing controls for securing resources within a network, and for dynamically generating a graphical representation of the resource and the one or more threat vectors based on at least the received analysis request (See Abstract). Specifically, Yu discloses how to determine a frequency score associated with each of the one or more threat vectors, wherein the frequency score indicates a number of occurrence of a threat via each of the one or more threat vectors; determine a magnitude of impact score associated with each of the one or more threat vectors, wherein the magnitude of impact score indicates a consequence of a loss event caused via each of the one or more threat vectors; determine a strength associated with each of the one or more controls associated with each of the one or more threat vectors; determine an exposure score associated with each of the one or more threat vectors based on at least the frequency score, the magnitude of impact score, and the strength associated with each of the one or more controls associated with each of the one or more threat vectors. Therefore, Yu teaches the amended limitation “determining, based on a frequency of interaction with threat vectors for each of the plurality of network users, a vulnerability index for each of the plurality of network users” (See rejection below).
Examiner respectfully submits that the new combination of Rambo in view of Yu and Parker would render the claimed limitations of the newly amended independent claim obvious.
Applicant’s remark, filed on May 24, 2022 at pages 9-10, indicates, “Claims 8 and 15 recite similar, though not identical, features to those recited in claim 1. For at least similar reasons as those described above with regard to claim 1, claims 8 and 15 are allowable over Rambo, Parker, or any combination thereof. Withdrawal of the rejection is respectfully requested.”
Applicant’s argument has been considered and is addressed based on the same rationale presented for the amended independent claim 1.
Regarding dependent claims 3-4, 6-7, 10-11, 13-14, 17-18 and 20 please refer to the aforementioned response, which addresses how the new combination of prior-art references by Rambo in view of Yu and Parker would render the claimed limitations obvious.
Regarding dependent claims 5, 12 and 19 please refer to the aforementioned response, which addresses how the new combination of prior-art references by Rambo in view of Yu, Parker and Voss would render the claimed limitations obvious.
Regarding dependent claim 21 please refer to the aforementioned response and rejection, which addresses how the new combination of prior-art references by Rambo in view of Yu, Parker and Schultz would render the claimed limitations obvious.
Regarding the newly added dependent claims 24 and 25, Applicant’s arguments have been considered, and the newly added claims 24-25 necessitate a new ground of rejection.
Accordingly, a new ground of rejection based on the newly identified prior art by Sweeney et al. (US 2019/0253447), hereinafter Sweeney, has been applied to the newly added dependent claims 24 and 25. Specifically, Sweeney discloses a method for assessing a cyber security risk, and the method comprises the steps of obtaining cyber security precursor information from a plurality of sources, wherein the cyber security precursor information can be obtained from one or more online or offline sources; normalizing the obtained cyber security precursor information to a common information model; generating, from the normalized cyber security precursor information, one or more events; producing, from the one or more generated events, one or more facts; calculating a plurality of risk indicators from the one or more facts; normalizing the plurality of risk indicators to a common model; calculating, using the normalized plurality of risk indicators, one or more cyber risk index component scores; and calculating, using the one or more cyber risk index component scores, a cyber risk indicator index (See Abstract). Therefore, Examiner respectfully submits that the new combination of Rambo, Yu and Parker, when further in view of Sweeney, would render the claimed limitations of the newly added dependent claims 24-25 obvious (See rejection below).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 6-8, 10-11, 13-15, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Rambo et al. (US 10,084,809) hereinafter Rambo in view of Yu et al. (US 2017/0331849) hereinafter Yu, and further in view of Parker (US 9,661,003).
As per Claim 1, Rambo teaches a computer-implemented method for assessing cyber-security risk (Rambo, Col. 1, lines 30-34; “In another aspect, a computer-implemented method is disclosed. The method includes receiving a vulnerability, generating a user score for each of a plurality of users within an enterprise, and generating a threat score for the vulnerability.”):
determining a privileged index for each of a plurality of network users (Rambo, Col. 5, lines 36-42; “Generating a user score (operation 205) also includes determining user characteristics (operation 248). User characteristics include, for example, one or more of the following: position of the user within the enterprise (e. g., C-level executive, middle manager, board member, etc.), level of seniority of the user within the enterprise, and access clearance of the user.” … Col. 9, line 66 to Col. 10, line 2; “generate a user score for each of a plurality of users within an enterprise, wherein the user score is generated based on a set of characteristics including: behavioral data, user device data, and user status data.”);
determining, [based on a frequency of interaction with threat vectors for each of the plurality of network users], a vulnerability index for each of the plurality of network users (Rambo, Col. 4, lines 42-53; “the example method 200 begins by acquiring a vulnerability (operation 202). As mentioned above, vulnerabilities include weaknesses of, for example, operating systems, firmware, particular software applications, and the like. The vulnerability may be publicly announced or privately identified by the enterprise. In some embodiments, the vulnerability is acquired manually, such as when an enterprise-specific cyber threat team member identifying the vulnerability or a risk is identified on a public news channel. In some embodiments, the vulnerability is acquired automatically, such as when a vulnerability is received from a third party vendor or governmental agency”. Col. 6, lines 6-18; “A given vulnerability may only affect smart phones with a particular operating system, such as smart phones with the BlackBerry™ operating system. Determining the number of devices affected (operation 260) includes identifying what the vulnerability affects and then calculating the number of devices within the enterprise that have an operating system, software, firmware, etc., that would be potentially impacted by the vulnerability. By identifying the types of devices affected, and by knowing the number of each type of device used within the enterprise, the number of devices within the enterprise affected by the vulnerability can be determined...”. Claim 7; “…the internal vulnerability score is generated based on a system or a device type affected by the vulnerability.”);
calculating a threat score for one or more cyber-security attacks directed at each of the plurality of network users (Rambo, Col. 2, lines 49-52; “Depending on the nature and sophistication of the threat, the user devices may be vulnerable to malicious actors capable of compromising sensitive or confidential data of the user and the enterprise”. Rambo, Col. 5, lines 62-67; “Referring again to FIG. 3, a threat score is also generated (operation 206) after receiving the vulnerability (operation 202). Generating a threat score (operation 206) is shown in greater detail in FIG. 5 and includes determining a number of devices affected (operation 260), determining a number of users affected (operation 262).”), wherein calculating the threat score further comprises: [determining a targetedness of the one or more cyber-security attacks], and wherein the threat score calculated [for each of the one or more cyber-security attacks is based on the determined targetedness associated with the corresponding cyber-security attack of the one or more cyber-security attacks]; and
calculating a risk-index for at least one network user from among the plurality of network users, wherein the risk-index is based on the privileged index, the vulnerability index, and the threat score associated with each of the network users (Rambo, Col. 4, lines 4-10; “User profile module 108 generates a ranking for one or more users and/or user devices 102 within the enterprise. The user profile module 108 may generate user profiles on demand, such as when requested by the threat manager 106 based on a particular vulnerability. Based on the profiles of the user and/or user devices, the user profile module 108 determines a risk score.” Rambo, Col. 5, lines 36-42; “Generating a user score (operation 205) also includes determining user characteristics (operation 248). User characteristics include, for example, one or more of the following: position of the user within the enterprise (e. g., C-level executive, middle manager, board member, etc.), level of seniority of the user within the enterprise, and access clearance of the user”. Col. 6, lines 6-18; “A given vulnerability may only affect smart phones with a particular operating system, such as smart phones with the BlackBerry™ operating system. Determining the number of devices affected (operation 260) includes identifying what the vulnerability affects and then calculating the number of devices within the enterprise that have an operating system, software, firmware, etc., that would be potentially impacted by the vulnerability. By identifying the types of devices affected, and by knowing the number of each type of device used within the enterprise, the number of devices within the enterprise affected by the vulnerability can be determined...”. Col. 10, lines 5-7, “based on the user score and the threat score, generate a composite score for each of the plurality of users within the enterprise”);
ranking, based on the risk-index (Rambo, Col. 4, lines 4-10; “User profile module 108 generates a ranking for one or more users and/or user devices 102 within the enterprise. The user profile module 108 may generate user profiles on demand, such as when requested by the threat manager 106 based on a particular vulnerability. Based on the profiles of the user and/or user devices, the user profile module 108 determines a risk score.”), the at least one network user along with the plurality of network users to create a list of a subset of the plurality of network users upon which to focus security resources (Rambo, Col. 6, line 64 to Col. 7, line 2; “These rankings may be in order from low priority to high priority, or low risk to high risk, where the ranking is based on the composite score and/or the user score. Thereby, a score for a user and/or user device may be blended with the threat score to determine a per-threat, per-user, and/or per-user device prioritization of security measures.” … Col. 7, lines 14-23; “After acquiring the security measure (operation 212) and generating a ranking (operation 210), the security measure is implemented (operation 216). Referring now to FIG. 6, implementing a security measure (operation 216) includes determining priority for the patch (operation 280), publishing the patch (operation 282), determining compliance (operation 284), determining whether the security measure has been implemented (operation 286), and executing device intervention (operation 288). Other embodiments may include more or fewer operations.”); and
displaying the ranked list (Rambo, Col. 6, line 64 to Col. 7, line 2; “These rankings may be in order from low priority to high priority, or low risk to high risk, where the ranking is based on the composite score and/or the user score. Thereby, a score for a user and/or user device may be blended with the threat score to determine a per-threat, per-user, and/or per-user device prioritization of security measures.”  Rambo, Col. 9, lines 26-30; “the mass storage device 814 and/or the RAM 810 can store software instructions that, when executed by the CPU 802, cause the example computing device 801 to display received data on the display screen of the example computing device 801.” Examiner submits that user’s rank list is part of the data (received by the system) that is analyzed and displayed in order to protect the user and devices.)
Rambo does not expressly teach:
based on a frequency of interaction with threat vectors for each of the plurality of network users,
… determining a targetedness of the one or more cyber-security attacks, and …  each of the one or more cyber-security attacks is based on the determined targetedness associated with the corresponding cyber-security attack of the one or more cyber-security attacks;
However, Yu teaches:
based on a frequency of interaction with threat vectors for each of the plurality of network users (Yu, Parag. [0006]; “determine a frequency score associated with each of the one or more threat vectors, wherein the frequency score indicates a number of occurrence of a threat via each of the one or more threat vectors; ... ; determine an exposure score associated with each of the one or more threat vectors based on at least the frequency score” … Parag. [0008]; “determine that the exposure (i.e. user interaction) score associated with at least one of the one or more threat vectors is greater than a predetermined threshold.” Parag. [0043]; In one aspect, threat vectors within particular categories of threat types can be identified. For example, the STRIDE methodology may be used to identify and categorize various threat (vector) types. More specifically, STRIDE is an acronym for: (i) Spoofing—Spoofing refers to an act of attempting to gain access to a system by using a false identity. This can be accomplished using misappropriated user credentials or a false IP address. After successfully gaining access as a legitimate user or host, elevation of privileges or abuse using authorization can begin; (ii) Tampering—Tampering is the unauthorized modification of data, for example as it flows over a network between two computers; (iii) Repudiation—Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions; (iv) Information disclosure—Information disclosure is the unwanted exposure of private data, for example, a user views the contents of a table or file he or she is not authorized to open, or monitors data passed in plaintext over a network.  Examiner submits that the method disclosed by Yu is implemented on user devices, thus the determination of vulnerability/threats is for a plurality of network users.)
Rambo and Yu are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for performing threat detection and risk-index scoring.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yu’s system into Rambo’s system, with a motivation to provide a system for identifying threat vectors and implementing controls for securing internal resources within a network (Yu, Parag. [0003]).
The combination of Rambo and Yu does not teach:
 … determining a targetedness of the one or more cyber-security attacks, and … each of the one or more cyber-security attacks is based on the determined targetedness associated with the corresponding cyber-security attack of the one or more cyber-security attacks.
However, Parker teaches:
… determining a targetedness of the one or more cyber-security attacks, and … each of the one or more cyber-security attacks is based on the determined targetedness associated with the corresponding cyber-security attack of the one or more cyber-security attacks (Parker, Col. 4, line 62 to Col. 5, line 15; “Attack Objectives: methods for identifying observable objectives of a cyber-attack are significant as they often indicate the intent of the adversary. Generally speaking, discreet subsets of adversaries will have differing intents. For example, the intent of organized crime groups engaged in cyber-attacks is typically financially motivated. Therefore, if an attack can be quantitatively identified as being intended to target financial data, such a measure may be utilized to conclude the nature of the adversary responsible, or at least narrow attribution to a subset of known adversaries. (3) Attack Targeting: methods for quantitatively observing the level of cyber-attack targeting will often provide valuable data regarding the nature of the cyber-attack and adversary. Many cyber-attacks are launched against broad sets of victims, while others are highly surgical in nature and target small groups of individuals or organizations in key positions consistent with the objectives of the adversary. Observation of attack targeting therefore provides key data that can augment other data regarding the objectives of a cyber-attack.”);
Rambo, Yu and Parker are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for performing threat detection and risk-index scoring.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Parker’s system into the Rambo-Yu system, with a motivation to provide cyber-attack identification and the profiling of cyber-attackers or adversaries (Parker, Col. 1, lines 13-14) in order to manage security risks to user devices within an enterprise (Rambo, Col. 1, lines 17-18).

As per claim 3, the combination of Rambo, Yu and Parker teaches the computer-implemented method of claim 1, wherein the threat score calculated for each of the one or more cyber-security attacks is based on a threat type associated with the cyber-security attack (Yu, Parag. [0043]; “In one aspect, threat vectors within particular categories of threat types can be identified. For example, the STRIDE methodology may be used to identify and categorize various threat (vector) types.”).
In addition, Rambo teaches the nature/type of the threat (Rambo, Col. 2, lines 49-50; “Depending on the nature and sophistication of the threat, the user devices may be vulnerable to malicious actors ….”).

As per claim 4, the combination of Rambo, Yu and Parker teaches the computer-implemented method of claim 1. Rambo further teaches wherein the privileged index for each of the plurality of network users is based on a level of network access rights associated with the network user (Rambo, Col. 5, lines 36-42; “Generating a user score (operation 205) also includes determining user characteristics (operation 248). User characteristics include, for example, one or more of the following: position of the user within the enterprise (e. g., C-level executive, middle manager, board member, etc.), level of seniority of the user within the enterprise, and access clearance of the user.” … Col. 9, line 66 to Col. 10, line 2; “generate a user score for each of a plurality of users within an enterprise, wherein the user score is generated based on a set of characteristics including: behavioral data, user device data, and user status data.”).

As per claim 6, the combination of Rambo, Yu and Parker teaches the computer-implemented method of claim 1. Rambo further teaches wherein the vulnerability index determined for each of the plurality of network users is based on the associated network user's performance on one or more security audits (Rambo, Col. 1, lines 30-34; “a computer-implemented method is disclosed. The method includes receiving a vulnerability, generating a user score for each of a plurality of users within an enterprise, and generating a threat score for the vulnerability…” … Col. 4, lines 54-59; “The person or persons receiving the vulnerability log the vulnerability in a database. When the vulnerability is automatically received, the vulnerability is automatically logged in a database. The database log may include data about the vulnerability, such as source, date received, devices or software affected, etc. Other data are possible…” … Col. 4, lines 63-67; “Generating a user score (operation 204) is shown in greater detail in FIG. 4 and includes determining behavior patterns (operation 242), determining access patterns (operation 244), and determining user characteristics (operation 248).”).

As per claim 7, the combination of Rambo, Yu and Parker teaches the computer-implemented method of claim 1. Rambo further teaches wherein the vulnerability index determined for each of the plurality of network users is based on (Rambo, Col. 1, lines 30-34; “a computer-implemented method is disclosed. The method includes receiving a vulnerability, generating a user score for each of a plurality of users within an enterprise, and generating a threat score for the vulnerability…” Col. 2, lines 42-44; “Security risks include vulnerabilities and weaknesses of, for example, operating systems, firmware, particular software applications, and the like.”).

As per claim 8, it is a system claim that recites limitations similar to those of claim 1, and therefore, it is rejected for the same rationale applied to claim 1. In addition, Rambo teaches one or more processors (Rambo, Col. 8, lines 28-32; “the example computing device 801 includes at least one central processing unit (“CPU”) 802, a system memory 808, and a system bus 822 that couples the system memory 808 to the CPU 802.”);
a network interface coupled to the one or more processors (Rambo, Col. 9, lines 5-8; “The example computing device 801 may connect to the network 103 through a network interface unit 804 connected to the system bus 822.”); and
a computer-readable medium coupled to the one or more processors, wherein the medium comprises instructions stored therein, which when executed by the processors, cause the processors to perform operations comprising (Rambo, Col. 1, lines 43-46; “… a computer-readable, non-transitory data storage memory comprising instructions. The instructions, when executed by a processing unit of an electronic computing device, cause the processing unit to: …”).

As per claim 10, the rejection of claim 8 is incorporated. In addition, it is a system claim that recites limitations similar to those of claim 3, and therefore it is rejected for the same rationale applied to claim 3.

As per claim 11, the rejection of claim 8 is incorporated. In addition, it is a system claim that recites limitations similar to those of claim 4, and therefore it is rejected for the same rationale applied to claim 4.

As per claim 13, the rejection of claim 8 is incorporated. In addition, it is a system claim that recites limitations similar to those of claim 6, and therefore it is rejected for the same rationale applied to claim 6.

As per claim 14, the rejection of claim 8 is incorporated. In addition, it is a system claim that recites limitations similar to those of claim 7, and therefore it is rejected for the same rationale applied to claim 7.

As per claim 15, it is a non-transitory computer-readable storage medium claim that recites limitations similar to those of claim 1, and therefore it is rejected for the same rationale applied to claim 1. In addition, Rambo teaches the non-transitory computer-readable storage medium comprising instructions stored therein, which when executed by one or more processors, cause the processors to perform operations (Rambo, Col. 1, lines 43-46; “… a computer-readable, non-transitory data storage memory comprising instructions. The instructions, when executed by a processing unit of an electronic computing device, cause the processing unit to: …”).

As per claim 17, the rejection of claim 15 is incorporated. In addition, it is a non-transitory computer-readable storage medium claim that recites limitations similar to those of claim 3, and therefore it is rejected for the same rationale applied to claim 3.

As per claim 18, the rejection of claim 15 is incorporated. In addition, it is a non-transitory computer-readable storage medium claim that recites limitations similar to those of claim 4, and therefore it is rejected for the same rationale applied to claim 4.

As per claim 20, the rejection of claim 15 is incorporated. In addition, it is a non-transitory computer-readable storage medium claim that recites limitations similar to those of claim 6, and therefore it is rejected for the same rationale applied to claim 6.

Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Rambo et al. (US 10,084,809) hereinafter Rambo in view of Yu et al. (US 2017/0331849) hereinafter Yu, and Parker (US 9,661,003) as applied to claim 1 above, and further in view of Voss et al. (US 7,552,480) hereinafter Voss.
As per claim 5, the combination of Rambo, Yu and Parker teaches the computer-implemented method of claim 1, wherein the privileged index for each of the plurality of network users [is based on one or more of: an ability to transfer funds, an ability to access employee data, or an ability to access intellectual property]. 
The combination of Rambo, Yu and Parker does not expressly teach:
wherein the privileged index … is based on one or more of: an ability to transfer funds, an ability to access employee data, or an ability to access intellectual property. 
However, Voss teaches:
wherein the privileged index … is based on one or more of: an ability to transfer funds, an ability to access employee data, or an ability to access intellectual property (Voss, Col. 8, lines 2-6; “A normal user may be able to access certain data from a computer, but if that person were to exploit a vulnerability, he or she might have additional control, for example, to see and/or delete other persons data that he or she would not otherwise have.”).
Rambo, Yu, Parker and Voss are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for performing threat detection and risk-index scoring.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Voss’s system into the Rambo-Yu-Parker system, with a motivation to assess and quantify the risk exposure of an information system or application using a quantitative risk assessment model (Voss, Col. 1, lines 17-19) in order to manage security risks to user devices within an enterprise (Rambo, Col. 1, lines 17-18).

As per claim 12, the rejection of claim 8 is incorporated. In addition, it is a system claim that recites limitations similar to those of claim 5, and therefore it is rejected for the same rationale applied to claim 5.

As per claim 19, the rejection of claim 15 is incorporated. In addition, it is a non-transitory computer-readable storage medium claim that recites limitations similar to those of claim 5, and therefore it is rejected for the same rationale applied to claim 5.


Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Rambo et al. (US 10,084,809) hereinafter Rambo in view of Yu et al. (US 2017/0331849) hereinafter Yu and Parker (US 9,661,003) as applied to claim 1 above, and further in view of Schultz et al. (US 2015/0381649) hereinafter Schultz.
As per claim 21, the combination of Rambo, Yu and Parker teaches the computer-implemented method of claim 1, wherein the targetedness [is based on geographic specificity].
However, the combination of Rambo, Yu and Parker does not expressly teach:
wherein the targetedness is based on geographic specificity.
But Schultz teaches:
wherein the targetedness is based on geographic specificity (Schultz, Parag. [0038]; ““Threat agent”, in various embodiments, is a specific attacker with actors or a threat group category with category properties whose likelihood of attack varies on factors including, but not limited to, geography, industry segment, political preferences, government affiliation, and relation to financial events or activist causes. The threat agent can be used to normalize the likelihood of attack on the targeted organization based on its industry segment, location and relation to world or local events.”).
Rambo, Yu, Parker and Schultz are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for performing threat detection and risk-index scoring.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Schultz’s system into the Rambo-Yu-Parker system, with a motivation to provide systems, apparatuses, and methods related to modeling risk as the probabilistic likelihood of loss, including financial loss, resulting from damage to a physical system, virtual system, data, and/or information assets in a computer network based on one or more cyber-attacks (Schultz, Parag. [0001]) and determining the likelihood of an attack taking into consideration various factors including geographic location (Schultz, Parag. [0038]).


Claims 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Rambo et al. (US 10,084,809) hereinafter Rambo in view of Yu et al. (US 2017/331849) hereinafter Yu and Parker (US 9,661,003) as applied to claim 1 above, and further in view of Sweeney et al. (US 2019/0253447) hereinafter Sweeney.
As per claim 24, the combination of Rambo, Yu and Parker teaches the computer-implemented method of claim 1. 
The combination of Rambo, Yu and Parker does not teach the method further comprising:
normalizing risk-indexes of the subset of the plurality of network users; and
performing, using the normalized risk-indexes, a quantitative risk comparison of a first organization, corresponding to the plurality of network users to a second organization, wherein the second organization is larger than the first organization.
However, Sweeney teaches:
normalizing risk-indexes of the subset of the plurality of network users (Sweeney, Parag. [0038]; “system and method for providing an automated, continuous cyber security risk assessment measurement that provides a normalized comparison between distinct sets of data collected from a variety of sources, including both offline and online data sources. Offline data sources may include but not be limited to personnel security indicators, localized and global cyber threat and risk indicators, and overall threat and risk levels calculated for a specific industry or the Internet as a whole. Online data sources may include but not be limited to computer network asset inventories, scan results from vulnerability scanning and penetration testing activities, and the output of security and architecture data from networked computing and security devices.” … Parag. [0040]; “Referring to FIG. 2 is a flowchart of a source data normalization method, in accordance with an embodiment. According to an embodiment, the data sources that are processed as part of the risk index calculation are normalized to a common information model. An integral part of computing the overall risk index is the ability to normalize the index. Normalization of the index occurs using one or more of the following primary factors: source type, asset identification, risk indicator properties (data bounds detected for properties based on the common information model), and risk index component contribution.” … Parag. [0062]; “… In order to provide a cybersecurity risk index score that is … sets of networked computing assets”); and
performing, using the normalized risk-indexes, a quantitative risk comparison of a first organization, corresponding to the plurality of network users to a second organization, wherein the second organization is larger than the first organization (Sweeney, Parag. [0062]; “Referring to FIG. 5 is a flowchart of a method for risk indicator normalization, in accordance with an embodiment. In order to provide a cybersecurity risk index score that is comparable between two distinct sets of networked computing assets, such as departments within an organization or organizations of different sizes (i.e. one organization larger than another), normalization of the risk indicators can be an important step in the index calculation process. The method for normalization may be performed on variables that are shared across events and analytic facts, for example in the current embodiment they take the form of normalization by the sensor type that recorded the event, threat type, defense action type, vulnerability type, logical location (i.e., network assignment) or physical location.”).
Rambo, Yu, Parker and Sweeney are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for performing threat detection and risk-index scoring.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sweeney’s system into the Rambo-Yu-Parker system, with a motivation for providing an automated, continuous cyber security risk assessment measurement using a method for consistent, predictable, repeatable measurement and comparison of cyber security risk indicators (Sweeney, Parag. [0005]).

As per claim 25, the combination of Rambo, Yu and Parker teaches the computer-implemented method of claim 1. Rambo teaches wherein displaying the ranked list [comprises graphically displaying a time series of risk-indexes] of the ranked list [over a predetermined time period] (Rambo, Col. 4, lines 4-10; “User profile module 108 generates a ranking for one or more users and/or user devices 102 within the enterprise. The user profile module 108 may generate user profiles on demand, such as when requested by the threat manager 106 based on a particular vulnerability. Based on the profiles of the user and/or user devices, the user profile module 108 determines a risk score”.  Col. 9, lines 26-30; “the mass storage device 814 and/or the RAM 810 can store software instructions that, when executed by the CPU 802, cause the example computing device 801 to display received data on the display screen of the example computing device 801”).
The combination of Rambo, Yu and Parker does not teach:
wherein displaying [the ranked list] comprises graphically displaying a time series of risk-indexes of [the ranked list] over a predetermined time period.
However, Sweeney teaches:
wherein displaying [the ranked list] comprises graphically displaying a time series of risk-indexes of [the ranked list] over a predetermined time period (Sweeney, Parag. [0094]; “the cyber risk indicator index is provided via a user interface, such as a cyber risk dashboard. Referring to FIGS. 10-12, for example, are embodiments of one or more components of a cyber risk user interface or dashboard. In FIG. 10, for example, the calculated cyber risk index is calculated as a score between 0 and 100, inclusive. In FIG. 11, for example, the calculated cyber risk index is calculated as a score between 0 and 100, and events or risk factors are provided to the user depending on the severity of the risk (critical, important, moderate, low, and no criticality, for example). In FIG. 12, for example, the calculated cyber risk index is calculated as a score between 0 and 100 and is plotted on a graph over time. The user can then monitor changes in the calculated cyber risk index over time, and can extract or calculate patterns in the changing cyber risk index.”).
Rambo, Yu, Parker and Sweeney are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for performing threat detection and risk-index scoring.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the technique of Sweeney to incorporate the ranked list of Rambo in the Rambo-Yu-Parker system, with a motivation for providing an automated, continuous cyber security risk assessment measurement using a method for consistent, predictable, repeatable measurement and comparison of cyber security risk indicators (Sweeney, Parag. [0005]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Tippett et al. (US 2005/0278786) relates to a system and method for assessing the risk to information resources that may include the generation and/or use of a security risk index.
Doynikova et al. “Enhancement of Probabilistic Attack Graphs for Accurate Cyber Security Monitoring” (2017) relates to attack graphs, which are widely used to reveal possible attack paths in computer networks. They are defined as the set of possible attack actions and transitions between them. Attack graphs allow following an attack path in the computer network from its source to the attack target. They make it possible to outline the network assets at risk, to define the current attack state on the basis of security incidents, and to draw conclusions about an attacker’s characteristics.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEX D CARRASQUILLO whose telephone number is (571)270-5045. The examiner can normally be reached Monday - Friday 9:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/A.D.C./Examiner, Art Unit 2498       

/YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498