DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 have been examined and are pending.
Allowable Subject Matter

Claim 7 is objected to as being dependent upon a rejected base claim, but
would be allowable if rewritten in independent form including all of the limitations of the
base claim and all intervening claims.
	
Invitation to Participate in DSMER Pilot Program
The present application satisfies the criteria for participation set forth in the Federal Register Notice entitled “Deferred Subject Matter Eligibility Response (DSMER) Pilot Program.” Therefore, the examiner invites applicant to participate in the DSMER pilot program. 

An applicant who accepts the invitation to participate in this pilot program must still file a reply to every Office action mailed in this application, but may defer presenting arguments or amendments in response to subject matter eligibility (SME) rejection(s) until the earlier of final disposition of the application, or the withdrawal or obviation of all other outstanding non-SME rejections. A final disposition for purposes of this pilot program occurs upon the earliest of: mailing of a notice of allowance; mailing of a final Office action; filing of a notice of appeal; filing of a request for continued examination; or abandonment of the application. Other than applicant’s ability to defer responding to SME rejections, participation in the DSMER pilot program does not alter the normal examination process (e.g., as outlined in MPEP 700), and applicant must still respond to all non-SME rejections when replying to Office actions. 

Further information about the pilot program, including an explanation of the criteria for receiving an invitation, and the conditions of participation, is provided in the Federal Register Notice announcing the program, which is available on the pilot program website https://www.uspto.gov/patents/initiatives/patent-application-initiatives/deferred-subject-matter-eligibility-response.

Applicant has two choices with respect to this invitation:
(1) Applicant may elect to participate in the DSMER pilot program. To effect this choice, applicant MUST accept this invitation by filing a completed request form PTO/SB/456 with a timely response to this Office action. The DSMER Pilot request form must be signed in accordance with 37 CFR § 1.33(b) by a person having authority to prosecute the application, and must be submitted via the USPTO’s patent electronic filing systems (EFS-Web or Patent Center). The form is available on the pilot program website https://www.uspto.gov/patents/initiatives/patent-application-initiatives/deferred-subject-matter-eligibility-response. If the form is properly completed and timely received, the application will be entered into the pilot program.

(2) Applicant may decline to participate in the pilot program. No action is required from applicant to effect this choice, because if applicant does not timely file a properly completed form PTO/SB/456, the application will not be entered into the pilot program.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/29/2020 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1 and 11 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.            Per the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG) 
101 Flowchart Analysis: 
Step 1: meets the statutory category of a mental process;  Step 2A/Prong 1: recited claims – a method for determining a cyber risk score for an entity having a plurality of devices on a network, the method comprising: collecting, by a processing circuit, a first set of data from individual network devices and a second set of data including risk data from an external data source; normalizing, by the processing circuit, the first set of data and the second set of data; correlating, the normalized first set of data with the normalized second set of data to determine individual cyber risk scores for the individual network devices, by the processing circuit; and determining, the cyber risk score for the entity by aggregating the individual cyber risk scores of the individual network devices, by the processing circuit – when viewed as a whole meet a mental process, thus an abstract idea; and
Step 2B/Prong 2: recites an additional element in steps (1)-(4), determines a combined cyber risk score of the plurality of individual network devices, which are a form of insignificant extra-solution activity.  However, the particular additional element is recited at high level of generality that is no more than merely “apply” the mental step using a generic computer system.  The determining step (4) is aggregating individual network device scores to determine an entity's cyber risk score is also recited at high level of generality, not integrated into a practical application, and amounts to a mere post-solution of arranging, ascertaining or consolidating that is a form of insignificant extra-solution activity. 
 The additional elements are determined to be no more than insignificant extra-solution activity.  In particular, the processor and computer system are considered conventional and well-understood, and are recited at high level of generality.  As the result, the claim, as a whole, is no more than attempting to broadly cover the concept of using a computer system to implement analysis of what a human security analyst would have performed in the mind. Therefore, the claim 1 and 11 are considered as an abstract idea without significantly more than the judicial exception.
Dependent claim(s) Claims 2-10 and 12-19 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reason addressed above. 

	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 5-6, 8, 11-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Findlay, US PG Publication (20170346846 A1), in view of Datta Ray, US PG Publication (20190156257 A1).
Regarding claims 1 and 11, Findlay teaches a method for determining a cyber risk score for an entity having a plurality of devices on a network [Findlay, ¶0012: A system comprising a first module allowing a user to establish in respect of one or more activities of an enterprise incorporating at least one of electronic devices and communications networks a threat risk assessment and analysis (TRAA) with respect to one or more attacks, and a second module allowing the user to access information relating to at least one of threat reporting and security responses in respect of one or more attacks. ¶¶0091, 0098, and 0102-0103: The system 200 includes an electronic device 204 (i.e. smartphone 155, an access point (AP) 206, such as first AP 110) and one more device 207 (i.e. communication servers, streaming media servers, and router like first and second servers 190A/B)], the method comprising; and a system for determining a cyber risk score for an entity having a plurality of network devices, the system comprising: [Findlay, ¶¶0247 and 0264-0265: gaps in vulnerability analysis foundation and weak calculation of residual risks; ¶¶0098 and 0261: Threat Information Gathering and Incident Reporting (TIGIR) system addresses limitations within current cyber security methodologies, calculates costs, exploits first data related to user’s assets and third data related to third party security methodologies and solutions and one or more algorithms to provide at least one of: identify residual risk and recommendations to reduce enterprise exposure and provide increased security within the one or more security domains. Collect internal, external and client-reported threat data and perform compound analysis of internal, external and client-reported threat data using detailed threat characteristics to enhance threat identification and distributed threat mitigation]
a server, comprising a processing circuit having a memory storing processing instructions, said processing circuit configured to: [Findlay, ¶0089: First and second servers 190A and 190B may host embodiments of inventions multiple services associated with a provider; supporting database application platforms (DAP); ¶¶0091-0093, 0098, and 0102-0103: electronic device 204 like servers include processors 210 and 211 with non-exhaustive list of memories 212 and 213; one more device 207 (i.e. communication servers, streaming media servers, and router like first and second servers 190A/B)]
collecting, by a processing circuit, a first set of data from individual network devices and a second set of data including risk data from an external data source; [Findlay 20170346846A1, ¶¶0019 and 0020: TIGIR system comprising threat - risk and reporting software systems to address limitations present within current security methodologies and solutions enacted by an enterprise with respect to one or more security domains. TIGIR exploits first data relating to the user ' s assets, second data relating to the enterprise ' s security methodologies and solutions. ¶¶0022 and 0263: provide risk analysis of an enterprise’s current security posture, as well a vulnerability gap analysis. ¶0264: identify residual risk and recommendations to reduce enterprise exposure and provide increased security within the one or more security domains. ¶0265: collect internal, external and client-reported threat data...;]
normalizing, by the processing circuit, the first set of data and the second set of data; [Findlay, ¶¶0230-0231: Component of TIGIR, Threat Reporting and Response Database (TRRD) component provides a framework gathering from select internal and external sources, open sourced and continuously compounds intelligence on historical and live threats. The TRRD utilizes data framework from TRAA to normalize data to ensure compatibility and relevancy to database classes made available for various report types and live alerts]
While Findlay teaches correlating, the normalized first set of data with the normalized second set of data [Findlay, ¶¶0230-0231: The TRRD utilizes data framework from TRAA to normalize data to ensure compatibility and relevancy to database classes made available for various report types and live alerts]; however, Findlay fails to explicitly teach but Datta Ray teaches correlating, the normalized first set of data with the normalized second set of data to determine individual cyber risk scores for the individual network devices, by the processing circuit; [Datta Ray, ¶0020: aggregating and correlation available information pervasively with the domain and situational contexts with automated guidelines. ¶¶0704 and 0706-0709: Security risks to be evaluated in the electric power domain where each cell contains three values: impact, weight, and confidence. ¶¶0713 and 0716:  The security risk relate business function to assets correlations; a collection of cells which shows the assets as correlated to a specific business function, one row for each asset. An asset may have zero correlation to a specific business function.] and 
determining, the cyber risk score for the entity by aggregating the individual cyber risk scores of the individual network devices, by the processing circuit. [Datta Ray, ¶0020: aggregating and correlation available information pervasively with the domain and situational contexts with automated guidelines.  ¶0723: Computing the business function collection (1×n) with asset score collection (N×M) results in a 1×N collection. This intermediate collection represents relative valuation of each of these N assets for the given set of business functions. ¶¶0740-0741: A threat is a quantification of how a particular threat affects a particular vulnerability. Security Risk related threat from vulnerability valuation is calculated: (1508) (electric power domain): Computing the vulnerability collection (1×N) with threat from vulnerability collection (N×M) results in a (1×N) collection. This final collection represents relative valuation of each of these N threats for the given set of vulnerabilities. ¶¶0748-0749: Security Risk related ranked business function to threat output: (1510) (electric power domain): The reverse tree look from (1509) is aggregated into a collection which shows the ranked threats correlated back to the original business functions.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a security threat information gather and incident reporting systems of Findlay before him or her by including the teachings of a pervasive, domain, and situational-aware, adaptive, automated, and coordinated big data analysis, contextual learning and predictive control of business and operational risks and security of Datta Ray. The motivation/suggestion would have been obvious to try to modify the TIGIR system of Findlay by aggregating and correlating available information pervasively with the domain and situational contexts with automated guidelines.as taught by Datta Ray [Datta Ray, ¶0020].  

Regarding claims 2 and 12, the combination of Findlay and Datta Ray teach claim 1 as described above.
 	However, Findlay fails to explicitly teach but Datta Ray teaches wherein the second set of data comprises at least one of architectural data, contextual data and social media data. [Datta Ray, ¶0139: operational system 610 knowledge comprise of one or more categories of data: structural]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a security threat information gather and incident reporting systems of Findlay before him or her by including the teachings of a pervasive, domain, and situational-aware, adaptive, automated, and coordinated big data analysis, contextual learning and predictive control of business and operational risks and security of Datta Ray. The motivation/suggestion would have been obvious to try to modify the TIGIR system of Findlay by aggregating and correlating available information pervasively with the domain and situational contexts with the second set of data includes structural data categories as taught by Datta Ray [Datta Ray, ¶0139].  
Regarding claims 3 and 14, the combination of Findlay and Datta Ray teach claim 1 as described above.
Findlay teaches wherein the normalizing step includes decomposing the data. [Findlay, ¶0220: A Comprehensive Risk Assessment addresses separately and in detail key risk areas before consolidating them into the Residual Risk and Recommendations.]

Regarding claims 5 and 16, the combination of Findlay and Datta Ray teach claim 1 as described above.
 	However, Findlay fails to explicitly teach but Datta Ray teaches wherein determining the individual cyber risk scores is based on at least one of geographical location of the network device, cyber vulnerability of the network device and a combination thereof. [Datta Ray , ¶¶0659-0660: security risks to be evaluated on impact of safety – occurrence or probability of disabling security latch]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a security threat information gather and incident reporting systems of Findlay before him or her by including the teachings of a pervasive, domain, and situational-aware, adaptive, automated, and coordinated big data analysis, contextual learning and predictive control of business and operational risks and security of Datta Ray. The motivation/suggestion would have been obvious to try to modify the TIGIR system of Findlay by aggregating and correlating available information pervasively with the domain and situational contexts with security risks based on the impact of safety measures as taught by Datta Ray [Datta Ray, ¶¶0659-0660].  

Regarding claim 6, the combination of Findlay and Datta Ray teach claim 1 as described above.
However, Findlay fails to explicitly teach but Datta Ray teaches wherein the first set of data is selected from the group consisting of device configuration, IP address, MAC address, and data related to software operated on the network devices. [Datta Ray , ¶¶0013-0014: groups of assets are identified through threats/vulnerabilities; ¶¶0104-0105 0107 0112 0144 0155 and 0159: monitored and controlled elements (MCE) include, but are not limited to: any software element within devices (308, 311, 312, 317, 318), e.g., domain specific applications; incoming and outgoing address of protocol specific knowledge. Examiner interprets that the information traversing  the communication network may be via the Internet which include routers, switches that utilize well known methodologies of IP and MAC addresses embedded in layer 2 and 3 devices; this also includes computers or servers that have operating systems]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a security threat information gather and incident reporting systems of Findlay before him or her by including the teachings of a pervasive, domain, and situational-aware, adaptive, automated, and coordinated big data analysis, contextual learning and predictive control of business and operational risks and security of Datta Ray. The motivation/suggestion would have been obvious to try to modify the TIGIR system of Findlay by aggregating and correlating available information pervasively with the domain and situational contexts with selected groups that include IP/MAC address and software element(s) of on a device as taught by Datta Ray [Datta Ray, ¶¶0013-0014].  

Regarding claim 8, 17, and 20, the combination of Findlay and Datta Ray teach claim 1 as described above.
However, Findlay fails to explicitly teach but Datta Ray teaches further includes displaying and sorting the individual network devices by the individual cyber risk scores on a user interface. [Datta Ray , ¶0189: graphical displays show quantitative, geographical, and temporal information, highlight MCE that need extra attention, archive logs sorted and classified according to various specified criteria]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a security threat information gather and incident reporting systems of Findlay before him or her by including the teachings of a pervasive, domain, and situational-aware, adaptive, automated, and coordinated big data analysis, contextual learning and predictive control of business and operational risks and security of Datta Ray. The motivation/suggestion would have been obvious to try to modify the TIGIR system of Findlay by aggregating and correlating available information pervasively with the domain and situational contexts with the ability to display and sort scores graphically as taught by Datta Ray [Datta Ray, ¶0189].  
Claims  4, 9-10, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Findlay, US PG Publication (20170346846 A1), in view of Datta Ray, US PG Publication (20190156257 A1), in view of Behzadi et al., hereinafter (“Behzadi”), US PG Publication (20190265971 A1).

Regarding claims 4 and 15, the combination of Findlay and Datta Ray teach claim 1 as described above.
While Datta Ray teaches correlating, the normalized first set of data with the normalized second set of data [Datta Ray, See ¶0020: aggregating and correlation available information pervasively with the domain and situational contexts with automated guidelines. ¶¶0713 and 0716:  The security risk relate business function to assets correlations; a collection of cells which shows the assets as correlated to a specific business function, one row for each asset.]; however, Datta Ray fails to explicitly teach but Behzadi teaches correlating further comprises correlating a hierarchy of the network devices with the normalized first and second sets of data. [Behzadi, ¶0228: With the integration component 202 and the data services component 204, the system 200 is designed to aggregate, federate, and normalize significant volumes of disparate, real-time operational data.
¶0479: operators are enabled to make more informed maintenance decisions by assessing risk at different levels of equipment or organizational hierarchy. ¶¶0517 and 0518: To identify and correlate the effect of historical and current factors influencing supply network risk analytics also integrates externally-gathered data; ... correlated all of these data inputs, supply network risk analytics employs machine learning algorithms to identify the most significant, potential production delays and delivery risks associated with each unique product and production line, at any current point in time.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a security threat information gather and incident reporting systems of Findlay and Datta Ray before him or her by including the teachings of systems and methods for IoT data processing and enterprise applications of Behzadi. The motivation/suggestion would have been obvious to try to modify the TIGIR system of Findlay by aggregating and correlating available information pervasively with the domain and situational contexts with automated guidelines.as taught by Datta Ray with business intelligence reports/dashboards/etc. that organize and aggregate into hierarchies imported from data maintained on external data sources into an enterprise IoT platform of the utilities sector as well as identify and correlate risk analytics of Behzadi [Behzadi, ¶¶0517-0520 and 0560].  

Regarding claim 9, the combination of Findlay and Datta Ray teach claim 1 as described above.
While Datta Ray teaches individual risk scores [Datta Ray, ¶¶0704 and 0706-0709: Security risks to be evaluated]; however, the combination of Findlay and Datta Ray fail to explicitly teach but Behzadi teaches further comprises storing or updating the individual risk scores in a memory. [Behzadi, ¶0479: updates risk scores in real time; ¶0571: data services module 3206 is responsible for persisting (storing) large and increasing volumes of data, while also making data readily available for analytical calculations.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a security threat information gather and incident reporting systems of Findlay and Datta Ray before him or her by including the teachings of systems and methods for IoT data processing and enterprise applications of Behzadi. The motivation/suggestion would have been obvious to try to modify the TIGIR system of Findlay by aggregating and correlating available information pervasively with the domain and situational contexts with automated guidelines.as taught by Datta Ray with business intelligence reports/dashboards/etc. that organize and aggregate into hierarchies imported from data maintained on external data sources into an enterprise IoT platform of the utilities sector as well as using data service module to update and/or store risk scores of Behzadi [Behzadi, ¶¶0479 and 0571].  

Regarding claim 10, the combination of Findlay and Datta Ray teach claim 1 as described above.
While Datta Ray teaches individual risk scores [Datta Ray, ¶¶0704 and 0706-0709: Security risks to be evaluated]; however, the combination of Findlay and Datta Ray fail to explicitly teach but Behzadi teaches wherein determining the individual cyber risk scores of the individual network devices and the cyber risk score of the entity occurs in real time or near real time. [Behzadi, ¶0479: continuously applies advanced machine learning techniques to update risk scores in real time]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a security threat information gather and incident reporting systems of Findlay and Datta Ray before him or her by including the teachings of systems and methods for IoT data processing and enterprise applications of Behzadi. The motivation/suggestion would have been obvious to try to modify the TIGIR system of Findlay by aggregating and correlating available information pervasively with the domain and situational contexts with automated guidelines.as taught by Datta Ray with business intelligence reports/dashboards/etc. that organize and aggregate into hierarchies imported from data maintained on external data sources into an enterprise IoT platform of the utilities sector as well as using machine learning to determine risk scores close to or near real-time of Behzadi [Behzadi, ¶0479].  

	
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Maria (9876811 B2) discloses dynamic and selective response to cyber attack for telecommunications carrier networks.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Sakinah White Taylor/           Primary Examiner, Art Unit 2497