DETAILED ACTION

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

	Authorization for this Examiner’s Amendment was given in a telephone interview with Brian M. Dingman, Esq. (Reg. No. 32,729) on 16 May 2022.
This application has been amended as follows:
IN THE CLAIMS
Cancel claim 3.
Replace the following claims listed as follows.

1.	(currently amended) A method for identifying gaps in an organization's cyber defenses, and identifying and prioritizing remediations that are designed to eliminate those gaps, comprising:
a. using a multiple choice questionnaireeach question corresponds to a risk factor and an inherent risk score is calculated for the question based on a weighting factor associated with the question and a risk rating associated with the answer, and wherein said inherent risk scores are used to calculate a normalized total inherent risk score for the organization
b. predefining, prioritizing, weighting, and scoring a universe of security controls that can be implemented at different levels of functionality represented by declarative statements, preassigning each security control to distinct functional, lifecycle, and control groups, selecting from this universe a set of security controls and corresponding levels that the organization is expected to implement to achieve reasonable and effective security based on its normalized total inherent risk, calculating an expected maturity score for said selected security controls, and determining an actual maturity score for said selected security controls based on a series of multiple choice questionnaires;
c. aggregating and comparing said actual and expected maturity scores by said functional, lifecycle, and control groups,  in the actual aggregated maturity scores of said groups which present unreasonable residual risk; 
d. and recommending and prioritizing  to the security controls in said groups whose actual maturity score falls short of the expected maturity score, actual aggregated maturity score of said groups with said identified gaps to the, thereby eliminating unreasonable residual risk;
wherein the steps above are implemented using a computing device;
in this manner the organization can identify a sequenced set of concrete steps it can take to achieve reasonable and effective security.

2.	(currently amended) The method of claim 1, wherein step a) comprises:
a. using expert judgment and open source threat intelligence, predefining a list of generic risk factors and grouping these into risk categories for “Assets”, “Data”, “Media”, “Staff”, “3rd Parties”, “Facilities”, “IT infrastructure”, and “Applications”;
b. using expert judgement and open source threat intelligence, pre-assigning a weighting factor $w_i$ for each risk factor i, which represents an estimate of the size of risk factor i relative to other factors in the same category; 
c. using expert judgement, pre-assigning a set of declarative statements for each of said risk factors, which describe levels of minimal, moderate, and significant risk;
d. using expert judgement, pre-assigning a numerical value between 0 and 1 for each declarative statement, which represents an estimated risk rating $r_{ij}$ for risk factor i and level j;
e. prompting the user with the choice of said declarative statements for each of said risk factors;
f. receiving the chosen response from the user and multiplying the risk rating $r_{ij}$ for the chosen level j by the weighting factor pre-assigned for this risk factor $w_i$, to establish an inherent risk score $R_i$ for factor i, as in the formula $R_i = w_i r_{ij}$;
g. adding up the inherent risk scores for each risk category C and dividing by the maximum total inherent risk score for each category C to generate a normalized category inherent risk score, as in the formula $R_C = \sum_{i=1}^{n} w_i r_{ij} \Big/ \sum_{i=1}^{n} w_i \max(r_i)$, where $\max(r_i) = r_{i\,\text{Significant}}$ and n is the number of risk factors in risk category C;
h. calculating a threat score T using the risk scores for the “Assets”, “Data”, and “Media” categories, and the formula $T = \frac{R_{\text{Assets}} + R_{\text{Data}}}{2} * (0.5 + 0.5 * R_{\text{Media}})$;
i. calculating a vulnerability score V using the risk scores for the “Staff”, “3rd Parties”, “Facilities”, “IT Infrastructure”, and “Applications” categories, and the formula $V = \frac{R_{\text{Staff}} + R_{\text{3rd Parties}} + R_{\text{Facilities}} + R_{\text{IT Infrastructure}} + R_{\text{Applications}}}{5}$;
j. calculating a consequence score C using the normalized inherent risk scores for the “Assets” and “Data” categories and the formula $C = (R_{\text{Assets}} + R_{\text{Data}})/2$;
k. calculating a normalized total inherent risk score $R_{\text{Total}}$ using said scores for threat, vulnerability and consequence and the formula $R_{\text{Total}} = \sqrt[3]{(TVC)}$; 
wherein the steps above are implemented using a computing device.   
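
Worked illustration of the scoring arithmetic in claim 2, steps f through k (added here for the reader; it is not part of the Office action, the claims, or the applicant's implementation). The weights, ratings, factor names and answers are constructed sample values, and the total is computed as the cube root of T·V·C, which is how the step k formula is read here.

```python
from dataclasses import dataclass

LEVELS = ("minimal", "moderate", "significant")
VULN_CATEGORIES = ("Staff", "3rd Parties", "Facilities",
                   "IT Infrastructure", "Applications")
CATEGORIES = ("Assets", "Data", "Media") + VULN_CATEGORIES


@dataclass(frozen=True)
class RiskFactor:
    name: str
    weight: float   # w_i: size of this factor relative to others in its category
    ratings: dict   # level j -> r_ij, a value between 0 and 1

    def __post_init__(self):
        if self.weight <= 0:
            raise ValueError(f"{self.name}: weight must be positive")
        if set(self.ratings) != set(LEVELS):
            raise ValueError(f"{self.name}: need one rating per level")
        if not all(0.0 <= r <= 1.0 for r in self.ratings.values()):
            raise ValueError(f"{self.name}: ratings must lie in [0, 1]")
        # Step g takes max(r_i) to be the rating of the "significant" level.
        if max(self.ratings.values()) != self.ratings["significant"]:
            raise ValueError(f"{self.name}: 'significant' must be the top rating")


def category_score(factors, answers):
    """Steps f and g: R_C = sum(w_i * r_ij) / sum(w_i * max(r_i))."""
    numerator = denominator = 0.0
    for f in factors:
        level = answers.get(f.name)
        if level not in f.ratings:
            raise ValueError(f"no valid answer for risk factor {f.name!r}")
        numerator += f.weight * f.ratings[level]            # R_i = w_i * r_ij
        denominator += f.weight * f.ratings["significant"]  # w_i * max(r_i)
    if denominator == 0:
        raise ValueError("category has no scorable risk factors")
    return numerator / denominator


def total_inherent_risk(model, answers):
    """Steps h to k: threat, vulnerability, consequence and normalized total."""
    missing = set(CATEGORIES) - set(model)
    if missing:
        raise ValueError(f"model lacks categories: {sorted(missing)}")
    R = {cat: category_score(model[cat], answers) for cat in CATEGORIES}
    T = (R["Assets"] + R["Data"]) / 2 * (0.5 + 0.5 * R["Media"])
    V = sum(R[cat] for cat in VULN_CATEGORIES) / len(VULN_CATEGORIES)
    C = (R["Assets"] + R["Data"]) / 2
    return {"R": R, "T": T, "V": V, "C": C, "total": (T * V * C) ** (1 / 3)}


def sample_model():
    """Constructed model: two factors per category, weights 3 and 1."""
    ratings = {"minimal": 0.2, "moderate": 0.5, "significant": 1.0}
    return {cat: [RiskFactor(f"{cat}-1", 3.0, ratings),
                  RiskFactor(f"{cat}-2", 1.0, ratings)]
            for cat in CATEGORIES}


def sample_answers():
    """Constructed questionnaire responses, one chosen level per factor."""
    chosen = {
        "Assets": ("significant", "moderate"),
        "Data": ("moderate", "moderate"),
        "Media": ("minimal", "minimal"),
        "Staff": ("moderate", "moderate"),
        "3rd Parties": ("moderate", "moderate"),
        "Facilities": ("minimal", "minimal"),
        "IT Infrastructure": ("significant", "significant"),
        "Applications": ("moderate", "moderate"),
    }
    return {f"{cat}-{n}": level
            for cat, levels in chosen.items()
            for n, level in enumerate(levels, start=1)}


if __name__ == "__main__":
    result = total_inherent_risk(sample_model(), sample_answers())
    for key in ("T", "V", "C", "total"):
        print(f"{key:>5}: {result[key]:.4f}")
```

Because Media only scales the threat term between 0.5 and 1.0, an organization with no media exposure still carries half of its Assets/Data threat score.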
3.	(canceled)

4.	(currently amended) The method of claim 1 wherein step b) comprises
a. identifying a universesecurity control frameworks, intelligence agency security control rankings, and industry analyst guides;
b. using expert judgement to combine and rearrange said best practices and technologies to derive a universe
c. pre-assigning each of said derived security controls to one of the following functional groups: “Governance”, “Endpoints”, “Network”, “Access”, “Data”, “Dependencies” and “Awareness”;
d. pre-assigning each of said derived security controls to one of the following lifecycle groups: “Identify”, “Prevent”, “Limit”, “Detect”, “Respond”, “Recover”; 
e. pre-assigning each of said derived security controls to one of the following security control groups: “Plan”, “Policy”, “Procedure”, “Resource”, or “Technical”;
f. ensuring that every combination of said functional group and said lifecycle group has at least one security control; 
g. pre-assigning a specific priority P1, P2, or P3 to each security control based on best practice surveys, customary norms, intelligence agency security control rankings, NIST Baselines, or Center for Internet Security Implementation Classes;
h. pre-assigning a set of declarative statements to each security control which describe basic, intermediate and advanced levels of functionality, wherein each higher level either subsumes or replaces and improves the functionality of the level(s) below it;
i. designating each of said derived security controls as a predominantly likelihood-reducing security control orsecurity control;
j. pre-assigning a weighting factor $w_i$ for each likelihood-reducing security control i, which is an estimate of the fraction of all security incidents that the security control will block or contain, based on open source data breach statistics;
k. pre-assigning a weighting factor $w_i$ for each impact-reducing security control i, which is an estimate of the fraction by which the security control will reduce the impact of a security incident, based on open source cost of data breach statistics;
l. pre-calculating a maturity score for each possible level of each security control, selecting from said universe of security controls a set of security controls that the organization is expected to implement, prescribing the level of implementation required of said selected security controls to achieve reasonable and effective security based on its normalized total inherent risk, and calculating an expected maturity score for said selected security controls; 
m. determining an actual maturity score for said selected security controls based on said pre-calculated maturity scores and a series of multiple choice questionnaires;
wherein the steps above are implemented using a computing device.

5.	(currently amended) The method of claim 4 wherein step l) comprises
a. pre-assigning a numerical value between 0 and 1 for each declarative statement for each security control i $\text{Degree}_i^{L}$ of the security control implemented at level L relative to its maximum functionality (implemented at the advanced level);
b. multiplying the weighting factor pre-assigned to each security control maturity score for the security control for basic, intermediate, and advanced levels of functionality, as in the formula $CS_i^{L} = w_i * \text{Degree}_i^{L}$, where L is the level of functionality (basic, intermediate, or advanced);
c. pre-calculating cumulative aggregated maturity scores $AM_{\rho\lambda}$ by adding together said precalculated maturity $AM_{\rho\lambda} = AM_{(\rho-1)\text{Advanced}} + \sum_{i=1}^{N_\rho} (CS_i)^{\lambda}$, where $N_\rho$ is the number of security controls with priority ρ;
d. dividing said cumulative aggregated maturity scores by the maximum possible cumulative aggregated maturity score, obtained by implementing all security controls (P1, P2, and P3) at the advanced level, to yield a matrix of nine normalized total maturity scores, as in $M_{\text{Total}}^{\rho\lambda} = AM_{\rho\lambda} / \sum_{i=1}^{N} w_i$, where $N$ is the total number of security controls;
e. selecting only P1 security controls if the normalized total inherent risk score $R_{Total}$ ${M_{Total}}_{P1Advanced}$;
f. selecting P1 and P2 security controls if the normalized total inherent risk score $R_{Total}$ ${M_{Total}}_{P1Advanced}$, but equal or less than said normalized total maturity score for P2 at the advanced level, ${M_{Total}}_{P2Advanced}$;
g. selecting P1, P2 and P3 security controls if the normalized total inherent risk score $R_{Total}$ ${M_{Total}}_{P2Advanced}$, but equal or less than said normalized total maturity score for P3 at the advanced level, ${M_{Total}}_{P3Advanced}$;
h. for each of said selected security controls, calculating the degree of functionality that the organization is expected to implement to achieve reasonable and effective security based on its normalized total inherent risk;
i. for each selected security control, calculating an expected maturity score by multiplying the expected degree of functionality for this security control by the weighting factor pre-assigned to this security control, as in the formula $ES_i = w_i * ED_{P_i}$;
wherein the steps above are implemented using a computing device.

6.	(currently amended) The method of claim 5 wherein step h) comprises
a. if only P1 security controls are selected of functionality for all P1 security controls $ED_{P1}$ by dividing the normalized total inherent risk score by the sum of the weighting factors for all P1 security controls, as in the formula $ED_{P1} = \frac{R_{Total}}{\sum_{i=1}^{I} w_i}$, where I is the number of security controls with priority P1;
b. if P1 and P2 security controls are selected of functionality for all P1 security controls to 1 and calculating the expected degree of functionality for all P2 security controls $ED_{P2}$ by subtracting the sum of the weighting factors for all P1 security controls from the normalized total inherent risk score and dividing the remainder by the sum of the weighting factors for all P2 security controls, as in the formula $ED_{P2} = (R_{Total} - \sum_{i=1}^{I} w_i) / \sum_{j=1}^{J} w_j$, where I is the number of security controls with priority P1, and J is the number of security controls with priority P2;
c. if P1, P2 and P3 security controls are selected of functionality for all P1 and P2 security controls to 1 and calculating the expected degree of functionality for all P3 security controls $ED_{P2}$ by subtracting the sum of the weighting factors for all P1 and P2 security controls from the normalized total inherent risk score and dividing the remainder by the sum of the weighting factors for all P3 security controls, as in the formula $ED_{P3} = (R_{Total} - \sum_{i=1}^{I} w_i - \sum_{j=1}^{J} w_j) / \sum_{k=1}^{K} w_k$, where I is the number of security controls with priority P1, J is the number of security controls with priority P2, and K is the number of security controls with priority P3;
wherein the steps above are implemented using a computing device.  

7.	(currently amended) The method of claim 4 wherein step m) comprises
a. for each of said selected security controlsathe security control and corresponding to each level;
b. determining based on the response to said choice the actual maturity score for the security control based on said pre-calculated maturity score for the level chosen; $CS_i = w_i * Degree_i$;
wherein the steps above are implemented using a computing device.   

8.	(currently amended) The method of claim 1, wherein step c) comprises:
a. for each of said functional, lifecycle, and control groups actual maturity scores for all selected security controls pre-assigned to said functional, lifecycle, or control group, as in the formula $AM_G = \sum_{i=1}^{n} CS_i$, where there are n security controls in group G;
b. for each of said functional, lifecycle, and control groups maturity scores for all selected security controls pre-assigned to said functional, lifecycle, or control group, as in the formula $EM_G = \sum_{i=1}^{n} ES_i$, where there are n security controls in group G;
c. for each of said functional, lifecycle, and control groups $AM_G < EM_G$?;
d. if the actual group aggregated maturity score is less than the expected group aggregated maturity score, then identifying the difference as a gap in said functional, lifecycle, or control group and calculating the size of the gap by subtracting the actual group aggregated maturity score from the expected group aggregated maturity score, as in the formula $GS_G = EM_G - AM_G$;
wherein the steps above are implemented using a computing device.
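
The arithmetic of claims 5(d)-(i), 6, 7(b) and 8 carried through on a small control set, as an added example that is not part of the application or the amendment. The names `Control`, `expected_degrees` and `group_gaps` and the sample controls are constructed; it assumes the weighting factors sum to 1, so that the normalized risk score and the weight sums share a scale, and that each tier boundary is tested as "equal or less than".

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    priority: int   # 1, 2 or 3 for P1, P2, P3
    weight: float   # w_i
    group: str      # functional, lifecycle or control group G
    degree: float   # Degree_i taken from the questionnaire answer, 0..1


def expected_degrees(r_total, controls):
    """Claims 5(d)-(g) and 6: pick the priority tiers and their expected degree ED."""
    w = {p: sum(c.weight for c in controls if c.priority == p) for p in (1, 2, 3)}
    total = sum(w.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError("assumption violated: weighting factors must sum to 1")
    if not 0.0 <= r_total <= 1.0:
        raise ValueError("normalized total inherent risk must lie in [0, 1]")
    # Normalized total maturity with each tier fully at the advanced level (step d).
    m_p1 = w[1] / total
    m_p2 = (w[1] + w[2]) / total
    if r_total <= m_p1:                       # only P1 selected
        return {1: r_total / w[1]}
    if r_total <= m_p2:                       # P1 at 1, remainder spread over P2
        return {1: 1.0, 2: (r_total - w[1]) / w[2]}
    return {1: 1.0, 2: 1.0, 3: (r_total - w[1] - w[2]) / w[3]}


def group_gaps(r_total, controls):
    """Claim 8: aggregate CS_i and ES_i per group, return GS_G where AM_G < EM_G."""
    ed = expected_degrees(r_total, controls)
    am, em = {}, {}
    for c in controls:
        if c.priority not in ed:              # tier not selected for this risk level
            continue
        es = c.weight * ed[c.priority]        # ES_i = w_i * ED_{P_i}
        cs = c.weight * c.degree              # CS_i = w_i * Degree_i
        em[c.group] = em.get(c.group, 0.0) + es
        am[c.group] = am.get(c.group, 0.0) + cs
    return {g: em[g] - am[g] for g in em if am[g] < em[g]}


# Constructed sample data: five controls whose weights sum to 1.
SAMPLE = [
    Control("multi-factor authentication", 1, 0.30, "Protect", 0.5),
    Control("asset inventory", 1, 0.20, "Identify", 1.0),
    Control("log monitoring", 2, 0.25, "Detect", 0.0),
    Control("network segmentation", 2, 0.05, "Protect", 1.0),
    Control("threat hunting", 3, 0.20, "Detect", 0.0),
]

if __name__ == "__main__":
    for group, size in sorted(group_gaps(0.65, SAMPLE).items()):
        print(f"{group}: gap {size:.3f}")
```

With a risk score of 0.65 the P3 control is not selected, so its absence does not count against the Detect group; the Detect gap comes entirely from the unimplemented P2 control.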

9.	(currently amended) The method of claim 1, wherein step d) comprises
a. for each of said groups with said identified gaps
b. for each security control i pre-assigned to said group, calculating the size of the shortfall for the security control by subtracting the actual maturity maturity score for this security control, as in the formula $SF_i = ES_i - CS_i$;
c. sorting all security controls pre-assigned to said group whose actual maturity maturity scores, in ascending order of priority (P1 then P2 then P3) followed by descending order of the size of the shortfall $SF_i$;
d. working through the sorted list, choosing security controls for improvement, each time subtracting the size of the shortfall $SF_i$ from the size of the gap for said group $GS_G$, until there are no more security controls or the sum of shortfall for the chosen security controls equals or exceeds the size of the gap, as in the formula $GS_G \le \sum_{\rho=P1}^{P3} \sum_{i=1}^{g} Max(SF_i)_{\rho}$, where $Max(SF_i)_{\rho}$ is the largest remaining shortfall in the sorted list of security controls with priority ρ in group G and g is the number of security controls in group g with a nonzero shortfall;
e. recommending improvements in functionality for said chosen security controls, according to the declarative statements representing the 
wherein the steps above are implemented using a computing device.
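
Steps b through d of claim 9 describe a greedy selection over one group's controls. The Python below is an added illustration, not part of the claims or of this Office action; the class and function names, the integer scores, the sample controls, and the treatment of only positive shortfalls as candidates are assumptions, and the group gap $GS_G$ is taken as an input.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    priority: int   # 1, 2 or 3, standing for P1, P2, P3
    expected: int   # ES_i, expected maturity score
    actual: int     # CS_i, actual maturity score

    @property
    def shortfall(self) -> int:
        # Step b: SF_i = ES_i - CS_i
        return self.expected - self.actual


def choose_controls(controls, gap):
    """Steps c and d for one group: return (chosen controls, uncovered gap)."""
    for c in controls:
        if c.priority not in (1, 2, 3):
            raise ValueError(f"{c.name}: priority must be 1, 2 or 3")
    # Assumption: only controls with a positive shortfall are candidates.
    candidates = [c for c in controls if c.shortfall > 0]
    # Step c: ascending priority, then descending shortfall.
    candidates.sort(key=lambda c: (c.priority, -c.shortfall))
    chosen, remaining = [], gap
    # Step d: stop when the list is exhausted or the gap is covered.
    for c in candidates:
        if remaining <= 0:
            break
        chosen.append(c)
        remaining -= c.shortfall
    return chosen, max(remaining, 0)


# Constructed sample data for one hypothetical group.
SAMPLE_GROUP = [
    Control("awareness-training", 3, 2, 1),
    Control("log-review", 2, 4, 1),
    Control("backup-testing", 2, 3, 3),
    Control("patching", 1, 3, 2),
    Control("mfa", 1, 4, 2),
]

if __name__ == "__main__":
    picked, uncovered = choose_controls(SAMPLE_GROUP, gap=5)
    for c in picked:
        print(f"P{c.priority} {c.name}: shortfall {c.shortfall}")
    print("uncovered gap:", uncovered)
```

With a gap of 5 the selection stops after the third control because the accumulated shortfall (6) exceeds the gap; with a gap larger than the total shortfall the list is exhausted and the uncovered remainder is returned.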



Allowable Subject Matter

Claims 1 – 2 and 4 – 9 are allowed.
The following is an examiner’s statement of reasons for allowance:
The above-mentioned claims are allowable over the prior art because the CPA (Cited Prior Art) of record fails to teach or render obvious the claimed limitations in combination with the specific added limitations recited in independent claim 1 (and its associated dependent claims).
The present invention is directed to a method for identifying gaps in an organization's cyber defenses, and identifying and prioritizing remediations that are designed to eliminate those gaps. In view of the closest prior art, such as U.S. Patent 10,592,938 (by Hogg) and U.S. Patent 10,728,761 (by Kedem), no single art disclosing, nor motivation to combine, has been found to anticipate or render obvious the claimed invention in such particular details of doing so in the context of recited limitations such as using a multiple choice questionnaire


Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788.  The examiner can normally be reached on Monday - Friday 9:00am-5:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/LONGBIT CHAI/Primary Examiner, Art Unit 2431 (No. #2354 - 2022)