Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
1.	This action is responsive to communication filed on: 28 September 2022 with acknowledgement of an original application filed on 18 March 2020 and that this application is a continuation 16/585,202 filed 27 September 2019 which claims the benefit of a provisional application filed 27 September 2018.
2.	Claims 1-14 and 16-18, are currently pending.  Claim 1 is an independent claim.
Claims 1-7, 11-14, and 16-18, have been amended.  Claims 15, and 19-20, have been canceled.  
Response to Arguments

3.	Applicant's arguments filed 28 September 2022 have been fully considered however they moot due to new grounds of rejection necessitated by applicant’s amendments to the claims.
Double Patenting
4.	A rejection based on double patenting of the “same invention” type finds its support in the language of 35 U.S.C. 101 which states that “whoever invents or discovers any new and useful process... may obtain a patent therefor...” (Emphasis added). Thus, the term “same invention,” in this context, means an invention drawn to identical subject matter. See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957).
A statutory type (35 U.S.C. 101) double patenting rejection can be overcome by canceling or amending the claims that are directed to the same invention so they are no longer coextensive in scope. The filing of a terminal disclaimer cannot overcome a double patenting rejection based upon 35 U.S.C. 101.
5.	Claims 1, 3, 7-13, and 16-18 are provisionally rejected on the ground of statutory type double patenting as being unpatentable over claims 1, 6-13, and 16-18 of co-pending application 16/585,202.
	This is a provisional obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.
Claim Rejections - 35 USC § 112
6.	The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

7.	Claims 1-14 and 16-18are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.  The claims have been amended.  Below is independent claim 1, the underlined limitations are new matter.  The Examiner notes, support does not exist in the specification for the underlined limitations.  “A method executed by a computer that quantifies a cyber risk associated with a digital asset, the method comprising: 
generating, by the computer a digital asset inventory of digital assets by integrating with cybersecurity tools;
displaying, by the computer, the digital asset inventory via a graphical user interface having definable mathematical operands associated with a cyber risk algorithm;
receiving, by the computer, algorithmic selections via the graphical user interface specifying attributes associated with the digital asset inventory and the definable mathematical operands; 
creating, by the computer, cyber risk algorithm using the algorithmic selections specifying the attributes and the definable mathematical operands
quantifying, by the computer, the cyber risk associated with the digital asset of the digital assets by executing the cyber risk algorithm created using the attributes associated with the digital asset inventory as inputs and the definable mathematical operands.”
Dependent claims 2-13 and 17-18 are rejected because of their dependency to claim 1 in addition these claims combine the term “digital asset inventory” in a similar fashion as rejected below.  

The amended claim includes the limitation “generating, by the computer a digital asset inventory of digital assets by integrating with cybersecurity tools”
The Applicant’s disclosure does not explain how the cybersecurity tool or computer generates the digital asset inventory.  In addition, no explanation of integrating digital assets with cybersecurity tools exist.  Appropriate Correction is required.
In addition to the limitation pointed out in letter “A” above, the independent claims have been amended to include the phrase “digital asset inventory” with multiple limitations, that have been underlined above.  The specification does not support use of the term “digital asset inventory” along with the underlined limitations.  Note nowhere in the specification is it stated:
“displaying, by the computer, the digital asset inventory via a graphical user interface”
Or 
“selections via the graphical user interface specifying attributes associated with the digital asset inventory”
Or
“quantifying…using the attributes associated with the digital asset inventory as inputs”
Appropriate Correction is required.The Examiner notes a review of the Applicant’s disclosure paragraphs 124, 126-128, and 135 use the term “digital asset inventory”, however none of these paragraphs relay the limitations presented in the amendment.  At best the Applicant’s disclosure explains how the digital asset inventory includes system and technologies as well as data types.  The system allows for the creation of multiple cyber risk algorithms to measure financial exposures, however the “digital asset inventory” is not generated or used as an input to create the algorithms it is merely something that is referenced.
8.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

9.	Claims 1-14 and 16-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.  The claims have been amended.  Below is independent claim 1, the underline text phrases are also considered indefinite.
A method executed by a computer that quantifies a cyber risk associated with a digital asset, the method comprising: 
generating, by the computer a digital asset inventory of digital assets by integrating with cybersecurity tools;
displaying, by the computer, the digital asset inventory via a graphical user interface having definable mathematical operands associated with a cyber risk algorithm;
receiving, by the computer, algorithmic selections via the graphical user interface specifying attributes associated with the digital asset inventory and the definable mathematical operands; 
creating, by the computer, cyber risk algorithm using the algorithmic selections specifying the attributes and the definable mathematical operands
quantifying, by the computer, the cyber risk associated with the digital asset of the digital assets by executing the cyber risk algorithm created using the attributes associated with the digital asset inventory as inputs and the definable mathematical operands.
The claims as amended are confusing and the disclosure does not clearly point out the invention, for multiple reasons.
The amended claim includes the limitation “generating, by the computer a digital asset inventory of digital assets by integrating with cybersecurity tools”
The limitation is not clear and therefore indefinite.  The Applicant’s disclosure does not explain how the cybersecurity tool or computer generating the digital asset inventory.  In addition, no explanation of integrating digital assets with cybersecurity tools exist.

A review of the Applicant’s disclosure paragraphs 124, 126-128, and 135 use the term “digital asset inventory”, however the precise phrase “generating, by the computer a digital asset inventory of digital assets by integrating with cybersecurity tools” is never used.  At best the Applicant’s disclosure explains how the digital asset inventory includes system and technologies as well as data types.  The system allows for the creation of multiple cyber risk algorithms to measure financial exposures, however the “digital asset inventory” is not generated it is merely something that is referenced.  Appropriate Correction is required.
In addition to the limitation pointed out in letter “a” above, the independent claims have been amended to include the phrase “digital asset inventory” with multiple limitations. However, these limitations are missing many details to make sense of the invention.  Note paragraph 135 of Applicant’s disclosure is shown below:
“[0135] The invention allows for multiple financial exposures to be calculated. Using the digital asset inventory, asset classifications, data classifications and data form internal and external sources, the invention allows for the creation of multiple cyber risk algorithms to measure financial exposures. The graphical user interface has defined specific quantification models for data exfiltration, business interruption and regulatory loss calculations. Each quantification model can be associated to one or more algorithms that are defined using the graphical user interface. See FIG. 5 for Cyber Risk Exposures Metrics that can be defined. Multiple algorithms can be defined by associating a data type (privacy, financial, etc.) or across a business unit. This can be done since data was captured in terms of the organization, business unit, system, process, technology, data type when we did the digital asset inventory. Additionally, information has been captured in the digital asset inventory regarding the attributes used in the calculations including number of records, average revenue generated per hour and organization revenue. Number of records is a system attribute that is tied to the database that it utilized to store the records. Average revenue per hour is a process attribute that is related to a revenue generating process. Organization revenue is an organization attribute. The user chooses the attributes and defines the calculation using operators including addition, subtraction, multiplication and division to create the calculation. Constants can also be used in the calculations and include the average DDoS Lifecycle, and IBM Ponemon Cost of a data breach data, Algorithms are defined based on the user's requirements and can be applied to any data classification including but not limited to only systems that process privacy data or healthcare data or credit card data or EU citizen data or across all the systems. See FIG. 6 for Cyber Risk Exposure Attributes.”Below are the additional claim limitations that include the term “digital asset inventory”:
“displaying, by the computer, the digital asset inventory via a graphical user interface having definable mathematical operands associated with a cyber risk algorithm;
receiving, by the computer, algorithmic selections via the graphical user interface specifying attributes associated with the digital asset inventory and the definable mathematical operands” 
and
“quantifying, by the computer, the cyber risk associated with the digital asset of the digital assets by executing the cyber risk algorithm created using the attributes associated with the digital asset inventory as inputs and the definable mathematical operands”
In paragraph 135 of Applicant’s disclosure, includes the phrase “Using the digital asset inventory, asset classification, data classifications, and data form internal and external sources, the invention allows for the creation of multiple cyber risk algorithms to measure financial exposures”, the claim limitations as written do not include these details, missing is “asset classification, data classifications, and data form internal and external sources”.   Also, missing from the claims is any wording relating to “quantification model” as well as numerous details from paragraph 135.  Without these details the claim is indefinite because the claim is missing details to make sense of the invention.  Appropriate Correction is required.
In addition to the details missing from the limitations to make sense of the invention.  
It appears the use of the term, “digital asset inventory” in the claims is not consistent with the disclosure.  According to Applicant’s disclosure, multiple financial exposures can be calculated.  The user chooses the attributes and defines the calculations.  The digital asset inventory is barely used in the specification and it appears to mean that attributes/parameters assigned to a digital asset inventory can be used in related calculations.  But the weight given to the term in the claims is not consistent with the specification.  Appropriate Correction is required.
10.	To expedite a complete examination of the instant application the claims rejected under 35 U.S.C. 101 (nonstatutory) as well as 35 U.S.C. 112  above are further rejected as set forth below in anticipation of applicant amending these claims to overcome the above rejections.
Claim Rejections – 35 USC § 103
11.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

12.	Claims 1-4, 8-10, 12-14, and 16-18, are rejected under 35 U.S.C. 103 as being unpatentable over Mahabir et al. U.S. Patent Application Publication No. 2017/0244740 (hereinafter ‘740) in view of Nelson et al. U.S. Patent Application Publication No. 2006/0117388 (hereinafter ‘388).
As to independent claim 1, “A method executed by a computer that quantifies a cyber risk associated with a digital asset” is taught in ‘740 the Abstract, paragraphs 6, 10-11, 14-15, and 19-20, note a method of evaluating cyber risks and determining a risk assessment score is interpreted equivalent to “quantifies”;
“the method comprising: generating, by the computer a digital asset inventory of digital assets by integrating with cybersecurity tools” is shown in ‘740 the Abstract, paragraphs 6, 8, 106-109, and 113-114, note a network security assessment system that receives (i.e. generates) a list of software applications and a list or organization nodes, is interpreted equivalent to the inventory;
	“displaying, by the computer, the digital asset inventory via a graphical user interface having definable mathematical operands associated with a cyber risk algorithm” is disclosed in‘740 the Abstract, paragraphs 6, 15, 85, 92-93, and 139-142, a risk assessment viewer application that displays risk assessment reports about the subscriber organization this includes a digital asset inventory, also note ‘a predefined reporting threshold’ and/or the summed or combined scoring to reach a total score, and/or the weights assigned weighted average is interpreted equivalent to ‘definable mathematical operands associated with cyber risk algorithm’; 
	“receiving, by the computer, algorithmic selections via the graphical user interface specifying attributes associated with the digital asset inventory and the definable mathematical operands” is taught in ‘740, note user (subscribers) are able to interact with GUI and RAS interface to obtain risk assessment in paragraphs 85-87;
“quantifying, by the computer, the cyber risk associated with the digital asset of the digital assets by executing the cyber risk algorithm created using the attributes associated with the digital asset inventory as inputs and the definable mathematical operands” is shown in ‘740, in paragraphs 85-87;
the following is not explicitly taught in ‘740:
	“creating, by the computer, cyber risk algorithm using the algorithmic selections specifying the attributes and the definable mathematical operands” however ‘388 teaches, modeling security risks is a cyber risk algorithm, the questionnaire allows algorithmic selections where weights (definable mathematical operands) can be assigned to different attributes in the Abstract, paragraphs 12-13, 63, 87-91 and 122.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of system and method for enhancing security in a computer network taught ‘740 to include a means to create a cyber risk algorithm.  One of ordinary skill in the art would have been motivated to perform such a modification because conventional risk determination methods need improvements that is economical use of resources and time see ‘388 paragraphs 3-12. 
	As to dependent claim 2, “The method of claim 1, further comprising generating a webpage that specifies the cyber risk associated with the digital data asset” is taught in ‘388 Abstract, Figure 2, paragraph 14, note the system uses a Web based Application, that models (specifies) the cyber risk associated with the project (i.e. digital asset).
	As to dependent claim 3, “The method of claim 1, further comprising financially quantifying the cyber risk using the attributes and definable mathematical operands” is disclosed in ‘740 paragraphs 4, 45-46, and 61.
	As to dependent claim 4, “The method of claim 1, further comprising determining the cyber risk associated with the digital asset based on outputs generated by the cyber risk algorithms” is disclosed in ‘388 paragraphs 63, 100-105, and 122.
	As to dependent claim 8, “The method of claim 1, further comprising comparing the cyber risk to a threshold value” is taught in ‘740 paragraph 95, note “Alerts or notifications may be sent to interested users when risk levels change or when predetermined thresholds are exceeded or both”.
	As to dependent claim 9, “The method of claim 8, further comprising determining the cyber risk fails to satisfy the threshold value” is taught in ‘740 Abstract, paragraphs 6, 15, and 95.
	As to dependent claim 10, “The method of claim 9, further comprising generating a notification in response to the cyber risk failing to satisfy the threshold value” is shown in ‘740 Abstract, paragraphs 6, 15, and 95. 
	As to dependent claim 12, “The method of claim 1, further comprising classifying the digital asset” is disclosed in ‘388 paragraph 97.
	As to dependent claim 13, “The method of claim 1, further comprising determining a data exfiltration exposure associated with the digital asset based on a number of records associated with the digital asset inventory multiplied by an average cost per stolen record” is taught in ‘388 paragraphs 97-98 and Table 3, note on Table 3 the Questions/Answers provide details related to the type of data and the associated risks, i.e. security ranking, dollar  amount, criticality of process these questions/answers provide “data exfiltration exposure” as defined by Applicant’s disclosure in paragraphs 11 and 52.
	As to dependent claim 14, “The method of claim 13, further comprising inputting a number of electronic data records breached during a cyber security incident” is taught in ‘388 paragraphs 97-98 and Table 3.
	As to dependent claim 16, “The method of claim 1, further comprising retrieving a business interruption exposure associated with the digital asset” is disclosed in ‘388 paragraphs 97-98 and Table 3.
	As to dependent claim 17, “The method of claim 1, further comprising retrieving a cyber risk exposure associated with the digital asset” is disclosed in ‘740 paragraphs 109-110 and 121, note each software application (i.e. digital asset) receives an indication of one or more properties associated with the software application which may include regulatory compliance status or “regulatory data”. 	
	As to dependent claim 18, “The method of claim 1, further comprising retrieving a cyber risk exposure associated with the digital asset” is shown in ‘388 paragraphs 96-97.
13.	Claims 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Mahabir et al. U.S. Patent Application Publication No. 2017/0244740 (hereinafter ‘740) in view of Nelson et al. U.S. Patent Application Publication No. 2006/0117388 (hereinafter ‘388) in further view of Hassell et al. U.S. Patent Application Publication No. 2015/02959948 (hereinafter ‘948).
	As to dependent claim 5, the following is not explicitly taught in ‘740 and ‘388: “The method of claim 1, further comprising determining a cyber resiliency associated with the digital asset” however ‘948 teaches determining the resiliency associated with the digital asset in paragraphs 13-14.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of system and method for enhancing security in a computer network taught ‘740 and ‘388 to include a means to determine resiliency.  One of ordinary skill in the art would have been motivated to perform such a modification because cyber security is a global issue of growing importance see ‘948 paragraphs 2-4. 
 	As to dependent claim 6, “The method of claim 1, further comprising dynamically determining a cyber resiliency associated with the digital asset in near real time” is shown in ‘948 paragraph 23. 
14.	Claims 7 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Mahabir et al. U.S. Patent Application Publication No. 2017/0244740 (hereinafter ‘740) in view of Nelson et al. U.S. Patent Application Publication No. 2006/0117388 (hereinafter ‘388) in further view of Hamby U.S. Patent Application Publication No. 2016/0239665 (hereinafter ‘665).
	As to dependent claim 7, the following is not explicitly taught in ‘388 and ‘740: “The method of claim 1, further comprising determining a cyber insurance associated with the digital asset” however ‘665 teaches cyber liability insurance is determined (i.e. evaluated) in the Abstract, paragraphs 2 and 8.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of system and method for enhancing security in a computer network taught ‘740 and ‘388 to include a means to determine cyber insurance associated with the digital asset.  One of ordinary skill in the art would have been motivated to perform such a modification because the growth of networked computer systems has directly or indirectly resulted in the increased frequency and complexity of cyber-attacks and cyber liability insurance has evolved see ‘665 paragraphs 3-5.
	As to dependent claim 11, the following is not explicitly taught in ‘388 and ‘948: “The method of claim 1, further comprising determining a third-party cyber risk associated with the digital asset” however ‘665 teaches the embodiments disclosed herein although specifically addressing the cyber-liability insurance transactions, are not limited to insurance policy transaction so named. The risk may also be assigned to third-parties may be an important factor in cyber-liability pricing in paragraph 46.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of system and method for modeling information security risk taught in ‘388 and ‘948 to include a means to determine third-party cyber risk associated with the digital asset.  One of ordinary skill in the art would have been motivated to perform such a modification because the growth of networked computer systems has directly or indirectly resulted in the increased frequency and complexity of cyber-attacks and cyber liability insurance has evolved to include third-parties see ‘665 paragraphs 3-5 and 46.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
15.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ELLEN C TRAN whose telephone number is (571) 272-3842.  The examiner can normally be reached from M-F 9 AM to 6PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
		If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached at 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
/ELLEN TRAN/Primary Examiner, Art Unit 2433                                                                                                                                                                                                        19 October 2022