DETAILED ACTION
Response to Amendment
 	This Final office action is in response to Applicant’s amendment filed 9/7/2022. Claims 1, 8 and 13 have been amended. Claims 1, 3-8, 10-15 and 17-20 are pending.

 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

 	Applicant's arguments filed 9/7/2022 have been fully considered but they are not persuasive.

Claim Rejections - 35 USC § 103
 	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
 	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

 	Claims 1, 3-8, 10-15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sarkissian (US 20200410001 A1), in view of Argoeti et al (US 20200274894 A1).
As per claim 1, Sarkissian discloses a method, comprising: 
retrieving data corresponding to an asset, wherein the asset is a computing device or software application of an enterprise system (i.e., FIGS. 1A and 1B show a dataflow diagram of systems and techniques according to various examples. Some examples include categorizing, collecting and processing data to create a baseline dataset, ¶ 0042, wherein An event-source device 802 (e.g., a Question & Answer (Q&A) user interface (UI), API client device, or computer running a software agent to detect or report events) can be configured to collect data from external sources (e.g., risk-relevant changes outside the system's immediate and internal environment) relevant to users of system 800. The event-source device 802 can, e.g., collect of data from set formats delivered from various utility, organizational, security, cyber security or compliance tools such as vulnerability scans results, penetration test results, quality assurance test results or other Form Data, ¶ 0151); 
identifying a set of vulnerabilities of the asset (i.e., a " risk" describes a threat that may exploit a vulnerability and thereby cause loss, damage, or destruction of an asset. Risks can include, but are not limited to, internal or external cyber risks, threats and vulnerabilities, or other risks, ¶ 0035, Cloud based software to detect and mitigate risks (e.g., implementing FIG. 1A-1B, 3-6, or 9-24, or running on systems of FIG. 7 or 8), ¶ 0037); 
generating a user interface for the asset comprising a list including each targeted recommendation; providing the user interface for display (i.e., decisions regarding suggestions (or recommended treatments and solutions) or other items in the Stream (1c) can include, e.g., decisions to accept a recommendation, accept a risk (e.g., refuse a recommendation), or postpone a decision. Other actions can take in the form of a confirmation (or a decision) of an advice, reminder, notification or alert by clicking Confirm, Decline, OK, or Skip, ¶ 0043, wherein Various examples determine commands, e.g., commands to present recommendations of actions which users will find useful via a user interface (e.g., FIGS. 11, 15, 16, 18, 20), or commands to carry out those actions (e.g., configuration commands) (e.g., FIGS. 12, 22, 24), ¶ 0091);
receiving user selection of a particular targeted recommendation in the list, the particular targeted recommendation mitigating a particular vulnerability of the subset of vulnerabilities; and 
applying the security control identified by the particular targeted recommendation to the asset to mitigate the particular vulnerability (i.e., Various examples determine computational models using at least one of: Natural Language Processing (NLP), deep learning, or Probabilistic Graphical Models (PGMs). Various examples determine commands, e.g., commands to present recommendations of actions which users will find useful via a user interface (e.g., FIGS. 11, 15, 16, 18, 20), or commands to carry out those actions (e.g., configuration commands) (e.g., FIGS. 12, 22, 24), ¶ 0091).
Sarkissian does not explicitly disclose for each vulnerability in the set of vulnerabilities, determining whether a respective measure of effectiveness of a respective security control has breached a respective threshold measure of effectiveness of the respective security control; and 
for each vulnerability in a subset of the set of vulnerabilities, responsive to determining that the respective measure of effectiveness of the respective security control has breached the respective threshold measure of effectiveness of the respective security control, generating a targeted recommendation to implement a security control on the asset for mitigating the vulnerability.
Argoeti et al disclose the risk assessment 1210 process 1200, 1300, 1400 also includes performing 1310 at least one cybersecurity action 1100 based on the recommendation score, including at least one of: a risk acceptance action 1112 which accepts 1112 a risk R 804, and a risk mitigation 1102 action 1102 which aids mitigation 1102 of the risk R 804 (¶ 0263).
Some possible actions 1100 include preventing 1104 access to the storage item or resource identified in the request, terminating 1106 an access-in-progress to the storage item or resource identified in the request, alerting 1108 an administrator (a person), or actively allowing 1118 the access after comparison of the recommendation score to pertinent threshold(s) 1208 subject to 1408 the inverse relationship 1406 between recommendations and risk measures (¶ 0276).
FIG. 14 further illustrates some method embodiments in a general flowchart 1400. Technical methods shown in the Figures or otherwise disclosed will be performed automatically, e.g., by cybersecurity system 800, unless otherwise indicated. Methods may also be performed in part automatically and in part manually to the extent action by a human administrator or other human person is implicated, e.g., a person may set thresholds 1208 that determine which action 1100 is taken. No method contemplated as innovative herein is entirely manual. In a given embodiment zero or more illustrated steps of a method may be repeated, perhaps with different parameters or data to operate on (¶ 0277).
Inversion 1406 may also be implicit in the comparison tests, thresholds 1208, and actions 1100 take, e.g., code that allows 1118 an access 1120 continue or to occur when a recommendation_score is above 0.75 in a range of [0 . . . 1], attempts to prevent 1104 or terminate 1106 an access when the recommendation_score is below 0.5, and otherwise flags 1110 the access attempt for review. In each case in these examples, however, the risk assessor code 806 or other code 122 takes 1310 cybersecurity action 1100 based on the recommendation score 810 (¶ 0303).
Sarkissian and Argoeti et al are concerned with effective cybersecurity risk management.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include for each vulnerability in the set of vulnerabilities, determining whether a respective measure of effectiveness of a respective security control has breached a respective threshold measure of effectiveness of the respective security control; and for each vulnerability in a subset of the set of vulnerabilities, responsive to determining that the respective measure of effectiveness of the respective security control has breached the respective threshold measure of effectiveness of the respective security control, generating a targeted recommendation to implement a security control on the asset for mitigating the vulnerability in Sarkissian, as seen in Argoeti et al, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
As per claim 3, Sarkissian discloses wherein the user interface comprises a risk factors and mitigations panel that lists tactics for mitigating risk for the asset (i.e., Dashboard (10) can provide a summary view of determined risk(s) associated with a project, e.g., via a graphical user interface presented on an electronic display, or via another user interface, ¶ 0082. Dashboard (10) can provide various visualizations. Visualizations can include, but are not limited to: graphs with configurable filtering and timeframe options, heat maps, or a timeline representation showing when milestones were achieved (such as reaching compliance with a framework). Example heatmaps can plot risk, likelihood of an adverse event vs. the severity of that event, and associated costs for preventing or mitigating a risk, ¶ 0083).
As per claim 4, Sarkissian discloses wherein the user interface comprises an installed applications panel listing software applications installed upon the asset (i.e., "Risk Data" can include, but is not limited to: relevant sections of the platform or application or meta-information, ¶ 0039).
As per claim 5, Sarkissian discloses receiving a user interaction at a portion of a second user interface corresponding to the asset; wherein the user interface for the asset is generated responsive to receiving the user interaction (i.e., decisions regarding suggestions (or recommended treatments and solutions) or other items in the Stream (1c) can include, e.g., decisions to accept a recommendation, accept a risk (e.g., refuse a recommendation), or postpone a decision. Other actions can take in the form of a confirmation (or a decision) of an advice, reminder, notification or alert by clicking Confirm, Decline, OK, or Skip, ¶ 0043, wherein Various examples determine commands, e.g., commands to present recommendations of actions which users will find useful via a user interface (e.g., FIGS. 11, 15, 16, 18, 20), or commands to carry out those actions (e.g., configuration commands) (e.g., FIGS. 12, 22, 24), ¶ 0091).
As per claim 6, Sarkissian discloses wherein the user interface comprises a risk score for the asset (i.e., In some examples, the Stream is configured to surface (e.g., present an indication of via a UI) risks of various importances (critical, high, medium, low, compliant) to a particular system (e.g., Client) on a per-system basis,  ¶ 0053, wherein system can determine risk scores. An example risk-scoring mechanism is: 1--critical, 2--high, 3--medium, 4--low, 5--compliant or N/A; another is a score of 1-3; still another is a score indicating likelihood versus impact. Some examples can use compute risk scores based at least in part on adding weights, likelihoods, or impacts of risks, or costs of remediations. Various examples standardize or index scores from different scales into grouped comparable data, ¶ 0054).
As per claim 7, Sarkissian discloses wherein the user interface comprises an indicator of a potential change in risk score if recommendations are implemented (i.e., Once a single assessment is done, module 2 can update the risk model, and can provide alerts (e.g., in the form of commands to user-interface devices) if the assessed organization may not stay within a predetermined risk-score range (e.g., below a threshold), ¶ 0108).
Claims 8 and 10-14 are rejected based upon the same rationale as the rejection of claims 1 and 3-7, respectively, since they are the computer readable medium claims corresponding to the method claims.
Claims 15 and 17-20 are rejected based upon the same rationale as the rejection of claims 1, 3 and 5-7, respectively, since they are the system claims corresponding to the  method claims.

Response to Arguments
 	In the Remarks, Applicant argues Argoeti's scores, as well as the respective "recommendation score threshold," do not teach or suggest the claim features, particularly "a respective measure of effectiveness of a respective security control" and "a respective threshold measure of effectiveness." 
The claimed invention's "respective measure of effectiveness" is of a respective security control, e.g., the effectiveness of the security control to mitigate the risk posed by the vulnerability to which that security control corresponds. This is not taught or suggested by Argoeti's "risk score" or "recommendation score," the inverse of the risk score, which is a value generated by a machine-learned model to estimate the threat posed by a particular actor (e.g., user, group, IP address - see Argoeti, Abstract) to a particular resource. The claimed invention's measure is that of a security control, whereas Argoeti's score is for a threat, specifically for a certain resource.  
Furthermore, Argoeti does not teach or suggest the use of measures or thresholds as claimed. Cited paragraph 287 of Argoeti simply involves the display of a score threshold as "explanatory content[]." This does not teach or suggest, for example, generating a targeted recommendation responsive to a measure of effectiveness passing a threshold. 
The Office action at pp. 9-12, in the Response to Arguments, points to Argoeti's "risk assessment process" which scores the actor/resource tuple mentioned above. The Office action then continues to purport that Argoeti performs "some action" as a result of this risk assessment process. Again, none of the cited portions of Argoeti involve a measure of effectiveness of a respective security control, as explained above. The Examiner respectfully disagrees.
As discussed in the updated rejection, Argoeti et al disclose the risk assessment 1210 process 1200, 1300, 1400 also includes performing 1310 at least one cybersecurity action 1100 based on the recommendation score, including at least one of: a risk acceptance action 1112 which accepts 1112 a risk R 804, and a risk mitigation 1102 action 1102 which aids mitigation 1102 of the risk R 804 (¶ 0263).
Some possible actions 1100 include preventing 1104 access to the storage item or resource identified in the request, terminating 1106 an access-in-progress to the storage item or resource identified in the request, alerting 1108 an administrator (a person), or actively allowing 1118 the access after comparison of the recommendation score to pertinent threshold(s) 1208 subject to 1408 the inverse relationship 1406 between recommendations and risk measures (¶ 0276).
Technical methods shown in the Figures or otherwise disclosed will be performed automatically, e.g., by cybersecurity system 800, unless otherwise indicated. Methods may also be performed in part automatically and in part manually to the extent action by a human administrator or other human person is implicated, e.g., a person may set thresholds 1208 that determine which action 1100 is taken. No method contemplated as innovative herein is entirely manual. In a given embodiment zero or more illustrated steps of a method may be repeated, perhaps with different parameters or data to operate on (¶ 0277).
Inversion 1406 may also be implicit in the comparison tests, thresholds 1208, and actions 1100 take, e.g., code that allows 1118 an access 1120 continue or to occur when a recommendation_score is above 0.75 in a range of [0 . . . 1], attempts to prevent 1104 or terminate 1106 an access when the recommendation_score is below 0.5, and otherwise flags 1110 the access attempt for review. In each case in these examples, however, the risk assessor code 806 or other code 122 takes 1310 cybersecurity action 1100 based on the recommendation score 810 (¶ 0303).
As a result, and contrary to Applicant’s assertion, Argoeti et al indeed discloses for each vulnerability in the set of vulnerabilities, determining whether a respective measure of effectiveness of a respective security control has breached a respective threshold measure of effectiveness of the respective security control; and for each vulnerability in a subset of the set of vulnerabilities, responsive to determining that the respective measure of effectiveness of the respective security control has breached the respective threshold measure of effectiveness of the respective security control, generating a targeted recommendation to implement a security control on the asset for mitigating the vulnerability.

Conclusion
 	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

 	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDRE D BOYCE whose telephone number is (571)272-6726. The examiner can normally be reached M-F 10a-6:30p.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao (Rob) Wu can be reached on (571) 272-6045. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ANDRE D BOYCE/Primary Examiner, Art Unit 3623                                                                                                                                                                                                        November 13, 2022