Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the Amendment filed 08/11/2022. 
In the Instant Amendment, claims 1, 12 and 19 are amended; claims 1, 12 and 19 are independent claims; Claims 1-20 are pending in this application. THIS ACTION IS MADE FINAL. 


Response to Arguments
Applicant’s arguments in the instant Amendment, filed on 08/11/2022 with respect to the 35 U.S.C. 101 rejection, have been fully considered but they are not persuasive. 
Applicant argues (pages 7-10) that the 35 U.S.C. 101 rejection of claims 1-20 should be withdrawn because applicant amended the claims to include “determining, by the computing device and for the vulnerability, a mitigating factor score, wherein the mitigating factor score is indicative of a mitigation applied to the vulnerability by an enterprise organization, wherein the mitigating factor score is increased responsive to a determination that the mitigation is able to automatically be rolled out to enterprise assets of the enterprise organization, and wherein the mitigation factor score is increased responsive to a determination that the mitigation is irreversible, generating, by the computing device and for the vulnerability, a risk score, wherein the risk score is a composite of the updated temporal score and the mitigating factor score; determining, based on the risk score for the vulnerability, an enterprise risk score for the enterprise organization ... and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization.” These amended claims are not in a group of (a) mathematical concepts, (b) certain methods of organizing human activities, or (c) mental processes and thus are not abstract under Prong One and Prong Two of Revised Step 2A. The claims include “something more” than the abstract idea and, thus, are arguably patent-eligible (thus, Step 2B: Yes). Here, the claims are arguably patent eligible under section 101 and recite “significantly more” than an abstract idea as they affect an improvement in the technology and/or technical field of cybersecurity by providing a method that determines a risk score, which is a composite of the updated temporal score and a mitigating factor score, and aggregates all of the risk scores together to produce an enterprise risk score for the enterprise organization.

The Examiner respectfully disagrees with the applicant’s arguments because the claims reciting “determining, by the computing device and for the vulnerability, a mitigating factor score, wherein the mitigating factor score is indicative of a mitigation applied to the vulnerability by an enterprise organization, wherein the mitigating factor score is increased responsive to a determination that the mitigation is able to automatically be rolled out to enterprise assets of the enterprise organization, and wherein the mitigation factor score is increased responsive to a determination that the mitigation is irreversible, generating, by the computing device and for the vulnerability, a risk score, wherein the risk score is a composite of the updated temporal score and the mitigating factor score; determining, based on the risk score for the vulnerability, an enterprise risk score for the enterprise organization ... and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization,” are directed to an abstract idea, as the claims recite a mental process that could be done in the human mind. Thus the claims as amended recite an abstract idea. The claims as a whole do not integrate the exception into a practical application or provide an inventive concept. It’s noted that the claims recite the step of “automatically rolling out the mitigation applied to the vulnerability to one or more enterprise assets of the enterprise organization.” The claims are written very generically and do not integrate the exception into a practical application. It’s also noted that the claims recite additional elements (i.e., processor, and a memory unit).
However, said additional elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function “determining,” “generating,” “determining,” “roll(ing) out”) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claims are not patent eligible. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application. Therefore, the 35 U.S.C. 101 rejection is maintained.

Applicant’s arguments with respect to claim(s) 1, 12 and 19 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter as being directed to an abstract idea without being integrated into a practical application or significantly more.
Regarding claims 1, 12 and 19, claims 1, 12 and 19 are rejected under 35 USC 101 because the claims are directed to an abstract idea without being integrated into a practical application or amounting to significantly more.

The claims reciting the limitations “determining, [], a mitigating factor score,” “generating, [], a risk score” and “determining, [], an enterprise risk score,” “roll out, [] the mitigation” are directed to an abstract idea as the claims recite a mental process that could be done in the human mind. Accordingly, the claims recite an abstract idea.
The claims as a whole do not integrate the exception into a practical application or provide an inventive concept. It’s noted that the claims recite the step of displaying ‘risk score;’ however, displaying a score does not integrate the exception into a practical application. The claims as amended recite “automatically roll out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization,” which are written very generically and do not integrate the exception into a practical application. 
It’s also noted that the claims recite additional elements (i.e., processor, and a memory unit). However, said additional elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function “determining,” “generating,” “determining,” “roll(ing) out”) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because the additional elements perform generic computer “determining,” “generating,” “determining,” “roll(ing) out” functions routinely used in the information technology field. None of the steps recited in claims 1, 12 and 19 transform the nature of the claim into patent-eligible subject matter. As a result, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform “determining,” “generating,” “determining,” “rolling out,” steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.

Regarding claims 2-11, 13-18 and 20, claims 2-11, 13-18 and 20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims are directed to an abstract idea without being integrated into a practical application or being significantly more.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Rosauer et al (“Rosauer,” US 20120072247) in view of Williams et al (“Williams,” US 20130253979) and further in view of Patel et al (“Patel,” US 20180351987). 

Regarding claim 1, Rosauer discloses a method comprising:
retrieving, from an industry standard setting scoring system and by a computing device and for a vulnerability, a temporal score based on a pre-revision version of a scoring system; (Rosauer, [0096] & FIG 9 describes retrieving, from an industry standard setting scoring system and by a computing device and for a vulnerability, a score based on time based on a pre-revision version of a scoring system and these may be stratified as a histogram, for example, by scoring relative risk according to decile 904)
predicting, based on a machine learning model and the temporal score based on the pre-revision version of the scoring system, an updated temporal score based on a post-revision version of the scoring system; (Rosauer, [0094] & FIG 1 describes predicting, based on a machine learning model and the score based on time based on the pre-revision version of the scoring system, an updated score based on time based on a post-revision version of the scoring system by use of algorithms that are provided as natural intelligent learning algorithms may be used to train themselves from the raw data of dataset 108, or by use of interim calculation results)
determining, by the computing device and for the vulnerability, a mitigating factor score, wherein the mitigating factor score is indicative of a mitigation applied to the vulnerability by an enterprise organization; (Rosauer, [0076] & FIG 1 describes determining, by the computer and for the vulnerability, a mitigating factor score, wherein the mitigating factor score is indicative of a mitigation applied to the vulnerability by an enterprise organization because as a pattern recognition engine 126 selects and combines statistically significant data fields by performing statistical analysis, such as a multivariate statistical analysis, relating these data fields to a risk value under study. Generally, the multivariate analysis combines the respective data fields using a statistical processing technique to stratify a relative risk score and relate the risk score to a risk value under study)
generating, by the computing device and for the vulnerability, a risk score, wherein the risk score is a composite of the updated temporal score and the mitigating factor score; (Rosauer, [0087] & FIG 4 describes generating, by the computer and for the vulnerability, a risk score, wherein the risk score is a composite of the updated score based on time and the mitigating factor score because the aggregator 416 operates upon prior history to roll up or accumulate extracted values over a predetermined time interval)
determining, based on the risk score for the vulnerability, an enterprise risk score for the enterprise organization, wherein the enterprise risk score is an aggregate of risk scores for vulnerabilities in a collection of vulnerabilities, (Rosauer, [0124] describes determining based on the risk score for the vulnerability, an enterprise risk score for the enterprise organization, wherein the enterprise risk score is an aggregate of the risk scores for vulnerabilities in a collection of vulnerabilities because the relative risk score may be, for example, an overall change of incurring a loss as predicted by an ensemble and scaled to a range of 0 to 100 on the basis of the model output a histogram or frequency distribution of this predictive value) and
displaying, via a graphical user interface, the enterprise risk score, (Rosauer, [0159], Figures 1 and 17 describe displaying by a graphical user interface, the enterprise risk score because modeling desktop 2014 is a user interface that facilitates model development, for example, according to processes shown in FIG.1. This type of desktop may be used by the respective masters and workers of FIG.17).
Rosauer fails to explicitly disclose enterprise organization, wherein the mitigating factor score is increased responsive to a determination that the mitigation is able to automatically be rolled out to enterprise assets of the enterprise organization, and wherein the mitigation factor score is increased responsive to a determination that the mitigation is irreversible; and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization. 
However, in an analogous art, Williams discloses wherein the mitigating factor score is increased responsive to a determination that the mitigation is able to automatically be rolled out to enterprise assets of the enterprise organization, (Williams, [0004], [0167], [0166], 1900, FIG 19 shows the mitigation score is increased responsive to a determination that the mitigation is able to be rolled out to enterprise assets of the enterprise organization)
and wherein the mitigation factor score is increased responsive to a determination that the mitigation is irreversible; (Williams, [0004], [0154]-[0155]; [0157]-[0159] describe wherein the mitigation maturity score is increased responsive to a determination that the mitigation is irreversible)
and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization (Williams, [0004], [0132], FIG 7, FIG 26, [0042] describes and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Williams with the method/system of Rosauer to include wherein the mitigating factor score is increased responsive to a determination that the mitigation is able to automatically be rolled out to enterprise assets of the enterprise organization, and wherein the mitigation factor score is increased responsive to a determination that the mitigation is irreversible; and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization. One would have been motivated to manage risk by computing an organizational maturity score based on the ability of the organization to mitigate the actions of the potential threat and recover from a given scenario (Williams, [0004]).
Rosauer and Williams fail to explicitly disclose and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization.
However, in an analogous art, Patel discloses and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization, (Patel, [0088], [0019], [0157], describe and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Patel with the method/system of Rosauer and Williams to include and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization. One would have been motivated to remediate or mitigate cyber-related operability issues (Patel, [0004]).

Regarding claim 2, Rosauer, Williams and Patel disclose the method of claim 1.
Rosauer further discloses further comprising:
determining (1) an effectiveness measure indicative of a success of the mitigation, (Rosauer, [0075] describes determining an effectiveness measure indicative of a success of the mitigation because the target data may also be reported in multiplicative combinations, such as frequency of loss and severity of loss. Segmentation may occur in an automated way based upon an empirical splitting function, such as a function that segments data on the basis of prior claims history, prior criminal history, geography, demographics, industry type, insurance type, policy size as measured by a number of covered individuals, policy size as measured by total amount of insurance, and combinations of these parameters)
(2) a completeness measure indicative of a percentage of total enterprise assets that the mitigation has been applied to, (Rosauer, [0075] describes a completeness measure indicative of a percentage of total enterprise assets that the mitigation has been applied to because the target data may also be reported in multiplicative combinations, such as frequency of loss and severity of loss. Segmentation may occur in an automated way based upon an empirical splitting function, such as a function that segments data on the basis of prior claims history, prior criminal history, geography, demographics, industry type, insurance type, policy size as measured by a number of covered individuals, policy size as measured by total amount of insurance, and combinations of these parameters) and
(3) an enforcement measure indicative of a success in enforcing the mitigation; (Rosauer, [0075] describes an enforcement measure indicative of a success in enforcing the mitigation because the target data may also be reported in multiplicative combinations, such as frequency of loss and severity of loss. Segmentation may occur in an automated way based upon an empirical splitting function, such as a function that segments data on the basis of prior claims history, prior criminal history, geography, demographics, industry type, insurance type, policy size as measured by a number of covered individuals, policy size as measured by total amount of insurance, and combinations of these parameters) and
wherein determining the mitigating factor score further comprises determining a combination of the effectiveness measure, the completeness measure, and the enforcement measure, (Rosauer, [0075] describes wherein determining the mitigating factor score further comprises determining a combination of the effectiveness measure, the completeness measure and enforcement measure because the target data may also be reported in multiplicative combinations, such as frequency of loss and severity of loss. Segmentation may occur in an automated way based upon an empirical splitting function, such as a function that segments data on the basis of prior claims history, prior criminal history, geography, demographics, industry type, insurance type, policy size as measured by a number of covered individuals, policy size as measured by total amount of insurance, and combinations of these parameters)

Regarding claim 3, Rosauer, Williams and Patel disclose the method of claim 2. 
Rosauer further discloses further comprising:
applying a first weight to the effectiveness measure; (Rosauer, [0093] & FIG 6 describes applying a first weight to the effectiveness measure)
applying a second weight to the completeness measure; (Rosauer, [0093] & FIG 6 describes applying a second weight to the completeness measure)
applying a third weight to the enforcement measure; (Rosauer, [0093] & FIG 6 describes applying a third weight to the enforcement measure) and
wherein determining the combination of the effectiveness measure, the completeness measure, and the enforcement measure further comprises determining a weighted combination based on the first weight, the second weight, and the third weight, (Rosauer, [0093] & FIG 6 describes wherein determining the combination of the effectiveness measure, the completeness measure, and the enforcement measure further comprises determining a weighted combination based on the first weight, the second weight, and the third weight)

Regarding claim 4, Rosauer, Williams and Patel disclose the method of claim 2. 
wherein determining the enforcement measure further comprises: determining whether the mitigation may be automatically rolled out to all enterprise assets (Rosauer, [0139], describes wherein the determining the enforcement measure further comprises: determining whether the mitigation may be automatically rolled out to all enterprise assets because these may be combined as a computational learning technique for developing risk scores. In another embodiment, these may be combined as using grid computing to develop a risk score. Another combination might include automating the risk scoring process. These may be combined as any combination or permutation, considering that the modeling results may vary as a matter of selected processing sequences)

Regarding claim 5, Rosauer, Williams and Patel disclose the method of claim 2. 
Rosauer further discloses wherein determining the enforcement measure further comprises: determining whether the enforcing of the mitigation may be prevented, (Rosauer, [0090] & FIG 4, describes wherein determining the enforcement measure further comprises determining whether the enforcing of the mitigation may be prevented because pattern 440 is a leveler protocol that places boundaries on the risk information to avoid either undue reliance on a particular indicator or excess exposure in the case of high damages exposure)

Regarding claim 6, Rosauer, Williams and Patel disclose the method of claim 2. 
Rosauer further discloses wherein determining the enforcement measure further comprises: determining whether the applying of the mitigation is reversible, (Rosauer, [0088] & FIG 4, describes wherein determining the enforcement measure further comprises determining whether the applying of the mitigation is reversible because pattern 424 is a feature extractor that contains a lookup pre-processor 426. The lookup pre-processor 426 accesses external data 114 to provide or report from derived data 428, which has been obtained as described above. This data receives special handling to form ensembles in an expert way according to a predetermined set of derived data rules 428)

Regarding claim 7, Rosauer, Williams and Patel disclose the method of claim 1. 
Rosauer further discloses wherein the risk score is based on an additive relationship between the updated temporal score and the mitigating factor score, (Rosauer, [0075], describes wherein the risk score is based on an additive relationship between the updated score based on time and the mitigation factor score because subpopulations of dataset 108 may be further limited to types of violations, such as speeding or running a red light, and as particular geography, such as a residence in a particular state or city. According to this strategy, a target variable is reported on the basis of a parameter that operates as a filter. The target data may be reported into additive components, such as physical damage of loss and assessment of liability, for example, where a driver may have had an accident that caused a particularly large loss, but the driver was not at fault)

Regarding claim 8, Rosauer, Williams and Patel disclose the method of claim 1. 
Rosauer further discloses wherein the risk score is based on a product of the updated temporal score and an exponential decay value of the mitigating factor score, (Rosauer, [0087] & FIG 4 describes wherein the risk score is based on a product of the updated score based on time and an exponential decay value of the mitigating factor score because in another instance, pattern 412 addresses a sequencer analysis. Historical risk values, such as those for loss ratio field 414, may be time-segregated to ascertain the relative predictive value of the most current information versus older data. The sequencer provides a temporal abstract that may shift a variable over time. This feature may be used to search for lagging variables in a dataset, such as prior claim history)

Regarding claim 9, Rosauer, Williams and Patel disclose the method of claim 1. 
Rosauer further discloses wherein the risk score is based on an additive relationship between the updated temporal score and an exponential decay value of the mitigating factor score (Rosauer, [0163], describes wherein the risk score is based on an additive relationship between the updated score based on time and an exponential decay value of the mitigating factor score because sources of external data may be continuously updated, so this preprocessing based upon a call from the ensemble to perform data enrichment and preprocessing is one way to update the predictive accuracy of the model as time progresses after model development).

Regarding claim 10, Rosauer, Williams and Patel disclose the method of claim 1. 
Rosauer further discloses wherein the machine learning model utilizes a gradient boosting technique, (Rosauer, [0086] & FIG 4 describe wherein the machine learning model uses a gradient boosting technique because the process library 312 may be provided as an expert system that contains rules for analysis of the data. Experts in these fields and experts in the field of model building may be consulted to provide options for ensemble building, and these options may be provided as a system of expert rules. This is useful in the development of relationships or associations among the various parts of the ensemble. Pattern 400 constitutes a temporal boost. In this case, industry experts are consulted to identify underwriting parameters that foment rules 402, 404, 406 constituting predetermined parameters to boost long, short, and medium term policy financial results)

Regarding claim 11, Rosauer, Williams and Patel disclose the method of claim 1. 
Rosauer further discloses further comprising: training the machine learning model to predict the updated temporal score, (Rosauer, [0127], describes training the machine learning model to predict the updated score based on time because only a small fraction of risk factors are predictive. The above procedure uses massive computational power to develop a model around the most representative risk factors. Artificial intelligence techniques and computational learning technology may be used to cycle through different proxy models iteratively, observe the results, learn from those results, and use that learning to decide which model to iterate next)

Regarding claim 12, Rosauer discloses an apparatus, comprising: 
a memory unit storing computer-executable instructions, which when executed by the processor, cause the apparatus to:
predict, based on a machine learning model and based on a temporal score based on a pre-revision version of a scoring system, an updated temporal score based on a post-revision version of the scoring system; (Rosauer, [0094] & FIG 1 describes predicting, based on a machine learning model and the score based on time based on the pre-revision version of the scoring system, an updated score based on time based on a post-revision version of the scoring system by use of algorithms that are provided as natural intelligent learning algorithms may be used to train themselves from the raw data of dataset 108, or by use of interim calculation results)
determine, by the computing device and for the vulnerability, a mitigating factor score, wherein the mitigating factor score is indicative of a mitigation applied to the vulnerability by an enterprise organization; (Rosauer, [0076] & FIG 1, describes determine, by the computing device and for the vulnerability, a mitigating factor score, wherein the mitigating factor score is indicative of a mitigation applied to the vulnerability by an enterprise organization because the pattern recognition engine 126 selects and combines statistically significant data fields by performing statistical analysis, such as a multivariate statistical analysis, relating these data fields to a risk value under study. Generally, the multivariate analysis combines the respective data fields using a statistical processing technique to stratify a relative risk score and relate the risk score to a risk value under study)
generate, by the computing device and for the vulnerability, a risk score, wherein the risk score is a composite of the updated temporal score and the mitigating factor score; (Rosauer, [0087] & FIG 4, describes generating by the computer and for the vulnerability, a risk score wherein the risk score is a composite of the updated score based on time and the mitigating factor score because the aggregator 416 operates upon prior history to roll up or accumulate extracted values over a predetermined time interval)
determine, based on the risk score for the vulnerability, an enterprise risk score for the enterprise organization, wherein the enterprise risk score is an aggregate of risk scores for vulnerabilities in a collection of vulnerabilities, (Rosauer, [0124], describes determine, based on the risk score for the vulnerability, an enterprise risk score for the enterprise organization, wherein the enterprise risk score is an aggregate of risk scores for vulnerabilities in a collection of vulnerabilities because the relative risk score may be, for example, an overall change of incurring a loss as predicted by an ensemble and scaled to a range of 0 to 100 on the basis of the model output a histogram or frequency distribution of this predictive value, para [0124]) and
display, via a graphical user interface, the enterprise risk score, (Rosauer, [0159], Figures 1 and 17 describe display by a graphical user interface, the enterprise risk score because modeling desktop 2014 is a user interface that facilitates model development, for example, according to processes shown in FIG.1. This type of desktop may be used by the respective masters and workers of FIG.17).
Rosauer fails to explicitly disclose wherein the mitigating factor score is increased responsive to a determination that the mitigation is able to automatically be rolled out to enterprise assets of the enterprise organization, and wherein the mitigation factor score is increased responsive to a determination that the mitigation is irreversible; and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization; and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization.
However in an analogous art, Williams discloses wherein the mitigating factor score is increased responsive to a determination that the mitigation is able to automatically be rolled out to enterprise assets of the enterprise organization, (Williams, [0004], [0167], [0166], 1900, FIG 19 shows the mitigation score is increased responsive to a determination that the mitigation is able to be rolled out to enterprise assets of the enterprise organization)
and wherein the mitigation factor score is increased responsive to a determination that the mitigation is irreversible; (Williams, [0004], [0154]-[0155]; [0157]-[0159] describe wherein the mitigation maturity score is increased responsive to a determination that the mitigation is irreversible)
and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization, (Williams, [0004], [0132], FIG 7, FIG 26, [0042] describes and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Williams with the method/system of Rosauer to include wherein the mitigating factor score is increased responsive to a determination that the mitigation is able to automatically be rolled out to enterprise assets of the enterprise organization, and wherein the mitigation factor score is increased responsive to a determination that the mitigation is irreversible; and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization. One would have been motivated to manage risk by computing an organizational maturity score based on the ability of the organization to mitigate the actions of the potential threat and recover from a given scenario (Williams, [0004]).
Rosauer and Williams fail to explicitly disclose and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization;
However, in an analogous art, Patel discloses and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization; (Patel, [0088], [0019], [0157], describe and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Patel with the method/system of Rosauer and Williams to include and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization. One would have been motivated to remediate or mitigate cyber-related operability issues (Patel, [0004]).

Regarding claim 13, Rosauer, Williams and Patel disclose the apparatus of claim 12.  
Rosauer further discloses wherein the computer-executable instructions to predict the updated temporal score comprise computer-executable instructions, when executed by the processor, further cause the apparatus to: retrieve, from an industry standard scoring system and by a computing device and for a vulnerability, the temporal score based on the pre-revision version of the scoring system (Rosauer, [0171] & FIG 28, describes retrieving from an industry standard scoring system and by a computer and for the vulnerability, the score based on time based on the pre-revision version of the scoring system because price risk relationship 2800 results from conventional modeling practices in the insurance industry. Because these conventional models are perceived as requiring explainability and they are based upon the analysis of too few risk factors, the price-risk relationship is often keyed to a midrange pricing point 2802). 

Regarding claim 14, claim 14 is directed to the apparatus of claim 13. Claim 14 is similar in scope to claim 11 and is therefore rejected under the same rationale.

Regarding claim 15, Rosauer, Williams and Patel disclose the apparatus of claim 12. 
Rosauer further discloses wherein the machine learning model utilizes a gradient boosting technique, (Rosauer, [0086] & FIG 4, describes wherein the machine learning model uses a gradient boosting technique because the process library 312 may be provided as an expert system that contains rules for analysis of the data. Experts in these fields and experts in the field of model building may be consulted to provide options for ensemble building, and these options may be provided as a system of expert rules. This is particularly useful in the development of relationships or associations among the various parts of the ensemble. Pattern 400 constitutes a temporal boost. In this case, industry experts are consulted to identify underwriting parameters that foment rules 402, 404, 406 constituting predetermined parameters to boost long, short, and medium term policy financial results)

Regarding claim 16, claim 16 is directed to the apparatus of claim 12. Claim 16 is similar in scope to claim 2 and is therefore rejected under the same rationale.

Regarding claim 17, Rosauer, Williams and Patel disclose the apparatus of claim 16. 
Rosauer further discloses wherein the computer-executable instructions, when executed by the processor, further cause the apparatus to: determine one or more of whether the mitigation may be automatically rolled out to all enterprise assets, or whether the applying of the mitigation is reversible, (Rosauer, [0088] & FIG 4, describes determining one or more of whether the mitigation may be automatically rolled out to all enterprise assets or whether the applying of the mitigation is reversible because pattern 424 is a feature extractor that contains a lookup pre-processor 426. The lookup pre-processor 426 accesses external data 114 to provide or report from derived data 428, which has been obtained as described above. This data receives special handling to form ensembles in an expert way according to a predetermined set of derived data rules 428)

Regarding claim 18, Rosauer, Williams and Patel disclose the apparatus of claim 12. 
Rosauer further discloses wherein the risk score is based on one of: (1) a first additive relationship between the temporal score and the mitigating factor score, (Rosauer, [0075], describes wherein the risk score is based on one of a first additive relationship between the score based on time and the mitigating factor score because subpopulations of dataset 108 may be further limited to types of violations, such as speeding or running a red light, and as particular geography, such as a residence in a particular state or city. According to this strategy, a target variable is reported on the basis of a parameter that operates as a filter. The target data may be reported into additive components, such as physical damage of loss and assessment of liability, for example, where a driver may have had an accident that caused a particularly large loss, but the driver was not at fault)
(2) a second additive relationship between the temporal score and an exponential decay value of the mitigating factor score, (Rosauer, [0163], describes a second additive relationship between the score based on time and an exponential decay value of the mitigating factor score because sources of external data may be continuously updated, so this preprocessing based upon a call from the ensemble to perform data enrichment and preprocessing is one way to update the predictive accuracy of the model as time progresses after model development)
or (3) a product of the temporal score and an exponential decay value of the mitigating factor score, (Rosauer, [0087], FIG 4, describe a product of the temporal score and an exponential decay value of the mitigating factor score because pattern 412 addresses a sequencer analysis. Historical risk values, such as those for loss ratio field 414, may be time-segregated to ascertain the relative predictive value of the most current information versus older data. The sequencer provides a temporal abstract that may shift a variable over time. This feature may be used to search for lagging variables in a dataset, such as prior claim history)

Regarding claim 19, Rosauer discloses one or more non-transitory computer-readable media storing instructions that, when executed by a computing device, cause the computing device to:
retrieve, from an industry standard setting scoring system and by a computing device and for a vulnerability, a temporal score based on a pre-revision version of a scoring system; (Rosauer, [0096] & FIG 9, describe retrieve, from an industry standard setting scoring system and by a computer and for a vulnerability, a score based on time based on a pre-revision version of a scoring system because these may be stratified as a histogram, for example, by scoring relative risk according to decile 904)
update, based on a machine learning model and by the computing device and for the vulnerability, the temporal score based on the pre-revision version to an updated temporal score based on a post-revision version of the scoring system; (Rosauer, [0094] & FIG 1 describes update, based on a machine learning model and by a computer and for the vulnerability, the score based on time based on the pre-revision version to an updated score based on time based on a post-revision version of the scoring system because algorithms are provided as natural intelligent learning algorithms may be used to train themselves from the raw data of dataset 108, or by use of interim calculation results)
determine, by the computing device and for the vulnerability, a mitigating factor score, wherein the mitigating factor score is indicative of a mitigation applied to the vulnerability by an enterprise organization, (Rosauer, [0076] & FIG 1 describe determine, by the computer and for the vulnerability, a mitigating factor score, wherein the mitigating factor score is indicative of a mitigation applied to the vulnerability by an enterprise organization because the pattern recognition engine 126 selects and combines statistically significant data fields by performing statistical analysis, such as a multivariate statistical analysis, relating these data fields to a risk value under study. Generally, the multivariate analysis combines the respective data fields using a statistical processing technique to stratify a relative risk score and relate the risk score to a risk value under study)
and wherein the mitigating factor score is based on (1) an effectiveness measure indicative of a success of the mitigation, (2) a completeness measure indicative of a percentage of total enterprise assets that the mitigation has been applied to, and (3) an enforcement measure indicative of a success in enforcing the mitigation; (Rosauer, [0076], FIG 1, describes and wherein the mitigating factor score is based on an effectiveness measure indicative of a success of the mitigation, a completeness measure indicative of a percentage of total enterprise assets that the mitigation has been applied to and an enforcement measure indicative of a success in enforcing the mitigation because pattern recognition engine 126 selects and combines statistically significant data fields by performing statistical analysis, such as a multivariate statistical analysis, relating these data fields to a risk value under study. Generally, the multivariate analysis combines the respective data fields using a statistical processing technique to stratify a relative risk score and relate the risk score to a risk value under study)
generate, by the computing device and for the vulnerability, a risk score, wherein the risk score is a composite of the updated temporal score and the mitigating factor score; (Rosauer, [0087] & FIG 4, describes generate, by the computer and for the vulnerability, a risk score wherein the risk score is a composite of the updated temporal score and the mitigating factor score because the aggregator 416 operates upon prior history to roll up or accumulate extracted values over a predetermined time interval)
determine, based on the risk score for the vulnerability, an enterprise risk score for the enterprise organization, wherein the enterprise risk score is an aggregate of risk scores for vulnerabilities in a collection of vulnerabilities, (Rosauer, [0124], describes determine based on the risk score for the vulnerability, an enterprise risk score for the enterprise organization, wherein the enterprise risk score is an aggregate of risk score for vulnerabilities in a collection of vulnerabilities because the relative risk score may be, for example, an overall change of incurring a loss as predicted by an ensemble and scaled to a range of 0 to 100 on the basis of the model output a histogram or frequency distribution of this predictive value) and
display, via a graphical user interface, the enterprise risk score, (Rosauer, [0159], Figures 1 & 17, describes display via a graphical user interface the enterprise risk score because modeling desktop 2014 is a user interface that facilitates model development, for example, according to processes shown in FIG.1. This type of desktop may be used by the respective masters and workers of FIG.17).
Rosauer fails to explicitly disclose wherein the mitigating factor score is increased responsive to a determination that the mitigation is able to automatically be rolled out to enterprise assets of the enterprise organization, and wherein the mitigation factor score is increased responsive to a determination that the mitigation is irreversible;  and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization.
However, in an analogous art, Williams discloses wherein the mitigating factor score is increased responsive to a determination that the mitigation is able to automatically be rolled out to enterprise assets of the enterprise organization, (Williams, [0004], [0167], [0166], 1900, FIG 19 shows the mitigation score is increased responsive to a determination that the mitigation is able to be rolled out to enterprise assets of the enterprise organization)
and wherein the mitigation factor score is increased responsive to a determination that the mitigation is irreversible;  (Williams, [0004], [0154]-[0155]; [0157]-[0159] describe wherein the mitigation maturity score is increased responsive to a determination that the mitigation is irreversible)
and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization, (Williams, [0004], [0132], FIG 7, FIG 26, [0042] describes and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Williams with the method/system of Rosauer to include wherein the mitigating factor score is increased responsive to a determination that the mitigation is able to automatically be rolled out to enterprise assets of the enterprise organization, and wherein the mitigation factor score is increased responsive to a determination that the mitigation is irreversible; and wherein the collection of vulnerabilities is indicative of vulnerabilities associated with the enterprise organization. One would have been motivated to manage risk by computing an organizational maturity score based on the ability of the organization to mitigate the actions of the potential threat and recover from a given scenario (Williams, [0004]).
Rosauer and Williams fail to explicitly disclose and automatically roll out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization.
However, in an analogous art, Patel discloses and automatically roll out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization, (Patel, [0088], [0019], [0157], describe and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Patel with the method/system of Rosauer and Williams to include and automatically rolling out the mitigation applied to the vulnerability to one or more of the enterprise assets of the enterprise organization. One would have been motivated to remediate or mitigate cyber-related operability issues (Patel, [0004]).

Regarding claim 20, Rosauer, Williams and Patel disclose the one or more non-transitory computer-readable media of claim 19. 
Rosauer further discloses wherein the machine learning model utilizes a gradient boosting technique, (Rosauer, [0086] & FIG 4 describes wherein the machine learning model uses a gradient boosting technique because the process library 312 may be provided as an expert system that contains rules for analysis of the data. Experts in these fields and experts in the field of model building may be consulted to provide options for ensemble building, and these options may be provided as a system of expert rules. This is particularly useful in the development of relationships or associations among the various parts of the ensemble. Pattern 400 constitutes a temporal boost. In this case, industry experts are consulted to identify underwriting parameters that foment rules 402, 404, 406 constituting predetermined parameters to boost long, short, and medium term policy financial results)



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached at (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES J WILCOX/           Examiner, Art Unit 2439 



/LUU T PHAM/           Supervisory Patent Examiner, Art Unit 2439