DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In communications filed on 09/08/2022, claims 16, 9, 14, and 17 are amended. Claims 1-20 are pending in this examination.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This examination is in response to US Patent Application No. 16/859,632.
Examiner notes

Applicant is encouraged to review the relevant references mentioned at the conclusion section of this office action and PTO-892 Notice of References Cited filed with this office action.
Applicant’s amendment to independent claim 17 obviates the previously raised 35 U.S.C. 101 rejection of claims 17-20.
Response to Argument
Applicant’s arguments with respect to independent claims for newly added limitation have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
First Set of Rejections:

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. (US2017/0171235) (corresponds to EP3179696 filed in IDS 01/12/2022) issued to Mulchandani and in view of US Patent No. (US11,283,824) issued to Berger.
Regarding claims 1 and 9, Mulchandani discloses a method for monitoring and assessing an overall cybersecurity posture level of an operation technology environment to increase said level when the level is determined to be below a setpoint value for the operation technology environment, the method comprising [¶17, this specification describes systems, methods, and computer programs for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. For example, an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain. A connected security system can include multiple components that process data related to the attacks, provide visualization data related to the attacks, and implement courses of action based on the attacks (e.g. to mitigate the attacks). The underlying components may utilize a common framework, or protocol based on a framework or set of standards, to share information. For example, the underlying components may use a predefined data structure that includes multiple different data constructs to share the information], and [¶¶18-26], and [¶56, the event management module 130 generates an incident data construct 135 for each identified anomalous and/or malicious activity path that has a risk score that satisfies a specified threshold (e.g., by meeting or exceeding the threshold) (equated to setpoint)], and [¶¶57-58]; and
receiving metrics data for a corresponding one of each of a plurality of cybersecurity posture indices (CPI) for the operation technology environment [¶¶45-51, the event management module 130 can receive IT activity data 163 that includes event/alert data from the IT network 161 and can receive operational technology (OT) activity data 167 that includes event/alert data from the OT network 165… The IT activity data 163 and the OT activity data 167 can include event and/or alert data… The event management system 130 can receive the IT activity data 163 and the OT activity data 167, and can standardize, filter, aggregate, and correlate the data to detect anomalies and potentially malicious activity associated with multi-stage, multi-domain attacks…  Upon receiving the IT activity data 163 and the OT activity data 167, the event management module 130 can use a filter 131 to filter the data….  After aggregating the event/alert data, for example, aggregated data can be provided by the aggregator 132 to a correlator 133. 
In general, the event management module 130 can use the correlator 133 to generate a chain of events/alerts that may correspond to a threat scenario…], and [¶¶56-62, the event management module 130 generates an incident data construct 135 for each identified anomalous and/or malicious activity path that has a risk score that satisfies a specified threshold (e.g., by meeting or exceeding the threshold) … The indicator data constructs 136 can include data describing observable patterns (e.g., attack patterns) identified by the event management module 130… The indicator data construct 136 can include one or more observable data constructs… The actor data constructs 137 can include data describing potential malicious actors that may cause security incidents… The event management module 130 can generate an actor construct for any newly identified actors, e.g., found in the IT activity data 163 and/or the OT activity data 167…  The event management module 130 can transmit the incident data constructs 135, the indicator data constructs 136, and/or the actor data constructs 137 to the threat intelligence module 120…], and [¶¶75-76, determine a risk score]; and
determining a cybersecurity posture index (CPI) value for each of the plurality of cybersecurity posture indices (CPI) based on the metrics data [¶56, the event management module 130 generates an incident data construct 135 for each identified anomalous and/or malicious activity path that has a risk score that satisfies a specified threshold (e.g., by meeting or exceeding the threshold) (equated to setpoint)], and [¶¶75-76, …Risk scores for a particular kind of risk or particular outcome…The threat intelligence module 120 can use the threat data 175 and the data constructs received from the event management module 130 to determine a risk score for one or more potential outcomes and based on one or more threat paths. The threat intelligence module 120 can use the risk scores and threat data to determine and prioritize courses of action to mitigate the risk(s)…], and [¶¶95-98, …determine the risk associated with particular business processes and outcomes… The summary data 204 includes a risk score that indicates the likelihood of the outcome occurring (i.e. 69%), the top targeted process that could lead to the outcome (i.e., PI Data Store), the top COAs and advisories (i.e., 21), and the number of detected security events (i.e., 237) … The user interface 300 includes a risk score for each actor that contributed to the overall risk score for the outcome operation disruption….], and [¶¶98-100]; and
generating a notification message, including image rendering data and commands; and sending the notification message to a computer resource asset to render an image of a snapshot cybersecurity posture level for at least one of the plurality of cybersecurity posture indices (CPIi) [¶¶97-101, see FIG. 3, … The example user interface 200 includes details related to threat actors that contribute to the risk of a particular outcome (operation disruption) … The user interface 300 includes a risk score for each actor that contributed to the overall risk score for the outcome operation disruption. The risk score for each actor indicates the likelihood that the actor will cause the outcome if not mitigated. The overall risk score for the outcome operation disruption is based on each of the risk scores. For example, the overall risk score may be the sum, average, or weighted average of the risk scores for each of the actors…], and [see FIGS. 4-7 and corresponding text for more detail, disclosing the display of the (overall) risk scores, presented on a screen of a display].
 Mulchandani does not explicitly disclose, however, Berger discloses  comparing each CPIi value to a respective threshold CPI-TH;  if a given CPIi value is less than or equal to the respective threshold CPI-TH, modifying the given CPIi value; if the given CPIi value is greater than the respective threshold CPI-TH, generating a notification message, including image rendering data and commands[Col. 16 lines 3-23,  At block 725, the cybersecurity unit 140 or some other component of the cybersecurity assessment system 120 may adjust the initial scores for various cybersecurity factors based on scan data associated with the corresponding cybersecurity factor. In some embodiments, scores may be adjusted between a minimum and maximum threshold, such as 0 and 1 respectively. To determine the specific adjustment to be made for a particular cybersecurity factor, cybersecurity unit 140 may access scan data that relates to the cybersecurity factor, perform a rules-based analysis of the scan data, and generate a specific adjustment. In some embodiments, the rules-based analysis may be implemented as a series of rules, applied in a predetermined or dynamically determined sequence, in which a data value is evaluated to determine whether the data value satisfies a threshold or range for the particular data value. If the data value satisfies the criterion (or criteria) for a given rule, then the rules-based analysis may specify a particular outcome or additional rule to be applied; otherwise, the analysis may specific a different outcome or rule to be applied (modifying the rules which will generate different score or value)], and [Col.17. lines 4-15, In block 730, the cybersecurity assessment system may generate an overall score to represent the overall cybersecurity posture of the target network 100. As shown in overall score 866 in FIG. 8, the adjusted scores of each individual control in list 862 are summed to generate the overall score 866. 
In some embodiments, the overall score may be a numerical value between a minimum and maximum threshold, such as 0 and 100 respectively. In this example, 0 indicates that no cybersecurity factor or control has been satisfied, and 100 indicates successful compliance with all cybersecurity factors for the current cybersecurity assessment framework].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Lerner with the teaching of Mastering in order to provide a cybersecurity assessment system for monitoring, assessing, and addressing the cybersecurity status of a target network. The cybersecurity assessment system can analyze the scan data and determine a degree to which the current status of the target network satisfies a particular cybersecurity readiness standard [Berger, Abstract].
Regarding claims 2, and 10, Mulchandani discloses further comprising: effectuating remediation based on the overall cybersecurity posture level of the operation technology environment [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…].
Regarding claims 3, and 11, Mulchandani discloses further comprising: effectuating remediation based on the snapshot cybersecurity posture level [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…].
Regarding claims 4, and 12, Mulchandani discloses wherein the snapshot cybersecurity posture level includes a near-real-time (NRT) snapshot cybersecurity posture level [ See FIGS 4-7 and corresponding text for more details, ¶¶99-107, The graph 502 presents the number of security events detected over time. In this example, the graph 502 presents the number of security event detected for an IT network, e.g., the IT network 161 of FIG. 1, and the number of security events detected for an OT network, e.g., the OT network 165 of FIG. 1…The example user interface 600 includes a graph 602 that presents the relative number of security events detected for particular sources over time. In this example, the size of the graph 600 covered by a particular source indicates the number of security events detected for a particular time period. The user interface 600 includes a selectable timeline 604 that allows a security administrator to select the time period for which data should be presented in the graph 600].
Regarding claims 5, and 13, Mulchandani discloses wherein the overall cybersecurity posture level of the operation technology environment includes a near-real-time (NRT) snapshot overall cybersecurity posture level [ See FIGS 4-7 and corresponding text for more details, ¶¶99-107, The graph 502 presents the number of security events detected over time. In this example, the graph 502 presents the number of security event detected for an IT network, e.g., the IT network 161 of FIG. 1, and the number of security events detected for an OT network, e.g., the OT network 165 of FIG. 1…The example user interface 600 includes a graph 602 that presents the relative number of security events detected for particular sources over time. In this example, the size of the graph 600 covered by a particular source indicates the number of security events detected for a particular time period. The user interface 600 includes a selectable timeline 604 that allows a security administrator to select the time period for which data should be presented in the graph 600].
Regarding claims 6, and 14, Mulchandani discloses wherein said snapshot cybersecurity posture level comprises a near-real-time (NRT) snapshot cybersecurity posture level for at least one of: a number of users authorized access to the operation technology environment; a network security level for the operation technology environment; a number cyber awareness sessions performed on the operation technology environment; a number of cyber drills performed on the operation technology environment; a number of cybersecurity incidents in the operation technology environment; a patch compliance ratio for computer resource assets in the operation technology environment; a backup availability ratio for computer resource assets in the operation technology environment; and an endpoint security compliance ratio for computer resource assets in the operation technology environment [¶60-70, The actor data constructs 137 can include data describing potential malicious actors that may cause security incidents. For example, the actor data constructs 137 can include fields for data identifying the actor and/or data that characterize the actor. The actor data constructs 137 can also include data regarding the suspected motivation of the actor, the suspected intended effect of security incidents or attack patterns caused by the actor, historically observed tactics, techniques, and procedures (TTPs) used by the actor historical campaigns believed to be associated with the actor, other actors believed to be associated with the actor, confidence in the characterization of the actor, the source of the data regarding the actor, and/or other appropriate data regarding the actor. The event management module 130 can generate an actor construct for any newly identified actors, e.g., found in the IT activity data 163 and/or the OT activity data 167. 
For example, when the event management module 130 identifies a security event in the IT activity data 163 and/or the OT activity data 167, the event management module 130 may generate an actor data construct 137 for the actor associated with the security event…], and [¶91,The Sankey diagram 202 shows a visual representation of the magnitude of flow between nodes in a network, such as the IT network 161 and/or the OT network 165 of FIG. 1. In particular, the Sankey diagram 202 illustrates the flow between particular threats to particular outcomes for an organization. Going from right to left, the Sankey diagram 202 illustrates IT assets and OT assets of the organization that the particular threats, and threat actors, can affect. A link between a particular threat and/or threat actor and a particular asset indicates that the particular threat may affect the particular asset. For example, the Sankey diagram 202 includes links between NetTraveler and a SCADA, a PI Historian, and an Asset Management system…].
Regarding claims 7, and 15, Mulchandani discloses wherein effectuating remediation comprises fixing a vulnerability on a computer resource asset in the operation technology environment [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…].
Regarding claims 8, and 16, Mulchandani discloses wherein effectuating remediation comprises guiding, on said computer resource asset, mitigation of a vulnerability on a different computer resource asset in the operation technology environment [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…].
Regarding claim 17, this claim is interpreted and rejected for the same rationale set forth in claim 1.
Regarding claim 18, Mulchandani discloses wherein the cybersecurity assessment and remediation (CPAR) stack comprises at least one of: a cybersecurity incidence level metrics (CILM) unit; a backup Availability Ratio Metrics (BARM) unit; a Patch Compliance Ratio Metrics (PCRM) unit; an Endpoint Compliance Ratio Metrics (ECRM) unit; a Network Security Level Metrics (NSLM) unit; a Security Awareness Level Metrics (SALM) unit; and a Drill Compliance Level Metrics (DCLM) unit [¶¶97-101, see FIG. 3, … The example user interface 200 includes details related to threat actors that contribute to the risk of a particular outcome (operation disruption) … The user interface 300 includes a risk score for each actor that contributed to the overall risk score for the outcome operation disruption. The risk score for each actor indicates the likelihood that the actor will cause the outcome if not mitigated. The overall risk score for the outcome operation disruption is based on each of the risk scores. For example, the overall risk score may be the sum, average, or weighted average of the risk scores for each of the actors…], and [see FIGS. 4-7 and corresponding text for more detail, disclosing the display of the (overall) risk scores, presented on a screen of a display].
Regarding claim 19, Mulchandani discloses the system further comprising: an operation technology key performance index mitigation unit arranged to effectuate remediation of a vulnerability on a computer resource asset in the operation technology environment to increase said snapshot cybersecurity posture level for the at least one of the plurality of cybersecurity posture indices (CPi) [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…]
Regarding claim 20, Mulchandani discloses, wherein the effectuate remediation comprises guiding remediation of the vulnerability on the computer resource asset [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…].

Second Set of Rejections:
Claims 1-3, 6-11, and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. (US2016/0359895) (filed in IDS 01/12/2022) issued to Chiu and in view of US Patent No. (U2018/0124091) issued to Sweeney.
Regarding claims 1, and 9, Chiu discloses  a method for monitoring and assessing an overall cybersecurity posture level of an operation technology environment to increase said level when the level is determined to be below a setpoint value for the operation technology environment, the method comprising [¶42,  FIG. 1 illustrates an example scenario 100 in which cybersecurity analysis can be provided for operational technologies and information technologies, in accordance with an embodiment of the present disclosure. It should be understood that all examples herein are provided for illustrative purposes and that many variations are possible. In the example scenario 100, an example cybersecurity analysis module 102 can be configured to acquire data from operational technologies and information technologies in an energy delivery network or system. Based on the acquired data, the cybersecurity analysis module 102 can facilitate providing cybersecurity analysis based on operational technologies and information technologies in the energy delivery network], and [Abstract, ¶¶18-20, …  a supervisory control and data acquisition (SCADA) command and control service… the collection of services can include at least one of a phone service, a meter data management service, a customer information service, a geographic information service, a work management service, an enterprise asset management service, a smart meter head end service, an energy management service, a demand management service, an outage management service, a customer care and billing service, an enterprise communications service, or a threat and vulnerability detection library service], and [¶68, impact metrics are generated with regards to threshold of reliability]; and
receiving metrics data for a corresponding one of each of a plurality of cybersecurity posture indices (CPI) for the operation technology environment [¶4, acquire sets of data, from a plurality of energy delivery network components, permitting the generation of a first and a second metric of cybersecurity], and [¶41, A first metric indicating a likelihood that a particular network component, from the plurality of network components, is affected (i.e., is currently affected, has been affected, may be affected, and/or will be affected, etc.) by one or more cyber vulnerabilities can be generated based on the first set of data. A second set of data can be acquired from a second group of data sources including a collection of services associated with the energy delivery network. A second metric indicating a calculated impact to at least a portion of the energy delivery network when the one or more cyber vulnerabilities affect the particular network component can be generated based on the second set of data. A third metric indicating an overall level of cybersecurity risk associated with the particular network component can be generated based on the first metric and the second metric], and [¶¶51-52, 58-60]; and
determining a cybersecurity posture index (CPI) value for each of the plurality of cybersecurity posture indices (CPI) based on the metrics data [¶¶4-5, acquire a first set of data from a first group of data sources including a plurality of network components within an energy delivery network. A first metric indicating a likelihood that a particular network component, from the plurality of network components, is affected by one or more cyber vulnerabilities can be generated based on the first set of data. A second set of data can be acquired from a second group of data sources including a collection of services associated with the energy delivery network. A second metric indicating a calculated impact to at least a portion of the energy delivery network when the one or more cyber vulnerabilities affect the particular network component can be generated based on the second set of data. A third metric indicating an overall level of cybersecurity risk associated with the particular network component can be generated based on the first metric and the second metric. A plurality of third metrics including the third metric indicating the overall level of cybersecurity risk associated with the particular network component can be generated. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The plurality of network components can be ranked based on the plurality of third metrics to produce a ranked list of network components. At least a portion of the ranked list of network components can be provided to an energy provider that utilizes the energy delivery network], and [¶¶41, 52-59, 61-62 (cyber vulnerability metric)]; and
generating a notification message, including image rendering data and commands; and sending the notification message to a computer resource asset to render an image of a snapshot cybersecurity posture level for at least one of the plurality of cybersecurity posture indices (CPIi)[¶¶71-73, FIG. 5 illustrates an example screenshot 500 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. The example screenshots 500 shows an example interface for providing cybersecurity analysis based on operational technologies and information technologies…  a set of visualizations (e.g., graphical elements) for a set of network components identified in the ranked list of network components can be generated. The example interface can further provide an interface portion 508 that presents the generated set of visualizations for the set of network components identified in the ranked list of network components. Each visualization in the set of visualizations can represent a corresponding network component in the set of network components. In some instances, each visualization can be presented in association with a particular color determined based on at least one of a ranking for the corresponding network component or a corresponding overall level of cybersecurity risk associated with the corresponding network component. Again, the example screenshots 500 and other examples herein are provided for illustrative purposes and it is contemplated that many variations are possible].
Chiu  does not explicitly disclose, however, Sweeney discloses comparing each CPIi value to a respective threshold CPI-TH; if a given CPIi value is less than or equal to the respective threshold CPI-TH, modifying the given CPIi value; if the given CPIi value is greater than the respective threshold CPI-TH, generating a notification message, including image rendering data and commands [see claim 20,  The system of claim 14, wherein the processor is further configured to compare the cyber risk indicator index to a pre-determined threshold], and [¶79,  The cyber risk indicator index score can then optionally be reported to a user and/or a user interface. According to one embodiment, the determined cyber risk indicator index score may be reported as a number or other format to a user through a user interface, or can be communicated to the user via a wired and/or wireless communications network. For example, the score may be communicated as a report, an email, a text message, a haptic indicator, a visual indicator, and/or an audible indicator, or any of a wide variety of other indications or communications. As another example, the score can be compared or normalized to a reporting mechanism such as a constant display or other user interface. When the score is below a predetermined threshold, the display reports the information, such as by displaying the color green. When the score exceeds a predetermined threshold, the display reports the information to the user, such as by displaying the color red. 
Many other displays and/or notification systems and methods are possible], and [¶80,  Alternatively or in addition to reporting the cyber risk indicator index score to a user, the system can be designed or configured to automatically process the cyber risk indicator index score in order to perform an Information Technology orchestration automation, implement an additional compliance rule, adapt the acceptable risk index score thresholds, or automatically produce alerts of risk rule violations via e-mail, text, or perform any other action as necessary. For example, according to an embodiment the system can take one or more preprogrammed preventative actions based on the score, such as inactivating a system or sub-system, blocking and/or inactivating a communications network, changing or deleting permissions, or any of a wide variety of other actions.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chiu with the teaching of Sweeney in order to assess a cyber security risk and provide an automated, continuous cyber security risk assessment measurement [Sweeney, Abstract, ¶1].
Regarding claims 2, and 10, Chiu discloses further comprising: effectuating remediation based on the overall cybersecurity posture level of the operation technology environment [ ¶56, Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].
Regarding claims 3, and 11, Chiu discloses further comprising: effectuating remediation based on the snapshot cybersecurity posture level [ ¶56, Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].
Regarding claims 6, and 14, Chiu discloses wherein said snapshot cybersecurity posture level comprises a near-real-time (NRT) snapshot cybersecurity posture level for at least one of: a number of users authorized access to the operation technology environment; a network security level for the operation technology environment; a number of cyber awareness sessions performed on the operation technology environment; a number of cyber drills performed on the operation technology environment; a number of cybersecurity incidents in the operation technology environment; a patch compliance ratio for computer resource assets in the operation technology environment; a backup availability ratio for computer resource assets in the operation technology environment; and an endpoint security compliance ratio for computer resource assets in the operation technology environment[ ¶¶62-64,  analyzing the detected network traffic can include utilizing at least one of a syntax (or rule-based) indicator, a computed (or analytical) indicator, and/or an advanced behavioral indicator, etc. Moreover, the likelihood that the particular network component is affected by the one or more cyber vulnerabilities can be calculated, by the vulnerability metric module 306, based on the at least one of the syntax indicators, the computed indicator, or the advanced behavioral indicator…  the cyber vulnerability module 302 can identify patterns and develop rules or syntax indicators for detecting illegitimate activities…, the cyber vulnerability module 302 can perform analytics and/or detect computed indicators. For example, if the cyber vulnerability module 302 detects protocol anomalies, unexpected device appearances, unexpected MAC addresses, unauthorized access attempts, and/or unexpected privilege escalations (e.g., a user unexpectedly attempting to perform an unpermitted task), etc…, the cyber vulnerability module 302 can detect advanced behavior indicators. 
For example, if the cyber vulnerability module 302 detects unexpected bandwidth spikes, unexpected CPU usage spikes, a command received at an unexpected time, and/or a trust boundary violation, then the first metric can be increased….  the syntax indicator can be based on analysis of at least one of an Internet Protocol (IP) address associated with the detected network traffic or an email address associated with the detected network traffic…], and [¶¶69-70], and see claim 15,  wherein the first group of data sources further includes at least one of a supervisory control and data acquisition (SCADA) command and control service, an enterprise firewall service, a log service, an intrusion prevention service, a security information and event management service (SIEM), or an intrusion protection service].
Regarding claims 7, and 15, Chiu discloses wherein effectuating remediation comprises fixing a vulnerability on a computer resource asset in the operation technology environment [ ¶56, Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].
Regarding claims 8, and 16,  Chiu discloses wherein effectuating remediation comprises guiding, on said computer resource asset, mitigation of a vulnerability on a different computer resource asset in the operation technology environment[ ¶56,  Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].
Regarding claim 17, this claim is interpreted and rejected for the same rationale set forth in claim 1.
Regarding claim 18, Chiu discloses wherein the cybersecurity assessment and remediation (CPAR) stack comprises at least one of: a cybersecurity incidence level metrics (CILM) unit; a backup Availability Ratio Metrics (BARM) unit; a Patch Compliance Ratio Metrics (PCRM) unit; an Endpoint Compliance Ratio Metrics (ECRM) unit; a Network Security Level Metrics (NSLM) unit; a Security Awareness Level Metrics (SALM) unit; and a Drill Compliance Level Metrics (DCLM) unit [¶¶71-73, FIG. 5 illustrates an example screenshot 500 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. The example screenshot 500 shows an example interface for providing cybersecurity analysis based on operational technologies and information technologies… a set of visualizations (e.g., graphical elements) for a set of network components identified in the ranked list of network components can be generated. The example interface can further provide an interface portion 508 that presents the generated set of visualizations for the set of network components identified in the ranked list of network components. Each visualization in the set of visualizations can represent a corresponding network component in the set of network components. In some instances, each visualization can be presented in association with a particular color determined based on at least one of a ranking for the corresponding network component or a corresponding overall level of cybersecurity risk associated with the corresponding network component. Again, the example screenshot 500 and other examples herein are provided for illustrative purposes and it is contemplated that many variations are possible].
Regarding claim 19,  Chiu discloses the system further comprising: an operation technology key performance index mitigation unit arranged to effectuate remediation of a vulnerability on a computer resource asset in the operation technology environment to increase said snapshot cybersecurity posture level for the at least one of the plurality of cybersecurity posture indices (CPi)[ ¶56,  Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. 
In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].
Regarding claim 20, Chiu discloses, wherein the effectuate remediation comprises guiding remediation of the vulnerability on the computer resource asset [ ¶56, Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].

Claims 4-5, and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. (US2016/0359895) issued to Lerner Chiu (filed in IDS 01/12/2022) and in view of US Patent No. (U2018/0124091) issued to Sweeney and further in view of US Patent No. (US10,210,470) issued to Datta (filed in IDS 04/27/2020).
Regarding claims 4, and 12, Chiu discloses wherein the snapshot cybersecurity posture level includes a near-real-time (NRT) snapshot cybersecurity posture level
Even though Chiu discloses this limitation as: [¶¶71-73, FIG. 5 illustrates an example screenshot 500 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. The example screenshot 500 shows an example interface for providing cybersecurity analysis based on operational technologies and information technologies…  a set of visualizations (e.g., graphical elements) for a set of network components identified in the ranked list of network components can be generated. The example interface can further provide an interface portion 508 that presents the generated set of visualizations for the set of network components identified in the ranked list of network components. Each visualization in the set of visualizations can represent a corresponding network component in the set of network components. In some instances, each visualization can be presented in association with a particular color determined based on at least one of a ranking for the corresponding network component or a corresponding overall level of cybersecurity risk associated with the corresponding network component. Again, the example screenshot 500 and other examples herein are provided for illustrative purposes and it is contemplated that many variations are possible].
Chiu and Sweeney do not explicitly disclose near-real-time snapshot, however, Datta discloses: [Abstract, Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter ], and [COL.15, lines 46-60 FIG. 4 shows an embodiment (400) of the invention in terms of the control hierarchy (401, 402, 403, 404, 405) associated with the monitored and controlled elements (MCE) of the enterprise-wide network. At each MCE (401, 402, 403, 404, 405), all of the messages relevant to that MCE are monitored and analyzed and control posture information is sent to all subscribing MCEs. This capability for monitoring, analyzing, and adjusting security and control postures is pervasively implemented for each MCE as a set of conceptually and structurally self-similar components (415).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chiu, and Sweeney with the teaching of Datta in order to implement enterprise business risk management. More particularly, the invention relates to pervasive, domain and situational-aware, adaptive, automated, and coordinated analysis and control of enterprise-wide computers, networks, and applications for mitigation of business and operational risks, including efficiency and effectiveness of business processes and enhancement of cyber security [Datta, COL. 1 lines 22-28].

Regarding claims 5, and 13, Chiu discloses wherein the overall cybersecurity posture level of the operation technology environment includes a near-real-time (NRT) snapshot overall cybersecurity posture level
Even though Chiu discloses this limitation as: [¶¶71-73, FIG. 5 illustrates an example screenshot 500 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. The example screenshot 500 shows an example interface for providing cybersecurity analysis based on operational technologies and information technologies…  a set of visualizations (e.g., graphical elements) for a set of network components identified in the ranked list of network components can be generated. The example interface can further provide an interface portion 508 that presents the generated set of visualizations for the set of network components identified in the ranked list of network components. Each visualization in the set of visualizations can represent a corresponding network component in the set of network components. In some instances, each visualization can be presented in association with a particular color determined based on at least one of a ranking for the corresponding network component or a corresponding overall level of cybersecurity risk associated with the corresponding network component. Again, the example screenshot 500 and other examples herein are provided for illustrative purposes and it is contemplated that many variations are possible].
Chiu and Sweeney do not explicitly disclose near-real-time snapshot, however, Datta discloses:
[Abstract, Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter ], and [COL.15, lines 46-60 FIG. 4 shows an embodiment (400) of the invention in terms of the control hierarchy (401, 402, 403, 404, 405) associated with the monitored and controlled elements (MCE) of the enterprise-wide network. At each MCE (401, 402, 403, 404, 405), all of the messages relevant to that MCE are monitored and analyzed and control posture information is sent to all subscribing MCEs. This capability for monitoring, analyzing, and adjusting security and control postures is pervasively implemented for each MCE as a set of conceptually and structurally self-similar components (415).
 It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chiu, and Sweeney with the teaching of Datta in order to implement enterprise business risk management. More particularly, the invention relates to pervasive, domain and situational-aware, adaptive, automated, and coordinated analysis and control of enterprise-wide computers, networks, and applications for mitigation of business and operational risks, including efficiency and effectiveness of business processes and enhancement of cyber security [Datta, COL. 1 lines 22-28].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Yampolskiy (US2016/0173521) [0091] At block 310, the scorecard system 200 compares the difference 308 to a cybersecurity difference threshold. The cybersecurity difference threshold can be set by a user of the scorecard system 200 or can be dynamically calculated based on processing performed by the scorecard system. When the scorecard system 200 detects that the difference 308 in overall cybersecurity risk score exceeds the cybersecurity difference threshold, the scorecard system 200 may generate an alert at block 312. In some embodiments, an alert comprises a user interface alert notification. In another embodiment, an alert comprises a real-time e-mail [ [0092] In some embodiments, rather than comparing the new calculated cybersecurity risk score for the entity to a previous score, new scores can be analyzed against the threshold without being compared to a previous score. For example, in some embodiments, the scorecard system 200 can calculate, for example on a periodic basis, updated cybersecurity risk scores for the entity based on data collected from the one or more data sources. The scorecard system 200 can then compare one or more of the updated cybersecurity risk scores to a threshold. In some embodiments, if the one or more updated cybersecurity risk scores is below the threshold, the scorecard system 200 can transmit, via the cybersecurity risk assessment portal, an alert. According to another embodiment, if the one or more updated cybersecurity risk scores are below the threshold, the scorecard system 200 can transmit, via the cybersecurity risk assessment portal, the one or more cybersecurity risk scores and an identification of one or more updated objectives to complete to improve the entity's cybersecurity risk score], and [0105] The method can also comprises generating an alert when the overall cybersecurity risk score exceeds a cybersecurity threshold. 
In another embodiment, the method can also comprises monitoring the one or more data in real time, wherein the alert is generated based, at least in part, on the real-time monitoring.

Yumer (US10,410,158) [ (6) In some embodiments, performing the security action may include using the cybersecurity risk score to derive a cost of insuring the entity against cyber-attacks. Additionally, or alternatively, the computer-implemented method may further include determining that the cybersecurity risk score is above a risk threshold. In such embodiments, performing the security action may include automatically increasing cybersecurity protection within the entity in response to determining that the cybersecurity risk score is above the risk threshold. (34) Additionally, calculation module 106 may extract a feature 402(1) (e.g., historical risk), a feature 402(2) (e.g., current risk), and a feature 402(3) (e.g., value) from information indicative of cybersecurity risk exposure 400. A prediction model 404 may then predict cybersecurity risk score 212 from features 402(1), 402(2), and 402(3) to determine a risk of entity 208 being attacked in the future. Cybersecurity risk score 212 may indicate a high risk to entity 208 based on information indicative of cybersecurity risk exposure 400. (38) In some embodiments, the systems described herein may include determining that cybersecurity risk score 212 is above a risk threshold, and performance module 108 may perform security action 214 by automatically increasing cybersecurity protection within entity 208 in response to determining that cybersecurity risk score 212 is above the risk threshold. In the example of FIG. 4, performance module 108 may update firewall security for entity 208 after determining cybersecurity risk score 212 is too high. In other examples, performance module 108 may prevent risky behavior of third-party entities by restricting access to entity 208. For example, performance module 108 may prevent a user who does not follow security policies from accessing sensitive data stored on entity 208].
VOLKOV (US2022/0159034) [ A method and a system of responding to a cybersecurity incident are disclosed. The method comprises: receiving incident data of at least one incident targeting a given computer system; analyzing the incident data of the at least one incident, including determining whether the at least one incident has been prevented before; in response to determining that the at least one incident has not been prevented yet in the given computer system, determining, based on the incident data, a threat severity of the at least one incident; and in response to the threat severity of the at least one incident exceeding a predetermined threat severity threshold, determining, based on the incident data, one or more responses to the at least one incident for responding thereto in the given computer system. [0070] Thus, in response to the threat severity of the given cybersecurity incident being lower than or equal to the predetermined threat severity threshold, the processor 401 can be configured to stop analyzing the incident data associated with the given cybersecurity incident without determining the automated incident response thereto. [0071] However, in response to the threat severity of the given cybersecurity incident exceeding the predetermined threat severity threshold, the processor 401 can be configured to proceed to step 140 for determining the automated incident response thereto. Step 140: In Response to the Threat Severity of the at Least One Incident Exceeding a Predetermined Threat Severity Threshold, Determining, by the Processor, Based on the Incident Data, One or More Responses to the at Least One Incident for Responding Thereto in the Given Computer System [0112] In accordance with the flowchart diagram of FIG. 3, at step 121, the processor 401 can be configured to determine that the first cybersecurity incident has not been prevented yet in the computer system and the host where it has been detected is not the sandbox.
Further, at step 130, the processor 401 can be configured to determine the threat severity of the first cybersecurity incident, that is the worm, which, in the present example, the processor 401 can be configured to determine as being high. Further, as the threat severity of the first cybersecurity incident may thus exceed the predetermined threat severity threshold being at a low level, for example, at step 150, the processor 401 can be configured to determine and cause execution of the respective automated incident response to the first cybersecurity incident. [0127] If the first cybersecurity incident originates from the privileged user account, the processor 401 can further be configured to compare the detection confidence level associated with the first cybersecurity incident (Confidence) (148) to a predetermined confidence level threshold (e.g. 80%). Further, if the processor 401 has determined that the detection confidence level is below the predetermined confidence level threshold, and also if the number of blocked privileged user accounts for the predetermined time is less than the N.sub.1 predetermined threshold number, the processor 401 can be configured to determine the respective automated incident response as blocking the privileged user account (143) at the corporate network level, in accordance with step 140 of the method 100 described above. However, if the number of blocked privileged user accounts for predetermined time exceeds the N.sub.1 predetermined threshold number, the processor 401 can be configured to cease to analyze the incident data associated with the first cybersecurity incident without determining the respective automated incident response thereto].
Kassoumeh (US10,546,135) (22) Embodiments also provide information and insight regarding a company's cybersecurity risk. For example, the system can generate and achieve reliable and timely questionnaires that can be used to evaluate cybersecurity risk levels of one or more companies, such as companies that have a relationship. The cybersecurity risk levels of a company can be used to classify a risk level of the company, provide a recommendation of one or more corrective actions to lower the cybersecurity risk level, calculate an overall cybersecurity risk score for the company, and/or generate an alert when the overall cybersecurity risk score exceeds a cybersecurity threshold. Additionally, the risk level of a company can be used to determine an industry cybersecurity percentile ranking for the company. Further still, the risk levels from multiple companies can be utilized to determine an aggregated calculated risk level for vendors for the company. A cybersecurity risk level can then be assigned to the company based on the aggregated calculated risk level for vendors for the company. (136) In some implementations, method 900 includes comparing the calculated cybersecurity risk level to a cybersecurity threshold; classifying the entity as high risk. An alert is generated when the overall cybersecurity risk score exceeds the cybersecurity threshold. Additionally, or alternatively, method 900 may include classifying the entity as high risk, medium risk, or low risk based on the calculated cybersecurity risk level.
Baikalov (US9,800,605) (28) In accordance with a preferred embodiment of the invention, normalization is preferably accomplished as a two-step process—classification and then normalization. First, raw risk scores may be classified by stack ranking the raw scores for each entity class (user, system and application). Next risk thresholds may be established to enable classifying the raw scores into discrete ranks or classification levels based upon percentages, where the discrete ranks reflect the enterprise's judgment as to the seriousness of the risks. Classification of risk scores by levels is useful for reporting and remediation within an entity class. Classification, however, may not enable risk scores of different entities to be compared or used directly to indicate an overall organizational risk. Accordingly, following classification raw scores are normalized by converting them to a normalized risk score. FIG. 8 illustrates the classification step of the process, and FIG. 9 illustrates the normalization step.
10. The method of claim 9, wherein said classifying comprises stack ranking raw risk scores, establishing threshold values for said discrete risk classification levels based upon percentages of distributions of said raw risk scores in said classification levels, and assigning said static risk and said inherent risk to classification levels based upon said static risk score and said inherent risk score, respectively.
17. The method of claim 16 further comprising comparing said normalized entity risk score to a predetermined threshold value to predict the risk of an attack within the computer infrastructure.
Mays (2013/0283336) [0062] With respect to the Group Security Policy KPI 118, an automated tool collects data settings that are system wide and controlled from the domain controllers (or manually configured in each computer in the case of a workgroup rather than a domain). Referring again to FIG. 2, the settings 116 of the Group Security Policies 118 are checked on each computer with the automated system 108 under analysis. In one example of the present embodiment the Group Security Policy KPI 118 is determined from ten groups of settings 116: policy enforcement, passwords, user accounts, auditing of security events, recovery console, interactive logon, system and devices, network access, network security and system cryptography, and illustrative but not exhaustive examples of each are provided supra. The findings are compared to a predefined cyber security profile for the automation system in question. Each setting 116 is given a score based on thresholds of the predefined cyber security profile, and the points in each group are added and an overall score is calculated and normalized on a 0-100% scale.
Pfleger de Aguiar (US2018/0136921) [0024] The method is implemented by the system of FIG. 8 or another system. For example, an industrial control system provides asset information to a server, such as a cloud server or a server of a government agency, a manager of industrial control systems, or manufacturer of industrial control systems. The server extracts asset characteristics and fits the model to the particular industrial control system and outputs a risk at a given time and an amount of time before increasing to a threshold level of risk, and/or predicted risk and timing. [0066] In another embodiment, a schedule to install a patch is transmitted. For example, the period before passing a threshold level of risk provides a schedule. The patch is scheduled for a time before the threshold level is reached. As another example, the operator of the asset or industrial control system inputs various planned asset and/or industrial control system downtimes. Based on the risk and state transition timing, the patching may be scheduled in one of the downtimes.
Lin (US10841338) [ Dynamic Rule Risk Score Determination in Cybersecurity Monitoring System, the present disclosure relates to a cybersecurity-monitoring system, method, and computer program for dynamically determining a rule's risk score based on the network and user for which the rule triggered…].
Volkov (US20220159034) [ ¶127, if the first cybersecurity incident originates from the privileged user account, the processor 401 can further be configured to compare the detection confidence level associated with the first cybersecurity incident (Confidence) (148) to a predetermined confidence level threshold (e.g. 80%). Further, if the processor 401 has determined that the detection confidence level is below the predetermined confidence level threshold, and also if the number of blocked privileged user accounts for the predetermined time is less than the N.sub.1 predetermined threshold number, the processor 401 can be configured to determine the respective automated incident response as blocking the privileged user account (143) at the corporate network level, in accordance with step 140 of the method 100 described above. However, if the number of blocked privileged user accounts for predetermined time exceeds the N.sub.1 predetermined threshold number, the processor 401 can be configured to cease to analyze the incident data associated with the first cybersecurity incident without determining the respective automated incident response thereto].
GILL(US20110126111) [ Method and Apparatus for Risk Visualization and Remediation].
Gilmore (US20180020021) [ COMPUTERIZED SYSTEM AND METHOD FOR PROVIDING CYBERSECURITY DETECTION AND RESPONSE FUNCTIONALITY].
Heckman (US20190207968) [ Methods and Systems for Providing an Integrated Assessment of Risk Management and Maturity for An Organizational Cybersecurity/Privacy Program].
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHAHRIAR ZARRINEH/Examiner, Art Unit 2496