DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is responsive to communication filed on 1/23/2026.
Claims 1-20 are subject to examination.
An IDS filed on 10/10/2023 has been considered and entered by the Examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-2, 6-7, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tsalakopoulous et al. U.S. Patent Publication # 2006/0184371 (hereinafter Tsal) in view of Vescio et al. U.S. Patent Publication # 2020/0050986 (hereinafter Vescio) further in view of Apger et al. U.S. Patent Publication # 2023/0139000 (hereinafter Apger)
With respect to claim 1, Tsal teaches a method, comprising:
-obtaining, by a computing device, a plurality of risk events (Paragraph 75, 77, 86-87)
-mapping, by the computing device, treatment actions to each of the plurality of the risk events (Paragraph 77-79, 86-87, 107-109)
-determining, by the computing device, an impact of the treatment actions on each of the plurality of the risk events (Fig. 11)(Paragraph 95, 105, 107-109);
determining, by the computing device, a probability (i.e. likelihood) of implementation of the treatment actions (Paragraph 95-97, 107-109)
-calculating, by the computing device, how the treatment actions affect other risk factors (Paragraph 130) based on the determining steps; and
-providing, by the computing device, a recommendation of optimal risk mitigation based on how the first treatment actions affect the other risk events (Paragraph 95-96)
Although Tsal teaches calculating, by the computing device, how the treatment actions affect other risk factors (Paragraph 130) but Tsal does not teach based on the determining steps and wherein each of the plurality of risk events is associated with a potential threat or a vulnerability to information technology infrastructure.
Vescio teaches obtaining by a computing device, a plurality of risk events (Paragraph 102, 103), wherein each of the plurality of risk events (i.e. residual risk reports, residual risk summary, implicit risk etc.)(Paragraph 102-105) is associated with a potential threat or a vulnerability to information technology infrastructure (i.e. a residual risk report may include breakdown of risks faced by each asset group of the business, in a risks per asset group includes risk scores for each systems for example, servers and apps, business networks, end user systems, terminals etc.)(Paragraph 102-103, 104); calculating, by the computing device, how the treatment actions affect other risk factors (Paragraph 68) based on determining, by the computing device, a probability of implementation of the treatment actions (Paragraph 65). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Vescio’s teaching in Tsal’s teaching to come up with calculating how the treatment actions affect other risk factors based on probability of implementations. The motivation for doing so would be to come up with and be ready with appropriate remedial action for corrective measure therefore the impact is minimized and controlled.
Although, Vescio teaches wherein each of the plurality of risk events (i.e. residual risk reports, residual risk summary, implicit risk etc.)(Paragraph 102-105) is associated with a potential threat or a vulnerability to information technology infrastructure (i.e. a residual risk report may include breakdown of risks faced by each asset group of the business, in a risks per asset group includes risk scores for each systems for example, servers and apps, business networks, end user systems, terminals etc.)(Paragraph 102-103, 104); Apger explicitly teaches wherein each of the plurality of risk events is associated with a potential threat or a vulnerability (i.e. plurality of event records wherein notable event record is indicative of a potential security threat associated with a respective entity on the computer network, wherein the notable event record contains an association of the respective entity with a risk object) to information technology infrastructure (i.e. computer network) (Paragraph 292, 301). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Apger’s teaching in Tsal and Vescio’s teaching to come up with having plurality of risk events is associated with a potential threat or a vulnerability to information technology infrastructure. The motivation for doing so would be to outputting the threat report for display to the user and the administrator to take corrective action beforehand.
With respect to claim 2,Tsal, Vescio and Apger teaches the method of claim 1, but Vescio further teaches wherein the calculating is a residual function to create an optimal plan of improvement of risk reduction (Paragraph 95-96)
With respect to claim 6, Tsal, Vescio and Apger teaches the method of claim 2, but Tsal further teaches wherein the residual function comprises a residual risk assessment which considers all possible scenarios of treatment actions subsequent to an implementation on the risk events (Paragraph 95-96, 104-105, 107-108)
With respect to claim 7, Tsal, Vescio and Apger teaches the method of claim 2, but Tsal further teaches further comprising obtaining a matrix characterization based on an association between the treatment actions to each of the plurality of the risk events, an impact of treatment action on a risk factor (Paragraph 111-113)
With respect to claim 20, Tsal teaches system comprising: a processor, a computer readable memory, one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions executable to: obtain, by a computing device, a plurality of risk events (Paragraph 75, 77, 86-87)
map, by the computing device, treatment actions to each of the plurality of the risk events (Paragraph 77-79, 86-87, 107-109)
determine, by the computing device, an impact of the treatment actions on each of the plurality of the risk events (Fig. 11)(Paragraph 95, 105, 107-109);
determine, by the computing device, a probability of implementation of the treatment actions (Paragraph 95-97, 107-109)
calculate, by the computing device, how a first treatment action on a first risk of the plurality of risk events affects other risk factors (Paragraph 130); and provide, by the computing device, a recommendation of optimal risk mitigation based on how the first treatment action on the first risk of the plurality of risk events affects the other risk events (Paragraph 95-96)
Although Tsal teaches calculating, by the computing device, how the treatment actions affect other risk factors (Paragraph 130) but Tsal does not teach based on the determining steps and wherein each of the plurality of risk events is associated with a potential threat or a vulnerability to information technology infrastructure.
Vescio teaches obtaining by a computing device, a plurality of risk events (Paragraph 102, 103), wherein each of the plurality of risk events (i.e. residual risk reports, residual risk summary, implicit risk etc.)(Paragraph 102-105) is associated with a potential threat or a vulnerability to information technology infrastructure (i.e. a residual risk report may include breakdown of risks faced by each asset group of the business, in a risks per asset group includes risk scores for each systems for example, servers and apps, business networks, end user systems, terminals etc.)(Paragraph 102-103, 104); calculating, by the computing device, how the treatment actions affect other risk factors (Paragraph 68) based on determining, by the computing device, a probability of implementation of the treatment actions (Paragraph 65); measure by the computing device, an effect of implementing the recommendation through a set of continual service improvement processes (i.e. first analysis and second analysis wherein if a second analysis of a business is conducted after a first analysis has been conducted and a first set of recommendations have been generated for a business, the threat likelihood values of the second analysis may include threat likelihood values representing changes in how attacks have been performed since the time the first recommendations were generated)(Paragraph 112-113) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Vescio’s teaching in Tsal’s teaching to come up with calculating how the treatment actions affect other risk factors based on probability of implementations. The motivation for doing so would be to come up with and be ready with appropriate remedial action for corrective measure therefore the impact is minimized and controlled.
Although, Vescio teaches wherein each of the plurality of risk events (i.e. residual risk reports, residual risk summary, implicit risk etc.)(Paragraph 102-105) is associated with a potential threat or a vulnerability to information technology infrastructure (i.e. a residual risk report may include breakdown of risks faced by each asset group of the business, in a risks per asset group includes risk scores for each systems for example, servers and apps, business networks, end user systems, terminals etc.)(Paragraph 102-103, 104); Apger explicitly teaches wherein each of the plurality of risk events is associated with a potential threat or a vulnerability (i.e. plurality of event records wherein notable event record is indicative of a potential security threat associated with a respective entity on the computer network, wherein the notable event record contains an association of the respective entity with a risk object) to information technology infrastructure (i.e. computer network) (Paragraph 292, 301). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Apger’s teaching in Tsal and Vescio’s teaching to come up with having plurality of risk events is associated with a potential threat or a vulnerability to information technology infrastructure. The motivation for doing so would be to outputting the threat report for display to the user and the administrator to take corrective action beforehand.
Claim(s) 4-5, 11-12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tsalakopoulous et al. U.S. Patent Publication # 2006/0184371 (hereinafter Tsal) in view of Vescio et al. U.S. Patent Publication # 2020/0050986 (hereinafter Vescio) further in view of Apger further in view of in view of Sahni et al. U.S. Patent Publication # 2024/0037476 (hereinafter Sahni)
With respect to claim 4, Tsal, Vescio and Apger teaches the method of claim 2, but fails to further teaches further comprising determining a factorization of the risk events.
Sahni teaches determining a factorization of the risk events (Paragraph 23-24). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Sahni’s teaching in Tsal, Vescio and Apger’s teaching to come up with determining a factorization of the risk events. The motivation for doing so would be to apply weights and see how the scale changes.
With respect to claim 5, Tsal, Vescio, Apger and Sahni teaches the method of claim 4, but Sahni further teaches wherein the factorization is a set of risks to determine and mitigate an impact on risk uncertainty of a treatment action (Paragraph 23-24).
With respect to claim 11, Tsal, Vescio, Apger and Sahni teaches the method of claim 2, but Tsal further teaches further comprising iteratively repeating the mapping step, determining steps and calculating step to learn how the treatment actions affect the other risk factors to further refine the recommendation of the optimal risk mitigation(Paragraph 111-113) but does not teach learning using machine learning.
Sahni teaches learning using machine learning (Paragraph 46). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Sahni’s teaching in Tsal, Vescio and Apger’s teaching to come up with calculating to learn using machine learning how the treatment actions affect the other risk factors to further refine the recommendation of the optimal risk mitigation. The motivation for doing so would be provide best/optimal solutions based on machine learning and AI that can form plans and to make decisions to achieve their goals.
With respect to claim 12, Tsal, Vescio, Apger and Sahni teaches the method of claim 2, but fails to further teaches wherein the computing device includes software provided as a service in a cloud environment. Sahni teaches wherein the computing device includes software provided as a service in a cloud environment (Paragraph 44). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Sahni’s teaching in Tsal, Vescio and Apger’s teaching to come up with using software provided as service in a cloud environment. The motivation for doing so would be so the computing device can be assess remotely and remedy can be provided remotely.
Claim(s) 13-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tsalakopoulous et al. U.S. Patent Publication # 2006/0184371 (hereinafter Tsal) in view of Sahni et al. U.S. Patent Publication # 2024/0037476 (hereinafter Sahni) further in view of Vescio
With respect to claim 13, Tsal teaches a computer program product comprising one or more computer readable storage media having program instructions collectively stored on the one or more computer readable storage media, the program instructions executable to:
-obtain a set of defined treatment actions (Paragraph 75, 77, 86-87)
-associate the set of defined treatment actions with a plurality of risk events (Paragraph 77-79, 86-87, 107-109)
-determine, for each for each of the plurality of risk events, a probability of implementation of the treatment action (Fig. 11)(Paragraph 95, 105, 107-109);
-calculate a residual risk assessment of the additional equivalence relation, the residual risk assessment considers all possible scenarios of treatment actions subsequent to an implementation on the risk events (Paragraph 130, 111-113)
generate a recommendation of a best scenario for optimal risk mitigation based on the residual risk assessment (Paragraph 95-96)
Tsal does not explicitly teach determine weights or risks vector (wor) comprising, for each of the plurality of risk events, a different impact on a final risk and determine a factorization of an additional equivalence relation on a set risks by grouping risks into risk event categories.
Sahni teaches determine weights or risks vector (wor) comprising, for each of the plurality of risk events, a different impact on a final risk (Paragraph 23-24) determine a factorization of an additional equivalence relation on a set risks by grouping risks into risk event categories (Paragraphs 25-28)
calculate a residual risk assessment utilizing the factorization (Paragraphs 26-28) of the additional equivalence relation, the residual risk assessment considers all possible scenarios of treatment actions subsequent to an implementation on the risk events (Paragraphs 26-29). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Sahni’s teaching in Tsal’s teaching to come up with determining weights for each risk events and a different impact on a final risk and calculating a residual risk assessment utilizing the factorization. The motivation for doing so would be to have overall score including distress indicators, therefore appropriate remedy can be implemented.
Tsal and Sahni does not teach wherein each of the plurality of risk events is associated with a potential threat or a vulnerability to information technology infrastructure.
Vescio teaches associate the set of defined treatment actions with a plurality of risk events (Paragraph 108-111) wherein each of the plurality of risk events (i.e. residual risk reports, residual risk summary, implicit risk etc.)(Paragraph 102-105) is associated with a potential threat or a vulnerability to information technology infrastructure (i.e. a residual risk report may include breakdown of risks faced by each asset group of the business, in a risks per asset group includes risk scores for each systems for example, servers and apps, business networks, end user systems, terminals etc.)(Paragraph 102-103, 104); calculating, by the computing device, how the treatment actions affect other risk factors (Paragraph 68) based on determining, by the computing device, a probability of implementation of the treatment actions (Paragraph 65). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Vescio’s teaching in Tsal and Sahni’s teaching to come up with calculating how the treatment actions affect other risk factors based on probability of implementations. The motivation for doing so would be to come up with and be ready with appropriate remedial action for corrective measure therefore the impact is minimized and controlled.
With respect to claim 14, Tsal, Sahni and Vescio teaches the computer program product of claim 13, but Sahni further teaches wherein the risk event categories comprise at least one of financial risks (Paragraph 29), architecture control, suppliers, currency and refresh of hardware (HW)/software (SW), or regulatory risks.
With respect to claim 15, Tsal, Sahni and Vescio teaches the computer program product of claim 13, but Tsal further teaches further comprising generating a matrix characterization of the defined treatment actions with a plurality of risk events (Paragraph 111-113)
Allowable Subject Matter
Claim 3, 8-10, 16-18, 19 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Response to Arguments
Applicant's arguments filed 12/29/2025 have been fully considered but they are not persuasive.
A). Applicant states Vescio does not teach “each of the plurality of risk events is associated with a potential threat or a vulnerability to information technology infrastructure”.
With respect to remark A, Examiner respectfully disagrees with the applicant because in Paragraph 102-105, 68, Vescio teaches obtaining by a computing device, a plurality of risk events (Paragraph 102, 103), wherein each of the plurality of risk events (i.e. residual risk reports, residual risk summary, implicit risk etc.)(Paragraph 102-105) is associated with a potential threat or a vulnerability to information technology infrastructure (i.e. a residual risk report may include breakdown of risks faced by each asset group of the business, in a risks per asset group includes risk scores for each systems for example, servers and apps, business networks, end user systems, terminals etc.)(Paragraph 102-103, 104); calculating, by the computing device, how the treatment actions affect other risk factors (Paragraph 68) based on determining, by the computing device, a probability of implementation of the treatment actions (Paragraph 65). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Vescio’s teaching in Tsal and Sahni’s teaching to come up with calculating how the treatment actions affect other risk factors based on probability of implementations. The motivation for doing so would be to come up with and be ready with appropriate remedial action for corrective measure therefore the impact is minimized and controlled.
B). Applicant states Tsal does not teach “calculating, how the treatment actions affect other risk factors based on determining step…”
With respect to remark B, Examiner respectfully disagrees with the applicant because in Paragraph 130-132, Tsal teaches calculating, by the computing device, how the treatment actions affect other risk factors (Paragraph 130-132). In Paragraph 130-131, Table, it clearly shows having example of identified risk and in Paragraph 131, it further provides treatment for risk is some action that is designed to in some way mitigate the exposure to that risk. It provides another example of treatment designed to target a supplier risk will only be able to structure a response that either alleviates a potential disruption with some contingency/work around plan and/or target the potential source of the threat in an attempt to lower the likelihood of that risk occurring. Furthermore, it provides potential legal implication of a certain type of supplier risk. This clearly shows the treatment actions effect other risk factors.
and wherein each of the plurality of risk events is associated with a potential threat or a vulnerability to information technology infrastructure.
Vescio teaches obtaining by a computing device, a plurality of risk events (Paragraph 102, 103), wherein each of the plurality of risk events (i.e. residual risk reports, residual risk summary, implicit risk etc.)(Paragraph 102-105) is associated with a potential threat or a vulnerability to information technology infrastructure (i.e. a residual risk report may include breakdown of risks faced by each asset group of the business, in a risks per asset group includes risk scores for each systems for example, servers and apps, business networks, end user systems, terminals etc.)(Paragraph 102-103, 104); calculating, by the computing device, how the treatment actions affect other risk factors (Paragraph 68) based on determining, by the computing device, a probability of implementation of the treatment actions (Paragraph 65). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Vescio’s teaching in Tsal’s teaching to come up with calculating how the treatment actions affect other risk factors based on probability of implementations. The motivation for doing so would be to come up with and be ready with appropriate remedial action for corrective measure therefore the impact is minimized and controlled.
Although, Vescio teaches wherein each of the plurality of risk events (i.e. residual risk reports, residual risk summary, implicit risk etc.)(Paragraph 102-105) is associated with a potential threat or a vulnerability to information technology infrastructure (i.e. a residual risk report may include breakdown of risks faced by each asset group of the business, in a risks per asset group includes risk scores for each systems for example, servers and apps, business networks, end user systems, terminals etc.)(Paragraph 102-103, 104); Apger explicitly teaches wherein each of the plurality of risk events is associated with a potential threat or a vulnerability (i.e. plurality of event records wherein notable event record is indicative of a potential security threat associated with a respective entity on the computer network, wherein the notable event record contains an association of the respective entity with a risk object) to information technology infrastructure (i.e. computer network) (Paragraph 292, 301). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Apger’s teaching in Tsal and Vescio’s teaching to come up with having plurality of risk events is associated with a potential threat or a vulnerability to information technology infrastructure. The motivation for doing so would be to outputting the threat report for display to the user and the administrator to take corrective action beforehand.
C). Applicant states Tsal does not teach “providing by the computing device, a recommendation of optimal risk mitigation based on how the first treatment actions affect the other risks”.
Examiner respectfully disagrees with the applicant because in Paragraph 95-96, 107-110, Tsal teaches providing, by the computing device, a recommendation of optimal risk mitigation based on how the first treatment actions affect the other risk events (Paragraph 95-96). In Paragraphs 95-96, it clearly shows having first solution A and solution B wherein the in Paragraph 95, it clearly shows having multiple initial condition with an impact value and likelihood value and provides a solution in to provide new risk B with a new node. Furthermore in Paragraphs 107-110, it shows having treatment A which completely mitigates and prior to treatment B being effect. It provides results after each of these treatments and shows how the value of the treatment has changed.
Tsal does not teach based on the determining steps
Vescio teaches calculating, by the computing device, how the treatment actions affect other risk factors (Paragraph 68) based on determining, by the computing device, a probability of implementation of the treatment actions (Paragraph 65). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Vescio’s teaching in Tsal’s teaching to come up with calculating how the treatment actions affect other risk factors based on probability of implementations. The motivation for doing so would be to come up with and be ready with appropriate remedial action for corrective measure therefore the impact is minimized and controlled.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
A). Duessel et al. U.S. Patent Publication # 2022/0366332 which teaches about risk-adaptive security investment optimization.
B). Murray et al. U.S. Patent Publication # 2021/0367963 which teaches about real-time compliance monitoring for automated risk assessment.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DHAIRYA A PATEL whose telephone number is (571)272-5809. The examiner can normally be reached M-F 7:30am-4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on 571-272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
DHAIRYA A. PATEL
Primary Examiner
Art Unit 2453
/DHAIRYA A PATEL/Primary Examiner, Art Unit 2453