DETAILED ACTION
Notice of Pre-AIA or AIA Status
[1] The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
[2] A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 2 February 2026 has been entered.
Notice to Applicant
[3] This communication is in response to the Amendment and the Request for Continued Examination (RCE) filed 2 February 2026. Claims 1, 5-6, 10-11, and 15 have been amended. Claims 1-15 are pending.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
[4] Previous rejection(s) of claims 1-15 under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter, specifically an abstract idea without significantly more has/have not been overcome by the amendments to the subject claims and is/are maintained. The revised statement of rejection presented below is necessitated by amendment and addresses the present amendments to the pending claims.
The following analysis is based on the framework for determining patent subject matter eligibility under 35 U.S.C. 101 established in the decisions of the Supreme Court in Mayo Collaborative Services v. Prometheus Labs., Incorporated and Alice Corporation Pty. Ltd. v. CLS Bank International, et al. (See MPEP 2106 subsection III and 2106.03-2106.05). Claim(s) 1-15 as a whole is/are determined to be directed to an abstract idea. The rationale for this determination is explained below:
Abstract ideas are excluded from patent eligibility based on a concern that monopolization of the basic tools of scientific and technological work might serve to impede, rather than promote, innovation. Still, inventions that integrate the building blocks of human ingenuity into something more by applying the abstract idea in a meaningful way are patent eligible (See MPEP 2106.04).
Consistent with the findings of the Supreme Court in Mayo Collaborative Services v. Prometheus Labs., Incorporated and Alice Corporation Pty. Ltd. v. CLS Bank International, et al., ineligible abstract ideas are defined in groups, namely: (1) Mathematical Concepts (e.g., mathematical relationships, mathematical formulas or equations, and mathematical calculations); (2) Mental Processes (e.g., concepts performed or performable in the human mind including observations, evaluations, judgements, or opinions); and (3) Certain Methods of Organizing Human Activity. Groupings of Certain Methods of Organizing Human Activity include three sub-categories within the group, namely: (1) fundamental economic principles or practices; (2) commercial or legal interactions (e.g., agreements in the form of contracts, legal obligations, advertising, marketing or sales activities or behaviors, and business relations); (3) managing personal behavior or relationships or interactions between people (e.g., social activities, teaching, and following rules or instructions) (See MPEP 2106.04(a)).
Eligibility Step 1: Four Categories of Statutory Subject Matter (See MPEP 2106.03): Independent claims 1, 6, and 11 are directed to a method, a system, and non-transitory computer-readable storage medium and are reasonably understood to be properly directed to one of the four recognized statutory classes of invention designated by 35 U.S.C. 101; namely, a process or method, a machine or apparatus, an article of manufacture, or a composition of matter. While the claims, generally, are directed to recognized statutory classes of invention, each of method/process, system/apparatus claims, and computer-readable media/articles of manufacture are subject to additional analysis as defined by the Courts to determine whether the particularly claimed subject matter is patent-eligible with respect to these further requirements. In the case of the instant application, each of claims 1, 6, and 11 are determined to be directed to ineligible subject matter based on the following analysis/guidance:
Eligibility Step 2A prong 1: (See MPEP 2106.04): In reference to claim 1, the claimed invention is directed to non-statutory subject matter because the claim(s) as a whole, considering all claim elements both individually and in combination, do/does not amount to significantly more than an abstract idea. The claim(s) is/are directed to the abstract idea of assessing and analyzing business operations and business environments to determine a cybersecurity risk and threat profile for the business, which is reasonably considered to be a method limited to steps/processes performable by Human Mental Processing (e.g., concepts performed or performable in the human mind including observations, evaluations, judgements, or opinions). In particular, the general subject matter to which the claims are directed illustrates a sequence of analyses and evaluations of business information and environmental factors to identify gaps in risk control measures, assemble threat, risk, and impact profiles and initiate risk mitigation measures to lower a level of cybersecurity risk, which is an ineligible inventive process limited to claimed human mental observations and evaluations.
The courts have previously identified subject matter limited to steps/processes performable by Human Mental Processing and/or by a human using pen and paper to be ineligible abstract ideas (See CyberSource Corp v. Retail Decisions, Inc., 654 F.3d 1366, 1373 (Fed. Cir. 2011)). Further, mental processes or concepts performed in the human mind including observation and evaluation are considered to be ineligible abstract ideas. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for a recitation of generic computer components, then the claim is still to be grouped as a mental process unless the limitation cannot practically be performed in the human mind (See MPEP 2106.04(a)(2)).
With respect to functions/steps limited to processes performable by Human Mental Processing and/or by a human using pen and paper, representative claim 1 recites:
“…acquiring information of an industrial environment and operations of an entity, the industrial environment comprising a network; determining an engagement scope through facilitated sessions;…”, “…performing cybersecurity control review to determine a cybersecurity control gap comprising a network deficiency leading to a risk exposure associated to a security breach; generating, using the cybersecurity control gap, a control gap report and a control effectiveness report;…”, “…performing cybersecurity threat analysis to generate an operational threat profile;…”, “…performing the cybersecurity risk assessment by using the operational threat profile, to generate an operational risk profile;…”, “…performing an impact assessment, by using the operational risk profile, to generate an operational impact profile;…”, and “…applying one or more mitigation measures based on the cyber security risk assessment…”
Respectfully, absent further clarification of the processing steps executed by the recited processors and executable instructions present in claims 6 and 11 but presently absent from claim 1, one of ordinary skill in the art would readily understand that assessing and evaluating acquired information regarding a computer network to profile a level of cybersecurity risk and/or security control gap and further determine mitigation actions to reduce the risk are practicable and/or performable by a human using pen and paper and/or by employing human mental processing (See CyberSource Corp v. Retail Decisions, Inc., 654 F.3d 1366, 1373 (Fed. Cir. 2011) (“a method that can be performed by human thought alone is merely an abstract idea and is not patent eligible under 35 U.S.C 101”)).
While the elements added by amendment further define mental processes applied to received data to determine control gaps and mitigation actions and further indicate general actions taken to mitigate a security threat using the claimed profiles, the amended limitations do not modify the general directive of the claimed invention to assessing and analyzing business operations and business environments to determine a cybersecurity risk and threat profile for the business. The above noted amendments introduce technical elements and processes which constitute recited functions and features. These elements have been considered at each step of Examiner’s analysis but are determined to be limited to generic computing structures executing generic computing functions previously identified by the courts, as further analyzed under Step 2A prong 2 and Step 2B below.
Eligibility Step 2A prong 2: (See MPEP 2106.04(d)): Under step 2A prong two, Examiners are to consider additional elements recited in the claim beyond the judicial exception and evaluate whether those additional elements integrate the exception into a practical application. Further, to be considered a recitation of an element which integrates the judicial exception into a practical application, the additional elements must apply, rely on, or use the judicial exception in a manner that imposes meaningful limits on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the exception.
As presented by amendment, additional technical elements identified in claim 1 are limited to an indication that the previously recited “environment” comprises an “…industrial environment comprising a network…”. With respect to the recited “network”, claim 1 has been further amended to specify that the previously recited “performing a cybersecurity review” is “…to determine a cybersecurity control gap comprising a network deficiency leading to a risk exposure…” and further “…generating, using the cybersecurity control gap, a control gap report and a control effectiveness report…”. Additionally, claim 1 includes a further step of “…applying one or more mitigation measures based on the cyber security risk assessment the one or more mitigation measures comprising updating the network by isolating a portion of the network, through segmentation, to separate the portion of the network from the remaining parts of the network to limit a potential impact of the security breach and thereby adjust the operational impact profile…”. Claim 1 retains the indication that the claimed method is directed to “cybersecurity risk”, i.e., the method focuses on risk to computers operating in a network environment, as designated in the preamble. Claims 6 and 11, directed to an apparatus and a system introduce a “processor” and non-transitory computer readable storage medium storing processor-executable “instructions”. The recited “memory modules” of claim 11 are understood in light of the supportive disclosure to be memory elements storing executable instructions and are addressed as a computer-readable medium storing instructions as provided with respect to the stored processor-executable “instructions” below.
(1) The “processor”, and “instructions” are identified as engaged in an unspecified, general manner in the performance of each of the recited steps/functions.
(2) The “network” is identified as being the subject/target of the recited determination of a cybersecurity control gap which comprises a “…network deficiency…”.
(3) The “network” is further identified as being the target of the recited mitigations in which the mitigation measures comprise “…updating the network by isolating a portion of the network, through segmentation, to separate the portion of the network from the remaining parts of the network to limit a potential impact of the security breach and thereby adjust the operational impact profile…”.
With respect to the amendments to the claims to specify that “…updating the network by isolating a portion of the network, through segmentation, to separate the portion of the network from the remaining parts of the network to limit a potential impact of the security breach and thereby adjust the operational impact profile…”, Examiner respectfully submits that as presently claimed, the limitation provides a general idea that isolating a portion of the network can separate a vulnerability of the system from an attack. While stating that this is accomplished “through segmentation”, there are no actual processes or functions performed in which a vulnerable portion of the network is identified and configurationally separated from other portions of the network. In other words, the limitation presents a general concept that separating a portion of the network can limit impact of a threat or attack. Accordingly, the limitation is reasonably understood to present a general intention encompassing any known generic process for separating a portion of the network in consideration of a general statement of risk, i.e., a profile.
NOTE: For Applicant’s benefit, Examiner suggests that amendments to clarify how the system identifies a vulnerable portion of the network and configures the network to segment the vulnerable portion of the network would likely establish a technical element which practically integrates the claimed invention into a practical application of the ineligible processes. Examiner further suggests a review of Example 40 of the 2019 Patent Eligibility Guidance. In contrast to the network traffic monitoring and subsequent initiation of collecting additional NetFlow protocol data based on the observed traffic data attributes, the instant claims assemble profiles and recite a general observation that network isolation can reduce general impact of an attack.
With respect to the above noted functions attributable to the identified additional elements, MPEP 2106.05 stipulates that: There are no additional elements in the claim; Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f); and/or Generally linking the use of the judicial exception to a particular technological environment or field of use – see MPEP 2106.05(h) serve as indications that the use of the technology recited does not indicate integration into a practical application of the judicial exception.
Each of the above noted limitations states a result (e.g., information is acquired, control effectiveness is assessed, threats, risks, and impacts are assessed, profiles are generated etc.) as associated with a respective “processor” or “executable instructions”. Beyond the general statement that the claimed method is directed to a technical field, e.g., cybersecurity, and the functions are performed utilizing instructions and a processor in an unspecified manner, the limitations provide no further clarification with respect to the functions performed by the “processor” and “executable instructions” in producing the claimed result. A recitation of “by a processor” or “executing instructions”, absent clarification of particular processing steps executed by the underlying technology to produce the result, is reasonably understood to be an equivalent of “apply it”. The technology as engaged is solely identified as storing and retrieving information, performing tasks that are otherwise performable in the human mind (e.g., performing assessments and generating profiles), and sending and receiving information over a network (See MPEP 2106.05(f)).
Accordingly, claim 1 is reasonably understood to be conducting a standard, and formerly manually performed, process of assessing and analyzing business operations and business environments to determine a cybersecurity risk and threat profile for the business using the generic devices as tools to perform the abstract idea. The identified functions of the recited additional elements reasonably constitute a general linking of the abstract idea to a generic technological environment. The claimed assessing and analyzing business operations and business environments to determine a cybersecurity risk and threat profile for the business benefits from the inherent efficiencies gained by data transmission, data storage, and information display capacities of generic computing devices, but fails to present an additional element(s) which practically integrates the judicial exception into a practical application of the judicial exception.
Eligibility Step 2B: (See MPEP 2106.05): Analysis under step 2B is further subject to the Revised Examination Procedure responsive to the Subject Matter Eligibility Decision in Berkheimer v. HP, Inc. issued by the United States Patent and Trademark Office (19 April 2018). Examiner respectfully submits that the recited uses of the underlying computer technology constitute well-known, routine, and conventional uses of generic computers operating in a network environment. In support of Examiner’s conclusion that the recited functions/role of the computer as presented in the present form of the claims constitutes known and conventional uses of generic computing technology, Examiner provides the following:
In reference to the Specification as originally filed, Examiner notes paragraphs [0058]-[0066]. In the noted disclosure, the Specification provides listings of generic computing systems, e.g., a general computing platform including exemplary servers, network configurations and various processor configurations which are identified as capable and interchangeable for performing the disclosed processes. The disclosure does not identify any particular modifications to the underlying hardware elements required to perform the inventive methods and functions. Accordingly, it is reasonably understood that this disclosure indicates that the hardware elements and network configurations suitable for performing the inventive methods are limited to commercially available systems at the time of the invention. Absent further clarification, it is reasonably understood that any modifications/improvements to the underlying technology attributable to the inventive method/system are limited to improvements realized by the disclosed computer-executable routines and the associated processes performed.
While the above noted disclosure serves to provide sufficient explanation of technical elements required to perform the inventive method using available computing technology, the disclosure does not appear to identify any particular modifications or inventive configurations of the underlying hardware elements required to perform the inventive methods and functions. Accordingly, it is reasonably understood that the disclosure indicates that the hardware elements and network configurations suitable for performing the inventive methods are limited to commercially available systems at the time of the invention. Further, absent further clarification, it is reasonably understood that any modifications/improvements to the underlying technology attributable to the inventive method/system are limited to improvements realized by the disclosed computer-executable routines and the associated processes performed.
The claims specify that the above identified generic computing structures and associated functions/routines include:
(1) The “processor”, and “instructions” are identified as engaged in an unspecified, general manner in the performance of each of the recited steps/functions.
(2) The “network” is identified as being the subject/target of the recited determination of a cybersecurity control gap which comprises a “…network deficiency…”.
(3) The “network” is further identified as being the target of the recited mitigations in which the mitigation measures comprise “…updating the network by isolating a portion of the network, through segmentation, to separate the portion of the network from the remaining parts of the network to limit a potential impact of the security breach and thereby adjust the operational impact profile…”.
While Examiner acknowledges that the noted limitations are computer-implemented, Examiner respectfully submits that, in aggregate (e.g., “as a whole”) they do not amount to significantly more than the abstract idea/ineligible subject matter to which the claimed invention is primarily directed.
While utilizing a computer, the claimed invention is not rooted in computer technology nor does it improve the performance of the underlying computer technology. The computer-implemented features of the claimed invention noted above are reasonably limited to: (1) receiving and sending data via a computer network (e.g., acquiring information, providing a risk assessment and profiles); (2) storing and retrieving information and data from a generic computer memory (e.g., information and profiles); and (3) performing repetitive calculations and/or mental observations using the obtained information/data (e.g., performing assessments and generating profiles). The above listed computer-implemented functions are distinguished from the generic data storage, retrieval, transmission, and data manipulation/processing capacities of the generic systems identified in the Specification solely by the recited identification of particular data elements that are of utility to a user performing the specific method of assessing and analyzing business operations and business environments to determine a cybersecurity risk and threat profile for the business. In summary, the computer of the instant invention is facilitating non-technical aims, i.e., assessing and analyzing business operations and business environments to determine a cybersecurity risk and threat profile for the business, because it has been programmed to store, retrieve, and transmit specific data elements and/or instructions that is/are of utility to the user. The non-technical functions of assessing and analyzing business operations and business environments to determine a cybersecurity risk and threat profile for the business benefit from the use of computer technology, but fail to improve the underlying technology.
In support, the courts have previously found that utilization of a computer to receive or transmit data and communications over a network and/or employing generic computer memory and processor capacities to store and retrieve information from a computer memory are insufficient computer-implemented functions to establish that an otherwise unpatentable judicial exception (e.g. abstract idea) is patent eligible. With respect to the determinations of the Courts regarding using a computer for sending and receiving data or information over a computer network and storing and retrieving information from computer memory, see at least: receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362; sending messages over a network, OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d 1359, 1363, 115 USPQ2d 1090, 1093 (Fed. Cir. 2015) (sending messages over a network); receiving and sending information over a network, buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014) (computer receives and sends information over a network); storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015); OIP Techs., 788 F.3d at 1363, 115 USPQ2d at 1092-93; and see performing repetitive calculations, Flook, 437 U.S. at 594, 198 USPQ2d at 199; and Bancorp Services v. Sun Life, 687 F.3d 1266, 1278, 103 USPQ2d 1425, 1433 (Fed. Cir. 2012) with respect to the performance of repetitive calculations does not impose meaningful limits on the scope of the claims.
Independent claims 6 and 11, directed to an apparatus/system and computer-executable instructions stored on computer-readable media for performing the method steps are rejected for substantially the same reasons, in that the generically recited computer components in the apparatus/system and computer readable media claims add nothing of substance to the underlying abstract idea.
Dependent claims 2-5, 7-10, and 12-15, when analyzed as a whole are held to be ineligible subject matter and are rejected under 35 U.S.C. 101 because the additional recited limitation(s) fail(s) to establish that the claimed invention is not directed to an abstract idea.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
[5] Claim(s) 1-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hogg (United States Patent Application Publication No. 2019/0236661 hereinafter ‘Hogg’) in view of O’Reilly (United States Patent Application Publication No. 2018/0167414 hereinafter ‘O’Reilly’) and further in view of Thompson (United States Patent Application Publication No. 2024/0340301 hereinafter ‘Thompson’).
With respect to (currently amended) claim 1, Hogg discloses a method for cybersecurity risk assessment, comprising: acquiring information of business environment and business operations of a business entity; determining an engagement scope through facilitated sessions (Hogg et al.; paragraphs [0015] [0050] [0059]; See at least acquiring information about the business entity); performing cybersecurity review and gap assessment to generate a control gap report and a control effectiveness report (Hogg et al.; paragraphs [0064] [0067]; See at least controls); performing cybersecurity threat analysis to generate an operational threat profile (Hogg et al.; paragraphs [0184] [0185] [0224]; See at least threat profile); performing the cybersecurity risk assessment, by using the operational threat profile, to generate an operational risk profile (Hogg et al.; paragraphs [0073] [0074]; See at least risk profile); performing an impact assessment, by using the operational risk profile, to generate an operational impact profile (Hogg et al.; paragraphs [0150]-[0154]; See at least vulnerabilities across sector, i.e., potential impacts); and providing the cyber security risk assessment to business sectors of the business entity (Hogg et al.; paragraphs [0146]-[0155]; See at least reports).
Claim 1 further specifies that the recited “environment” comprises an “…industrial environment comprising a network…”.
With respect to the recited “network”, claim 1 has been further amended to specify that the previously recited “performing a cybersecurity review” is “…to determine a cybersecurity control gap comprising a network deficiency leading to a risk exposure associated to a security breach…”.
Claim 1 includes a further step of “…applying one or more mitigation measures based on the cyber security risk assessment the one or more mitigation measures comprising updating the network by isolating a portion of the network, through segmentation, to separate the portion of the network from the remaining parts of the network to limit a potential impact of the security breach and thereby adjust the operational impact profile…”.
With respect to these elements, Hogg discloses a cyber security assessment process which identifies and assesses the adequacy of access controls on network endpoints with respect to specific cyber-attacks, i.e., “associated to a security breach” (Hogg et al.; paragraphs [0070]-[0071] [0185]). While Hogg determines the presence of specified controls in determining vulnerabilities, Hogg fails to specify that the assessment and determined control gap are specifically directed to a determined network deficiency and that mitigation efforts are specified network updates.
However, as evidenced by O’Reilly, it is well-known in the art to assess vulnerabilities of a network system and determine a gap in control measures associated with a designated network vulnerability (O’Reilly; paragraphs [0035]-[0036] [0051] [0057]-[0059]; See at least assessment of controls regarding firewalls and VPN rules of target network/system. See further assessment of gap in controls and recommendations of mitigations for reducing the calculated gap. The mitigations, e.g., patches, VPN adjustments etc., are reasonably forms of “updating the network”).
With respect to the mitigation efforts including “…updating the network by isolating a portion of the network, through segmentation, to separate the portion of the network from the remaining parts of the network to limit a potential impact of the security breach and thereby adjust the operational impact profile…”, as noted above, Hogg fails to specify that the mitigation efforts are specified network updates. While O’Reilly discloses updating the network including patches and VPN adjustments, O’Reilly fails to specify isolating a portion of the network through segmentation.
However, as evidenced by Thompson, it is well-known in the art to implement network segmentation tests to generate recommendations to properly isolate portions of the network which may be more vulnerable to attacks (Thompson et al.; paragraphs [0142]-[0143] [0186]-[0187]; See at least identification of security gaps and performance of network segmentation tests and recommendations in response to simulated phishing emails).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the control assessments and mitigations of Hogg by further including identification of network vulnerabilities in the form of gaps in control measures and further identifying targeted mitigations to reduce network vulnerabilities as taught by O’Reilly. The instant invention is directed to a system and method of assessing cybersecurity risks and recommending mitigation efforts. As Hogg discloses the use of control assessments and mitigations in the context of a system and method for assessing cybersecurity risks and recommending mitigation efforts and O’Reilly similarly discloses the utility of identification of network vulnerabilities in the form of gaps in control measures and further identifying targeted mitigations to reduce network vulnerabilities in the context of a system and method for assessing cybersecurity risks and recommending mitigation efforts, the teachings are reasonably considered to have been derived from analogous references and applied in the manner disclosed by the respective references. Accordingly, one of ordinary skill in the art would have been motivated to make the noted combination/modification as rationalized by combining prior art elements according to known methods to yield the predictable results of ensuring that information and computing systems are secure by determining which controls should be improved and the manner in which the controls should be improved such that client computing systems have increased compliance with the controls (O’Reilly; paragraph [0003]).
Regarding the combination that further includes Thompson, it would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the control assessments and mitigations of Hogg by further including identification of network vulnerabilities in the form of gaps and implementing network segmentation tests to generate recommendations to properly isolate portions of the network which may be more vulnerable to attacks as taught by Thompson. The instant invention is directed to a system and method of assessing cybersecurity risks and recommending mitigation efforts. As Hogg discloses the use of control assessments and mitigations in the context of a system and method for assessing cybersecurity risks and recommending mitigation efforts and Thompson similarly discloses the utility of implementing network segmentation tests to generate recommendations to properly isolate portions of the network which may be more vulnerable to attacks in the context of a system and method for assessing cybersecurity risks and recommending mitigation efforts, the teachings are reasonably considered to have been derived from analogous references and applied in the manner disclosed by the respective references. Accordingly, one of ordinary skill in the art would have been motivated to make the noted combination/modification as rationalized by combining prior art elements according to known methods to yield the predictable results of ensuring that information and computing systems are secure by determining which controls should be improved to ensure that critical systems are properly isolated from less critical systems thereby minimizing exposure to a constantly evolving threat landscape (Thompson; paragraph [0033]).
With respect to claim 2, Hogg discloses a method further comprising deploying one or more mitigation measures to address cybersecurity risks included in the cybersecurity risk assessment (Hogg et al.; paragraphs [0184] [0185]; See at least mitigation recommendations).
With respect to claim 3, Hogg discloses a method wherein the information of the industrial environment and the operations comprises an operational profile (Hogg et al.; paragraphs [0184] [0185]; See at least threat profile regional).
With respect to claim 4, Hogg discloses a method wherein the operational threat profile comprises threat actors, threat vectors, vulnerabilities, and attack techniques (Hogg et al.; paragraphs [0184] [0185] [0224]; See at least threat profile).
With respect to (currently amended) claim 5, while Hogg discloses a method including updating the network (Hogg et al.; paragraphs [0239] [0240]; See at least countermeasures including firewalls), as noted above, Hogg fails to specify that mitigation measures further comprise patching, and upgrading the network.
However, O’Reilly discloses assessing vulnerabilities of a network system and determining a gap in control measures associated with a designated network vulnerability and further performing mitigation efforts including patches and network upgrades (O’Reilly; paragraphs [0035]-[0036] [0051] [0057]-[0059]; See at least assessment of controls regarding firewalls and VPN rules of target network/system. See further assessment of gap in controls and recommendations of mitigations for reducing the calculated gap. The mitigations, e.g., patches, VPN adjustments etc., are reasonably forms of “updating the network”).
Regarding claim 5, the conclusions of obviousness and rationale to modify as established for claim 1 above are applicable to claim 5 and are hereby incorporated by reference.
Claims 6-10 and 11-15, as presented by amendment, substantially repeat the subject matter addressed above with respect to claims 1-5 as directed to the enabling systems/apparatus and computer-readable medium storing computer-executable instructions. With respect to these elements, Hogg et al. disclose enabling the disclosed method employing analogous systems and executable instructions. Accordingly, claims 6-10 and 11-15 are rejected under the applied teachings, conclusions of obviousness, and rationale to modify as discussed above with respect to claims 1-5.
Response to Remarks/Amendment
[6] Applicant's remarks filed 2 February 2026 have been fully considered and are addressed as follows:
[i] Applicant’s remarks in response to previous rejection(s) of claim(s) 1-15 under 35 U.S.C. 101 as being directed to non-statutory subject matter as set forth in the previous Office Action mailed 27 October 2025 are reasonably considered to have been fully addressed in the context of the revised rejection of the claims presented above responsive to the amendments to the subject claims and in consideration of the framework for determining patent subject matter eligibility under 35 U.S.C. 101 established in the decisions of the Supreme Court in Mayo Collaborative Services v. Prometheus Labs., Incorporated and Alice Corporation Pty. Ltd. v. CLS Bank International, et al. (See MPEP 2106 subsection III and 2106.03-2106.05).
[ii] Applicant’s remarks directed to previous rejection(s) of claim(s) 1-15 under 35 U.S.C. 102 as being unpatentable as set forth in the previous Office Action mailed 27 October 2025 have been fully considered and are moot in light of newly added grounds of rejection responsive to the amendments to the subject claims. See revised rejection under 35 U.S.C. 103 presented above.
Conclusion
[7] The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Campbell, SYSTEM AND METHOD FOR ENUMERATING AND REMEDIATING GAPS IN CYBERSECURITY DEFENSES, United States Patent Application Publication No. 2021/0234885, paragraphs [0180]-[0185]: Relevant Teachings: Campbell discloses a system/method that provides analysis of security systems to identify control gaps and further analyzes network segmentation.
Patel et al., DEVICE CYBERSECURITY RISK MANAGEMENT, United States Patent Application Publication No. 2021/0211452, paragraphs [0022]-[0023]: Relevant Teachings: Patel discloses a system/method that provides analysis of network segmentation with respect to security gaps.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT D RINES whose telephone number is (571)272-5585. The examiner can normally be reached M-F 9am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Beth V Boswell can be reached at 571-272-6737. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ROBERT D RINES/Primary Examiner, Art Unit 3625