DETAILED ACTION
Responsive to the Applicant’s reply filed on 11/12/2025, Applicant’s amendments to claims have been entered and respective arguments carefully considered and responded in the following. Claims 1-20 are pending with claims 1, 8, and 15 being in independent form.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding to the claims in response the Office Action, the Examiner would like Applicant to provide a clean copy of the claims to facilitate the prosecution which otherwise requires extra time in editing the marked-up claims from OCR.
Please submit two sets of claims:
Set #1 as in a typical filing which includes indicators for the status of claim and all marked amendments to the claims; and
Set #2 as an appendix to the Arguments/Remarks for a clean version of the claims which has all the markups removed for entry by the Examiner.
Response to Arguments
The claim amendments and remarks filed by the Applicant on 11/12/2025, have been carefully considered and are responded in the following.
First:
In response to the Applicant arguments, page(s) 7 of 18, regarding claim objections for informality, Applicant’s arguments are persuasive. Accordingly, the objections are withdrawn.
Secondly,
In response to the Applicant arguments, page(s) 7-12, regarding the rejections under 35 U.S.C. 101, the amendments failed to resolve the issues which are explained in the following:
Regarding the amended claim 8 which is construed as being software per se. The added limitations are still too broad to limit the claim to hardware. The broadest reasonable interpretation of the claim element “the system … comprising at least one computing device including a processor…configured, by executable instructions” in claim 8 is drawn to a non-structural item which could be interpreted as software per se. when given broadest reasonable interpretation. The newly added processor may be a software processor. When a processor is configured by executable instructions, the processor itself may still be software in nature. A "computing device" in the field of computer art is a broader category that could include any programable units that processes data as opposed to a "computer" device which is often referred to as a traditional PCs or powerful machines characterized as a physical computing hardware. Essentially, all computers compute, but not all computing devices are typically hardware, as nowadays there are many software-based computing devices implemented as virtual machines in which a simulated environment behaves like a physical computer, running its own operating system and applications, but it exists entirely within another computer's software. As such, Applicant’s arguments are not persuasive.
Regarding claims 1-20 being rejected under 35 U.S.C. 101 for the matters directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more, Applicant fails to point out the claim elements functionally interacting to perform the claimed invention. As the concept of the invention is basically a series of calculations to obtain a potential financial impact for each information asset with aggregating maximum and minimum potential financial ranges and cyber risk scores, nothing is found inevitably related to a solution entirely rooted in computer technology. It should be noted that mental processes that are performed entirely in the human mind may be presented in a way that connects a human operation to the use of a physical aid (e.g., pen and paper or a slide rule) to perform the claim limitation, even with the aid of a general purpose computer. The courts consider a mental process (thinking) that "can be performed in the human mind, or by a human using a pen and paper" to be an abstract idea. CyberSource Corp. v. Retail Decisions, Inc., 654 F.3d 1366, 1372, 99 USPQ2d 1690, 1695 (Fed. Cir. 2011). As the Federal Circuit explained, the courts do not distinguish between mental processes that are performed entirely in the human mind and mental processes that require a human to use a physical aid (e.g., pen and paper or a slide rule) to perform the claim limitation. See, e.g., Benson, 409 U.S. at 67, 65, 175 USPQ at 674-75, 674 (noting that the claimed "conversion of [binary-coded decimal] numerals to pure binary numerals can be done mentally," i.e., "as a person would do it by head and hand."); Synopsys, Inc. v. Mentor Graphics Corp., 839 F.3d 1138, 1139, 120 USPQ2d 1473, 1474 (Fed. Cir. 2016) (holding that claims to a mental process of "translating a functional description of a logic circuit into a hardware component description of the logic circuit" are directed to an abstract idea, because the claims "read on an individual performing the claimed steps mentally or with pencil and paper"). Mental processes performed by humans with the assistance of physical aids such as pens or paper.
Nor do the courts distinguish between claims that recite mental processes performed by humans and claims that recite mental processes performed on a computer. As the Federal Circuit has explained, "[c]ourts have examined claims that required the use of a computer and still found that the underlying, patent-ineligible invention could be performed via pen and paper or in a person’s mind." Versata Dev. Group v. SAP Am., Inc., 793 F.3d 1306, 1335, 115 USPQ2d 1681, 1702 (Fed. Cir. 2015). See also Intellectual Ventures I LLC v. Symantec Corp., 838 F.3d 1307, 1318, 120 USPQ2d 1353, 1360 (Fed. Cir. 2016) (‘‘[W]ith the exception of generic computer-implemented steps, there is nothing in the claims themselves that foreclose them from being performed by a human, mentally or with pen and paper.’’); Mortgage Grader, Inc. v. First Choice Loan Servs. Inc., 811 F.3d 1314, 1324, 117 USPQ2d 1693, 1699 (Fed. Cir. 2016) (holding that computer-implemented method for "anonymous loan shopping" was an abstract idea because it could be "performed by humans without a computer").
Further to note, the court concluded that this step was able to be performed mentally with a pen and paper, and therefore, it qualified as a mental process. 654 F.3d at 1372-73, 99 USPQ2d at 1695. See also Flook, 437 U.S. at 586, 198 USPQ at 196 (claimed "computations can be made by pencil and paper calculations"); University of Florida Research Foundation, Inc. v. General Electric Co., 916 F.3d 1363, 1367, 129 USPQ2d 1409, 1411-12 (Fed. Cir. 2019) (relying on specification’s description of the claimed analysis and manipulation of data as being performed mentally "‘using pen and paper methodologies, such as flowsheets and patient charts’"); Symantec, 838 F.3d at 1318, 120 USPQ2d at 1360 (although claimed as computer-implemented, steps of screening messages can be "performed by a human, mentally.
Given the above reasons, Applicant’s arguments are not persuasive. As such, Applicant is advised to include claim elements functionally interacting to perform the claimed invention to advance the prosecution.
Thirdly,
In response to the Applicant arguments, page(s) 12-13, regarding claim rejections under 35 U.S.C. 112(b) because of each reciting a limitation that lacks sufficient antecedent basis, the amendments have partially resolved the issues. However, some of the rejections are sustained. For example, claims 2, 9, and 16 each recite a second instance of “multiple attack methods” in the subtracting step without linking to the first instance as defined in the base claims 1, 8, and 15, respectively.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
FIRST,
Claims 8-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claimed system may be software (i.e., software per se).
The United States Patent and Trademark Office (USPTO) is obliged to give claims their broadest reasonable interpretation consistent with the specification during proceedings before the USPTO. See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989) (during patent examination the pending claims must be interpreted as broadly as their terms reasonably allow).
The broadest reasonable interpretation of the claim element “the system … comprising at least one computing device including a processor…configured, by executable instructions” in claim 8 is drawn to a non-structural item which could be interpreted as software per se. when given broadest reasonable interpretation. The newly added processor may be a software processor. When a processor is configured by executable instructions, the processor itself may still be software in nature. A "computing device" in the field of computer art is a broader category that could include any programable units that processes data as opposed to a "computer" device which is often referred to as a traditional PCs or powerful machines characterized as a physical computing hardware. Essentially, all computers compute, but not all computing devices are typically hardware, as nowadays there are many software-based computing devices implemented as virtual machines in which a simulated environment behaves like a physical computer, running its own operating system and applications, but it exists entirely within another computer's software. Furthermore, the added limitation for storing at least one resource entry in the storage system is broadly defined in such that the storing function even does not tie to a computer memory device/computer processor. Therefore, claim 8 is found to be software per se. and thus not eligible for patent protection.
Dependent claims 9-14, when analyzed as a whole, are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitation(s) fail(s) to render the claims to be statutory.
SECONDLY,
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
The rationale for this determination is explained below:
First – following Step 1 of the guidance, claims 1-20 are directed to a method comprising a series of functional steps, or a system that may be easily modified to include hardware, or non-transitory computer readable medium. Therefore, the claimed invention via proper modification falls into one of the four statutory categories (see above rejections).
Secondly – following Step 2 of the guidance, claims 1-20 are analyzed for its underlying inventive concept with a new two-prong inquiry (1) does the claim recite an abstract idea, law of nature, or natural phenomenon, and/or judicial exceptions? And (2) does the claim recite additional elements that integrate the judicial exception into a practical application?
It is determined that claimed invention is directed to an abstract idea or at least one of the judicial exceptions, because the concept of the invention is basically a series of calculations to obtain a potential financial impact for each information asset with aggregating maximum and minimum potential financial ranges and cyber risk scores; the first prone of the inquiry. The abstract idea is similar to a) Mathematical concepts – mathematical relationships, mathematical formulas or equations, mathematical calculations; b) Mental processes – concepts performed in the human mind (including an observation, evaluation, judgment, opinion).
Regarding the second prone, the identified additional elements – a computing device – fail to integrate the idea of “assessing cyber-attack preparedness based on calculated scores” into a practical application. The Supreme Court has long distinguished between principles themselves, which are not patent eligible, and the integration of those principles into practical applications, which are patent eligible. This new procedure builds on these Supreme Court decisions and recent decisions from the Federal Circuit indicating that eligible subject matter can often be identified in the first step of the Alice/Mayo test (Step 2A), for instance the Enfish, McRO, and Vanda decisions. Integration into a practical application is evaluated in Prong Two using the considerations laid out by the Supreme Court and the Federal Circuit. Taken these factors into consideration. The current claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claim merely recites a system comprising a computing device without functional connections to the inventive features. These elements only perform functions of a general computer such as receiving, retrieving, and storing data. Furthermore, the claim does not recite an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment. Therefore, the claim is abstract without significantly more.
Dependent claims as presented thus far, when analyzed individually or as a whole, are held to be patent ineligible under 35 U.S.C. 101 because, the additional recited limitation(s) fail(s) to amount to “significantly more” than the judicial exception, and thereby non-statutory.
Please see “The 2019 Revised Patent Subject Matter Eligibility Guidance (or “2019 PEG” for short) published in January 2019 at USPTO Website. Note that the groupings of abstract ideas in the 2019 PEG are not the same as those on the Abstract Ideas QRS or in the MPEP. The groupings in the 2019 PEG should be FOLLOWED for identifying abstract ideas. The 2019 PEG does not change the analysis at Step 2B which pertains to an improvement to conventional functioning of a computer or to technological processes; see also MPEP 2106.05(a).
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B) CONCLUSION—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 2-3, 9-10, and 16-17are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claims 2, 9, and 16 each recite a second instance of “multiple attack methods” in the subtracting step without linking to the first instance as defined in the base claims 1, 8, and 15, respectively. The recitation of a second instance of “multiple attack methods” is unclear or lacks sufficient antecedent basis in the claims.
Claims 3, 10, and 17 each recite “the multiple attack methods” without sufficient antecedent basis. For example, claim 3 depends both claims 1 and 2 where two instances of “multiple attack methods” are found.
Similar to claim 3, claims 10 and 17 are unclear for the same reason.
Allowable Subject Matter
Claims 1-20 are allowable over prior art for the following reasons:
As discussed in previous office action, the closest prior art references, including Cartan (US 20240388598 A1), Risoldi (US 20200311630 A1), and Abramowitz (US 20160112445 A1), do not disclose the features of claims 1, 8, and 15, “calculating, by a computing device, a probability of success (POS) of each of multiple attack methods on the organization; calculating, by the computing device, a cyber risk score for each of the information assets, based on the POS of each of the multiple attack methods and multiple risk scenarios, each risk scenario including an actor and one of the multiple attack methods; calculating, by the computing device, based on the financial data and location(s) of the organization, a maximum financial impact for a cyber attack on the organization” in combination with the limitations “splitting, by the computing device, the maximum and minimum financial impacts among the multiple assets, according to confidentiality, integrity, and availability parameters; and calculating, by the computing device, a potential financial impact for each information asset with aggregating maximum and minimum potential financial ranges and cyber risk scores” as recited in claim 1.
Therefore, independent claims 1, 8, and 15 are allowable over the prior art. Dependent claims are allowed by virtue of their dependencies on claims 1, 8, and 15 as they further limit the scope of the claimed invention.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Don Zhao whose telephone number is (571)272-9953. The examiner can normally be reached on 9 am to 5 pm Monday thru Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Don G Zhao/
Examiner, Art Unit 2493
1/16/2026