DETAILED ACTION
Claims 1-33 are pending and have been examined.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings are objected to because figures 4-22 and 24-26 contain shaded black and grey areas, illegible text, and/or lines that are not uniformly thick and well defined. See MPEP §608.02, 37 CFR 1.84(l), and 37 CFR 1.84(m).
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as "amended." If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either "Replacement Sheet" or "New Sheet" pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-33 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims are directed to an abstract idea without significantly more.
Here, under step 1 of the Alice analysis, method claims 1-31 are directed to a series of steps, system claim 32 is directed to one or more processors and memory, and computer readable storage medium claim 33 is directed to storing one or more programs. Thus, the claims are directed to a process, machine, and manufacture, respectively.
Under step 2A Prong One of the analysis, the claimed invention is directed to an abstract idea without significantly more. The claims recite identifying and addressing information security risks, including obtaining, synthesizing, generating, analyzing, and identifying steps.
The limitations of obtaining, synthesizing, generating, analyzing, and identifying are a process that, under its broadest reasonable interpretation, covers organizing human activity concepts, but for the recitation of generic computer components.
Specifically, the claim elements recite obtaining a plurality of information security and cybersecurity frameworks; synthesizing the plurality of information security and cybersecurity frameworks to obtain a normalized information security framework; obtaining information on existing information systems; generating, from the information, based on the normalized information security framework and customer business context, a risk model that is structured to account for customers’ information security ecosystem; analyzing the risk model's graph structures to identify information security risk; and identifying and proposing prioritizing changes to the existing information systems to attempt to address the identified risk.
That is, other than reciting one or more processors and memory (in claims 32 and 33 only), the claim limitations merely cover commercial interactions, including business relations, and managing behavior, including following rules or instructions, thus falling within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas. Accordingly, the claims recite an abstract idea.
Under Step 2A Prong Two, the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This judicial exception is not integrated into a practical application. The claims include one or more processors and memory. The one or more processors and memory in the steps are recited at a high level of generality, such that they amount to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. As a result, the claims are directed to an abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of one or more processors and memory amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
Additionally, it is noted that method claims 1-31 fail to recite any computer components implementing the series of steps.
None of the dependent claims recite additional limitations that are sufficient to amount to significantly more than the abstract idea. Claims 2-8 further describe each information security and cybersecurity framework, synthesizing the plurality of information security and cybersecurity frameworks, the risk model, analyzing the risk model's graph structures, and the risk profile. Claims 9-14 further describe a client’s information security business context represented on a client model, and the statistical analysis. Claims 15-21 further describe the information on the existing information systems, and results of a risk assessment, and recite additional autogenerating, adjusting, and mitigating steps. Claims 22-25 recite additional providing, scoping, normalizing, generating, and interfacing steps. Claims 26-28 further describe identifying potential changes to the existing information system to address the identified risk, and recite additional steps of generating and displaying a visualization. Claims 29-31 further describe identifying potential changes to the existing information systems to address the identified risk. A more detailed abstract idea remains an abstract idea.
Under step 2B of the analysis, the claims include, inter alia, one or more processors and memory.
As discussed with respect to Step 2A Prong Two, the additional elements in the claim amount to no more than mere instructions to apply the exception using a generic computer component. The same analysis applies here in 2B, i.e., mere instructions to apply an exception on a generic computer cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B.
There isn’t any improvement to another technology or technical field, or the functioning of the computer itself. Moreover, individually, there are not any meaningful limitations beyond generally linking the abstract idea to a particular technological environment, i.e., implementation via a computer system. Further, taken as a combination, the limitations add nothing more than what is present when the limitations are considered individually. There is no indication that the combination provides any effect regarding the functioning of the computer or any improvement to another technology.
In addition, as discussed in paragraph 0067 of the specification, “Figure 2 is a system diagram of an example information security risk manager 102, according to some embodiments. The information security risk manager 102 typically includes one or more processor(s) 230, a memory 200, a power supply 232, an input/output (I/O) subsystem 234, and a communication bus 228 for interconnecting these components. Processor(s) 230 execute modules, programs and/or instructions stored in memory 200 and thereby perform processing operations, including the methods described herein according to some embodiments.”
As such, this disclosure supports the finding that no more than a general purpose computer, performing generic computer functions, is required by the claims.
Viewed as a whole, these additional claim element(s) do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the claim(s) amounts to significantly more than the abstract idea itself. Therefore, the claim(s) are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter. See Alice Corporation Pty. Ltd. v. CLS Bank Int’l et al., No. 13-298 (U.S. June 19, 2014).
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-4 and 9-33 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Vescio (US 20230122830 A1).
As per claim 1, Vescio discloses a method for identifying and addressing information security risks of existing information system (i.e., measuring, modeling, reducing, and addressing cyber risk may contain a process for determining threat, ¶ 0032), the method comprising:
obtaining a plurality of information security and cybersecurity frameworks (i.e., In an exemplary embodiment there may be a control enumeration and structure. The control enumeration may be based on existing systems or use standardized terminology, for example the enumeration may leverage the CIS (Critical Security Controls (version 8)) as a foundational control set in which other control frameworks, ¶ 0027);
synthesizing the plurality of information security and cybersecurity frameworks to obtain a normalized information security framework (i.e., Additionally, different technology systems may also be mapped back to a control framework, for example technologies like zero trust, vulnerability management, and/or DDoS mitigation services may be mapped onto CIS CSC, ¶ 0027);
obtaining information on existing information systems (i.e., In an exemplary embodiment there may be an asset enumeration. The number of assets may depend on the type of business, or the industry the business is within. These enumerations may be based on existing systems or use standardized terminology, for example the asset enumeration system may be based on VERIS. Enumerations and varieties may further be based on other external sources, for example historical data and/or cyber risk intelligence data, ¶ 0024);
generating, from the information, based on the normalized information security framework and customer business context, a risk model that is structured to account for customers’ information security ecosystem (i.e., threat model may be a combination of the threat measurements and a threat asset allocation amongst each of the risk scenarios, to tune the threat for each risk scenario. The asset allocation table may account for the disproportionate threat activity amongst different asset groups. The allocation values may be informed by, for example, historical and cyber risk intelligence data, ¶ 0042);
analyzing the risk model's graph structures to identify information security risk (i.e., results of the inherent risk model may be displayed to the operator. The model may be used to prepare visual aids of various trends, for example, historical trends, maximum threat per threat category graphs, aggregate threat per threat category graphs, and/or top 5 threat scenarios, ¶ 0059); and
identifying and proposing prioritizing changes to the existing information systems to attempt to address the identified risk (i.e., the inherent risk model may be used to automatically address inherent risk. For example, if the inherent risk is determined to be above a certain threshold value, related assets or record type association with high inherent risk may be automatically reduced. In another example, if the inherent risk is above a certain threshold value, monitoring or blocking software to target the related threat may be automatically implemented by the system, ¶ 0060).
As per claim 2, Vescio discloses each information security and cybersecurity framework includes a taxonomy of risks, controls and/or assets (i.e., In an exemplary embodiment there may be a control enumeration and structure. The control enumeration may be based on existing systems or use standardized terminology, for example the enumeration may leverage the CIS (Critical Security Controls (version 8)) as a foundational control set in which other control frameworks, ¶ 0027).
As per claim 3, Vescio discloses synthesizing the plurality of information security and cybersecurity frameworks uses predetermined libraries of categorizations and templates (i.e., a risk scenario enumeration and structure. The risk scenario enumeration may be based on the cross section of a threat category with an asset group. For example, if there are 10 threat categories and 11 asset groups, there may be 110 risk scenarios, ¶ 0026).
As per claim 4, Vescio discloses addressing biases and variability across the plurality of information security and cybersecurity frameworks (i.e., The control effectiveness simulation model may operate based on the following formula, where N is the number of control variables, X is the current iteration, and EV is the inputted control effectiveness value, rerun the simulation N times, ¶ 0098).
As per claim 9, Vescio discloses a client’s information security business context represented on a client model is populated with risk profile information associated with its existing information systems towards statistical analysis of risk (i.e., assessing cyber risk may be used to improve performance of one or more systems, applications, information-technology-based processes, or other enterprise profiles (such as a business unit) by improving the efficiency of finite resource allocation to address various threats to one or more systems, applications, information-technology-based processes, or other enterprise profiles (such as a business unit), ¶ 0007).
As per claim 10, Vescio discloses the statistical analysis comprises: identifying one or more control sets that are most correlated to most significant risks; projecting the one or more control sets into a copy of the client model; and forecasting risk adjusted by the one or more control sets by reapplying one or more risk methods used to generate a risk forecast of the client model (i.e., a replication of the control effectiveness model provides a means to understand how a control change would alter downstream results for reducing and addressing cyber risk before the change takes place. Module replication (or what-if simulations) may empower the operator to anticipate potential changes, forecast future cyber risk, rank controls based on most expected loss improvement, ¶ 0093. AI may be used to provide automatic insights, including, but not limited to, deviations between predictive values and actual values for threat, impact, inherent risk, residual risk, expected loss, and/or loss ratios, ¶ 0110).
As per claim 11, Vescio discloses generating risks from scoped portions of the client model; and aggregating, managing, and/or filtering lists of risks and their uncertain parameters, such as probabilities, duration ranges, and impact ranges (i.e., The historical and cyber risk intelligence threat data 106 and the operator threat input data 114 may be used to determine threat measurements 116. The threat measurements 116 may then be used to produce a threat model 118, which may be displayed as threat results 120, or used to create threat rankings 122, ¶ 0033).
As per claim 12, Vescio discloses forecasting probabilities and financial impacts by repeatedly simulating over a multiplicity of uncertain outcomes occurring across complex systems (i.e., AI may be used to provide automatic insights, including, but not limited to, deviations between predictive values and actual values for threat, impact, inherent risk, residual risk, expected loss, and/or loss ratios, ¶ 0110).
As per claim 13, Vescio discloses storing and reusing random outputs generated in simulations towards standardizing control projection comparison (i.e., module replication may provide a means of conducting what-if simulations. As an example, a replication of the impact model provides a means to understand how a confidentiality, integrity, and availability change would alter downstream results for reducing and addressing cyber risk before the change takes place, ¶ 0093).
As per claim 14, Vescio discloses performing a series of trials that simulates occurrence and impact of potential risk events; and for each trial, summarizing simulated loss occurrences (i.e., module replication may provide a means of conducting what-if simulations. As an example, a replication of the impact model provides a means to understand how a confidentiality, integrity, and availability change would alter downstream results for reducing and addressing cyber risk before the change takes place, ¶ 0093).
As per claim 15, Vescio discloses the information on the existing information systems is updated and/or obtained from one or more compliance audits or assessments of security risks for the existing information systems (i.e., In a next step 804 the operator implementation input for the first control is replaced with the assumed control effectiveness value. In a next step 806 the control effective model is re-calculated using the new value for the first control. In a next step 808 the first control is returned to its original value, and the second control has its value replaced with the assumed control effectiveness value, ¶ 0099).
As per claim 16, Vescio discloses results of a risk assessment are reconfigurable per predefined categories (i.e., loss probability model may be a combination of the threat measurement and residual risk for each loss category and sub-category. In a first step residual risk per threat category may be converted to a risk index value per threat category, ¶ 0089).
As per claim 17, Vescio discloses autogenerating risk events based on relationships between modelled asset and risk categorizations, wherein the risk categorizations are related to one or more asset categorizations (i.e., The model may be used to prepare visual aids of various trends, for example, historical trends, maximum threat per threat category graphs, aggregate threat per threat category graphs, and/or top 5 threat scenarios. These determinations may be made automatically, on a one time or regular basis, and may be made by automatic means such as artificial intelligence, ¶ 0059).
As per claim 18, Vescio discloses adjusting a plurality of risk categorizations based on a single control categorization (i.e., The industry threat baseline 200 may have a series of threat categories 202, such as web app attack, PoS intrusion, etc. For each threat category 202 there may be a ratio 204 assigned as a percentage value. Based on the ratio 204 each category may be assigned a baseline value 206, ¶ 0036).
As per claim 19, Vescio discloses adjusting a single risk categorization based on a plurality of control categorizations, including handling residual risk likelihoods from adjacent controls using a weighted average mechanism (i.e., A final threat measurement may be determined by combining historical and cyber risk intelligence threat data, operator threat input, and any other sources of information. The combination may be an average, weighted average, or some other combination. Control effectiveness may be determined for some or all possible risk scenarios and may be combined into a Control effectiveness grid, ¶ 0072).
As per claim 20, Vescio discloses adjusting risk categorizations based on layered control categorizations, including handling residual risk likelihoods from layered controls using a probability calculation that both controls occur (i.e., a replication of the control effectiveness model provides a means to understand how a control change would alter downstream results for reducing and addressing cyber risk before the change takes place. Module replication (or what-if simulations) may empower the operator to anticipate potential changes, forecast future cyber risk, rank controls based on most expected loss improvement, ¶ 0093).
As per claim 21, Vescio discloses adjusting one or more risk-profile parameters according to related controls, including decreasing generic risk-profile likelihood parameters based on quality of related control, mitigating impact parameters by insurance coverage, and mitigating event duration parameters by incident response (i.e., the control effectiveness simulation model, each control may be converted from their original implementation to an assumed implementation value from 0% to 100%, for example an assumed implementation value of 50%, or 100%. An original control prioritization may be determined, for example the distance from the original implementation value to the assumed value may serve as a basis for determining control prioritization, ¶ 0095).
As per claim 22, Vescio discloses providing interfaces to a client model and an associated risk profile, comprising: scoping sections of the client model and the associated risk profile using templates that parameterize categories of the client model and the associated risk profile that are associated with a service; providing evaluation guidelines or parameters using evaluation templates that define how to assess scoped categories; and normalizing correlated information for translating equivalent evaluation results between disparate evaluation methodologies (i.e., residual risk model may be displayed to the operator. The model may be used to prepare visual aids of various trends, for example, historical trends, maximum residual risk per threat category graphs, aggregate residual risk per threat category graphs, and/or top 5 residual risk scenarios. These determinations may be made automatically, on a one time or regular basis, and may be made by automatic means such as artificial intelligence. Furthermore, regular determinations may be combined to, for example, generate residual risk trends based on shifts in historical and cyber risk intelligence residual risk data and operator defined residual risk data, ¶ 0077).
As per claim 23, Vescio discloses generating assessments for existing control framework standards based on results of assessments performed for other control framework standards (i.e., process may include the data defined industry threat baseline. The industry threat baseline may be based on an industry vertical, and historical and cyber risk intelligence data may be used to determine an annual threat baseline for each industry vertical amongst each of the threat categories. The industry verticals may be based on external sources, for example the verticals may align with NAICS codes, ¶ 0034).
As per claim 24, Vescio discloses generating an assessment of how different audits in an operator’s context for the existing information system are related to one another (i.e., connective technology may automatically inform the system about, for example but not limited to, potential threat monitoring solutions; asset & impact inventory solutions; compliance management or audit solutions; enterprise profile solutions such as record count, revenue, region, etc.; and/or records of actual losses suffered, ¶ 0107).
As per claim 25, Vescio discloses interfacing with, and providing the risk model’s graph and associated risk profile, to one or more services selected from the group consisting of: e-mail protection, managed detection and response, managed perimeter defense, Vulnerability Management as a Service (VMaaS), automation of patching assessment scoring from system coverage, patch level, and timeliness statistics, threat modeler including providing supplementary tactical threat intelligence information and context, and privacy practice assessment that layers onto and assesses an operator's privacy business context (i.e., the inherent risk model may be displayed to the operator. The model may be used to prepare visual aids of various trends, for example, historical trends, maximum threat per threat category graphs, aggregate threat per threat category graphs, and/or top 5 threat scenarios, ¶ 0059, wherein the inherent risk model may be used to automatically address inherent risk. For example, if the inherent risk is determined to be above a certain threshold value, related assets or record type association with high inherent risk may be automatically reduced. In another example, if the inherent risk is above a certain threshold value, monitoring or blocking software to target the related threat may be automatically implemented by the system, ¶ 0060).
As per claim 26, Vescio discloses presenting the identified risk to an operator of the existing information systems, presenting risk remediation options, to enable them to make informed business decision on risk treatment investments (i.e., the inherent risk model may be displayed to the operator. The model may be used to prepare visual aids of various trends, for example, historical trends, maximum threat per threat category graphs, aggregate threat per threat category graphs, and/or top 5 threat scenarios, ¶ 0059, wherein the inherent risk model may be used to automatically address inherent risk. For example, if the inherent risk is determined to be above a certain threshold value, related assets or record type association with high inherent risk may be automatically reduced. In another example, if the inherent risk is above a certain threshold value, monitoring or blocking software to target the related threat may be automatically implemented by the system, ¶ 0060).
As per claim 27, Vescio discloses generating and displaying a visualization of forecast for the identified risk in different representations, including comparison in relation to client risk tolerances (i.e., AI may be used to provide automatic insights, including, but not limited to, deviations between predictive values and actual values for threat, impact, inherent risk, residual risk, expected loss, and/or loss ratios. Deviations for one or more of the preceding may be calculated and may be displayed to the user in a ranked order, ¶ 0110).
As per claim 28, Vescio discloses the visualization is presented on a per risk basis or a per risk subset basis (i.e., AI may be used to provide automatic insights, including, but not limited to, deviations between predictive values and actual values for threat, impact, inherent risk, residual risk, expected loss, and/or loss ratios. Deviations for one or more of the preceding may be calculated and may be displayed to the user in a ranked order, ¶ 0110).
As per claim 29, Vescio discloses prioritizing information security initiatives corresponding to the identified risk (i.e., Module replication (or what-if simulations) may empower the operator to anticipate potential changes, forecast future cyber risk, rank controls based on most expected loss improvement, and many other changes that allow for the best allocation of finite budget and other finite enterprise resources, ¶ 0093).
As per claim 30, Vescio discloses computing and displaying expenditures, annual loss expectancy, return on investment, based on control projections and cost estimations, and a comparison to other organization in a same industry as a client, for the identified risk (i.e., a replication of the control effectiveness model provides a means to understand how a control change would alter downstream results for reducing and addressing cyber risk before the change takes place. Module replication (or what-if simulations) may empower the operator to anticipate potential changes, forecast future cyber risk, rank controls based on most expected loss improvement, and many other changes that allow for the best allocation of finite budget and other finite enterprise resources, ¶ 0093).
As per claim 31, Vescio discloses simulating how an outsourced service or project is likely to improve a client’s information security posture with respect to the identified risk (i.e., module replication may provide a means of conducting what-if simulations. As an example, a replication of the impact model provides a means to understand how a confidentiality, integrity, and availability change would alter downstream results for reducing and addressing cyber risk before the change takes place, ¶ 0093).
Claim 32 is rejected based upon the same rationale as the rejection of claim 1, since it is the system claim corresponding to the method claim.
Claim 33 is rejected based upon the same rationale as the rejection of claim 1, since it is the computer readable storage medium claim corresponding to the method claim.
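The risk-scenario model, threshold-triggered treatment and what-if control ranking the examiner cites from Vescio (¶ 0026, ¶ 0060, ¶ 0093 and ¶ 0099, relied on for claims 1, 10, 15, 20, 29 and 30 above) can be illustrated with a small constructed Python model. This is an added example, not code from Vescio, Duessel or the application under examination; every threat category, asset group, control, numeric value and formula in it is an assumption chosen for illustration.

```python
"""Constructed illustration of a risk-scenario model with what-if control
ranking, in the spirit of the passages of Vescio cited in the Office action.
All names, numbers and formulas are assumptions; none of this is code from
Vescio, Duessel or the application under examination."""
from itertools import product

# Annual likelihood per threat category (constructed values, in the role of
# the industry threat baseline of paragraph 0036).
THREAT_BASELINE = {"web_app_attack": 0.30, "pos_intrusion": 0.10, "phishing": 0.25}

# Loss magnitude per asset group in currency units (constructed).
ASSET_LOSS = {"servers": 500_000.0, "user_devices": 120_000.0}

# Control effectiveness grid: fraction of a threat category a fully
# implemented control removes (constructed, in the role of paragraph 0072).
CONTROL_GRID = {
    "waf": {"web_app_attack": 0.60},
    "mfa": {"phishing": 0.50, "pos_intrusion": 0.20},
    "edr": {"phishing": 0.30, "pos_intrusion": 0.40},
}

# Current implementation level of each control, 0.0 .. 1.0 (constructed).
IMPLEMENTATION = {"waf": 0.5, "mfa": 0.4, "edr": 0.7}


def risk_scenarios():
    """Risk scenarios are the cross section of threat categories and asset
    groups (paragraph 0026): 3 categories x 2 groups = 6 scenarios."""
    return list(product(THREAT_BASELINE, ASSET_LOSS))


def inherent_risk():
    """Inherent risk per scenario before any control: likelihood x loss."""
    return {(t, a): THREAT_BASELINE[t] * ASSET_LOSS[a] for t, a in risk_scenarios()}


def scenarios_above(threshold):
    """Scenarios whose inherent risk exceeds a threshold, the trigger that
    paragraph 0060 uses for automatic risk treatment."""
    return sorted(s for s, r in inherent_risk().items() if r > threshold)


def residual_likelihood(threat, implementation):
    """Layered controls: the event survives only if every control fails, so
    the residual likelihood multiplies (1 - effectiveness x implementation)
    per control (assumed formula for the 'both controls occur' calculation)."""
    p = THREAT_BASELINE[threat]
    for control, grid in CONTROL_GRID.items():
        p *= 1.0 - grid.get(threat, 0.0) * implementation[control]
    return p


def expected_loss(implementation):
    """Residual expected loss summed over all risk scenarios."""
    return sum(
        residual_likelihood(t, implementation) * ASSET_LOSS[a]
        for t, a in risk_scenarios()
    )


def rank_controls(implementation, assumed_value=1.0):
    """Module replication / what-if simulation (paragraphs 0093, 0099): for
    each control in turn, replace its implementation with the assumed value,
    recalculate, restore it, and rank controls by expected loss improvement."""
    baseline = expected_loss(implementation)
    improvement = {}
    for control in implementation:
        trial = dict(implementation)          # working copy of the model
        trial[control] = assumed_value        # step 804: replace one control
        improvement[control] = baseline - expected_loss(trial)  # step 806
        # step 808: the original model is untouched; the copy is discarded
    return sorted(improvement.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("scenarios above 100k inherent risk:", scenarios_above(100_000))
    print(f"current expected loss: {expected_loss(IMPLEMENTATION):,.0f}")
    for control, gain in rank_controls(IMPLEMENTATION):
        print(f"{control}: expected loss improvement {gain:,.0f}")
```

With the constructed values the ranking puts the web application firewall first, because the highest-likelihood threat category is covered by only one control and that control is half implemented.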
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 5-8 are rejected under 35 U.S.C. 103 as being unpatentable over Vescio (US 20230122830 A1), in view of Duessel (US 20220366332 A1).
As per claim 5, Vescio does not disclose a multipartite graph comprising nodes representing risks, controls and/or assets, and edges representing relationships between the nodes.
Duessel discloses based on the information provided a graph is built which consists of nodes and edges. Nodes represent assets (e.g., users, laptops, servers, databases, network devices, mobile devices and Internet-of-Things devices) while edges represent relationships between nodes which includes but is not limited to network communication between devices, access of users to individual devices, relationships between individual users. Graph nodes are associated with node type specific attributes (¶ 0071).
Vescio and Duessel are concerned with effective risk management. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include a multipartite graph comprising nodes representing risks, controls and/or assets, and edges representing relationships between the nodes in Vescio, as seen in Duessel, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
As per claim 6, Vescio does not disclose traversing the risk model’s graph structures to identify risk entries for risk simulations; and populating information in the risk entries at least in part from a risk profile associated with the existing information systems.
Duessel discloses that during each iteration the computer program iterates through each identified path and determines the risk level of each node in the path of the network graph based on the sampled likelihood of threats applicable to the node and the sampled current assurance levels of each control applicable to individual threat vectors (¶ 0076).
Vescio and Duessel are concerned with effective risk management. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include traversing the risk model’s graph structures to identify risk entries for risk simulations; and populating information in the risk entries at least in part from a risk profile associated with the existing information systems in Vescio, as seen in Duessel, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
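As an added illustration of the two Duessel passages relied on above (the asset/edge graph of ¶ 0071 and the per-iteration path traversal with sampled threat likelihoods and control assurance levels of ¶ 0076), the following sketch is example code written for this record; it is not code from the application, Vescio or Duessel, and the asset names, threats, controls and numeric ranges are constructed.

```python
import random
from math import prod

# Constructed sample graph: assets as nodes, directed edges as network communication.
ASSETS = ["laptop", "server", "database"]
EDGES = [("laptop", "server"), ("server", "database")]
# Threats applicable to each asset, with a (min, max) likelihood range sampled per iteration.
THREATS = {
    "laptop": {"phishing": (0.2, 0.5)},
    "server": {"exploit": (0.1, 0.3)},
    "database": {"exfiltration": (0.05, 0.2)},
}
# Controls applicable to each threat, with a (min, max) current-assurance range.
CONTROLS = {
    "phishing": {"mfa": (0.6, 0.9)},
    "exploit": {"patching": (0.5, 0.8)},
    "exfiltration": {},
}

def find_paths(start, end, edges):
    """Enumerate simple paths from start to end over the directed edges (iterative DFS)."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == end:
            paths.append(path)
            continue
        for nxt in adj.get(node, []):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths

def sample_node_risk(rng, node, threats=THREATS, controls=CONTROLS):
    """One sample of a node's risk: P(at least one applicable threat succeeds), where each
    threat's sampled likelihood is reduced by the sampled assurance of its controls."""
    survive = 1.0
    for threat, (lo, hi) in threats.get(node, {}).items():
        likelihood = rng.uniform(lo, hi)
        for _ctrl, (clo, chi) in controls.get(threat, {}).items():
            likelihood *= 1.0 - rng.uniform(clo, chi)
        survive *= 1.0 - likelihood
    return 1.0 - survive

def simulate(start, end, iterations=2000, seed=1, threats=THREATS, controls=CONTROLS):
    """Monte Carlo traversal: for each iteration, walk every path and re-sample each node's
    risk; return the mean risk per path (a path is compromised if any node on it is)."""
    rng = random.Random(seed)
    paths = find_paths(start, end, EDGES)
    totals = [0.0] * len(paths)
    for _ in range(iterations):
        for i, path in enumerate(paths):
            node_risks = [sample_node_risk(rng, n, threats, controls) for n in path]
            totals[i] += 1.0 - prod(1.0 - r for r in node_risks)
    return {tuple(p): t / iterations for p, t in zip(paths, totals)}
```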
As per claim 7, Vescio discloses the risk profile is customizable by an operator of the existing information systems (i.e., The system for addressing threat 100 may include a data defined industry baseline 102 and a data defined industry threat modifier 104 which may make up historical and cyber risk intelligence threat data 106. The system for addressing threat may further include operator defined industry selection data 108, operator defined asset applicability 110, and operator defined threat modifier data 112, which may make up operator threat input data 114, ¶ 0033).
As per claim 8, Vescio discloses the risk profile includes templated risk-profile likelihood parameters per risk categorization and per North American Industry Classification System (NAICS) categorization, wherein the risk-profile likelihood parameters are customizable per client context, and wherein data for the risk-profile likelihood parameters includes ranges for controls (i.e., industry threat baseline may be based on an industry vertical, and historical and cyber risk intelligence data may be used to determine an annual threat baseline for each industry vertical amongst each of the threat categories. The industry verticals may be based on external sources, for example the verticals may align with NAICS codes, ¶ 0034).
Conclusion
The prior art made of record and not relied upon, listed in the PTO-892, considered pertinent to applicant's disclosure, discloses security risk analysis and management.
- Abraham et al. (A predictive framework for cyber security analytics using attack graphs) disclose a stochastic security framework for obtaining quantitative measures of security by taking into account the dynamic attributes associated with vulnerabilities that can change over time.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDRE D BOYCE whose telephone number is (571)272-6726. The examiner can normally be reached M-F 10a-6:30p.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao (Rob) Wu can be reached at (571) 272-6045. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ANDRE D BOYCE/Primary Examiner, Art Unit 3623 January 10, 2026