Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claim 1 is currently pending.
Claim Rejections - 35 USC § 112
Claim 1 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant) regards as the invention, because the claim language in the receiving step, “in real-time responsive in receiving the selection”, is considered unclear as to what timing limitation or threshold interval qualifies as “real-time” so as to particularly distinguish the claimed subject matter over modern high-speed computing technology, thereby rendering the scope of the claim(s) unascertainable. See MPEP § 2173.05(d). Any other claims not addressed are rejected by virtue of their dependency.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claim 1 is rejected under 35 U.S.C. 102(a)(2) as being anticipated by Seiver et al. (U.S. Patent 9,648,036).
As per claim 1, Seiver teaches a system for assessing cyber security vulnerability of an enterprise, comprising:
processing circuitry (Seiver: Col. 22 Line 55 – 6); and
a non-transitory computer readable medium having instructions stored thereon, wherein the instructions, when executed on the processing circuitry, cause the processing circuitry to (Seiver: Col. 22 Line 47 – 54)
obtain assessment data comprising information pertaining to a plurality of domains of cybersecurity vulnerability of the enterprise (Seiver: Figure 16 / E-1600 & Col. 22 Line 4 – 8 / Line 31 – 40:
(a) determining a security domain of a plurality of security domains associated with an enterprise entity and providing a respective survey with a list of questions (i.e. questionnaire) associated with a company to the users, wherein
(b) the plurality of security domains of cybersecurity vulnerability (Figure 16 / E-1600) of the enterprise can include, for example, (i) a domain at the network device (node) level, (ii) a domain at the specific user account level (Col. 19 Line 48 – 50), (iii) a domain at the access rights (privileged permission) level (Col. 22 Line 35 – 40), (iv) a domain at the overall user account level (Col. 19 Line 52 – 55), (v) a domain at the overall system (network) level (Col. 19 Line 57 – 61), etc.,
(c) so as to evaluate an insurance cost associated with the cyber security risks – this is also consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0199] Line 2 – 4: projecting cyber insurance cost across a number of security domains based on the answers from users to a list of questions),
determine, for each domain of the plurality of domains, a respective domain-level vulnerability score based on the information of the assessment data pertaining to the respective domain (Seiver: see above & Col. 18 Line 46 – 49 and Col. 19 Line 48 – 61: calculating a domain compromise risk value (i.e. domain-level vulnerability score) for each of a plurality of security domains of cybersecurity associated with an enterprise (Figure 16 / E-1600), including (i) a domain at the network device (node) level (Col. 19 Line 48 – 50), (ii) a domain at the specific user account level (Col. 19 Line 48 – 50), (iii) a domain at the access rights (privileged permission) level (Col. 22 Line 35 – 40), (iv) a domain at the overall user account level (Col. 19 Line 52 – 55), (v) a domain at the overall system (network) level (Col. 19 Line 57 – 61), etc.),
identify, for at least one domain of the plurality of domains, one or more risks relevant to the enterprise based upon at least one of the domain-level vulnerability score and the assessment data pertaining to the respective domain (Seiver: see above & FIG. 16, Col. 22 Line 26 – 40, Col. 32 Line 24 – 26 and Col. 47 Line 45:
(a) a domain-level risk exposure value, as a compromise risk value (i.e. vulnerability score(s)) representing an enterprise numeric quantification (as recited in CLAIM 15), can be determined (e.g.) on a per security domain basis, such as the access rights control security domain, etc., and
(b) a weighting factor can be assigned to each of the risk values associated with the vulnerability score(s) within each of the security domains (Seiver: Col. 32 Line 24 – 26 & Col. 47 Line 45) – risks – this is also consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0125]: using a domain-level weight as a fractional or integer value as needed as a basis for calculating vulnerability score(s)),
identify, based on the one or more risks, one or more recommended products or services for mitigating each of the one or more risks (Seiver: see above & FIG. 16 / E-1606, Col. 32 Line 11 – 32, Col. 21 Line 6 – 28, Col. 58 Line 51 – 67 & Col. 28 Line 22 – 26: the security system can present different options (recommendations) of respective software products or services (e.g. Sophos (anti-virus) software) to the users w.r.t. mitigation (reduction) of risk values to improve the system vulnerability as needed, such that the user can select the desired option(s), wherein different mitigation options are identified as highly recommended options w.r.t. urgency to the enterprise within a list of TOP INVESTMENTS, including (i) purchasing (recommending) a respective software product or service on a priority basis as needed (Figure 16 / E-1606), (ii) deploying patches on vulnerable applications, as well as implementing N-factor authentication, reducing enabled high-privilege accounts, etc.),
prepare, for presentation to a representative of the enterprise at a remote computing device, a first graphical user interface for selecting each of the one or more recommended products or services (Seiver: see above),
receive, from the remote computing device through interaction with the first graphical user interface, selection of at least one product or service of the one or more recommended products or services (Seiver: see above & FIG. 16, Col. 58 Line 56 – 58, Col. 21 Line 6 – 28, Col. 32 Line 11 – 32 & Col. 28 Line 22 – 26: the system can present different options (recommendations) to the users via the user interface w.r.t. the mitigation (reduction) of risk values, such that the user can select the desired option(s) from the recommended mitigation options), and in real time responsive to receiving the selection,
(i) apply one or more adjusted values to the assessment data based upon the at least one product or service to obtain prospective assessment data (Seiver: see above & Figure 15 / E-1510 – 3rd Entry, Figure 16 / E-1606, Col. 29 Line 58 – 62 and Col. 22 Line 35 – 40:
(a) applying an improvement of different mitigations across different security issues on a plurality of security domains, and a recommendation by an expert of the insurance provider, such as a recommendation of adding Sophos (anti-virus) software to improve baseline security – as a first prerequisite recommended product or service and a typical mitigation option (Seiver: Figure 15 / E-1510 – 3rd Entry & Col. 22 Line 35 – 40) – i.e. Sophos as one of the respective responsible parties (providing services after deploying the security products), and wherein
(b) determining eligibility of a company for the Sophos (anti-virus) product upon assessing that a risk value would be increased significantly if the company (or a network device) does not run anti-virus software, and assigning a weight to a respective compromise vulnerability value (Seiver: Col. 29 Line 58 – 62)),
(ii) calculate, using the prospective assessment data, a prospective domain-level vulnerability score representing the vulnerability score in a respective domain of the plurality of domains impacted by application of the at least one recommended product or service (Seiver: see above & Col. 18 Line 46 – 49 and Col. 19 Line 48 – 61: calculating a domain compromise risk value (i.e. domain-level vulnerability score) for each of a plurality of security domains of cybersecurity associated with an enterprise (Figure 16 / E-1600), including (i) a domain at the network device (node) level (Col. 19 Line 48 – 50), (ii) a domain at the specific user account level (Col. 19 Line 48 – 50), (iii) a domain at the access rights (privileged permission) level (Col. 22 Line 35 – 40), (iv) a domain at the overall user account level (Col. 19 Line 52 – 55), (v) a domain at the overall system (network) level (Col. 19 Line 57 – 61), etc.), and
(iii) prepare, for presentation to the representative at the remote computing device, a second graphical user interface (see above), comprising:
an illustration of the improvement in vulnerability score between the vulnerability score of the respective domain and the prospective domain-level vulnerability score of the respective domain (Seiver: see above & Figure 16 / E-1606).
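The claimed pipeline mapped above (per-domain weighted vulnerability scores, risk identification from those scores, recommendations tied to each risk, adjusted assessment data after a selection, and a prospective score showing the improvement) is illustrated by the following added example. It is not code from the Office action, the applicant's specification or the Seiver patent; the domain names, control names, weights, the 30-point risk threshold and the recommendation catalogue are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Control:
    """One answered questionnaire item: a weighted control that is or is not in place."""
    name: str
    weight: float
    implemented: bool

# Constructed sample assessment data for three hypothetical security domains.
ASSESSMENT = {
    "endpoint": [Control("antivirus_deployed", 3.0, False),
                 Control("patching_current", 2.0, True)],
    "identity": [Control("mfa_enabled", 3.0, False),
                 Control("privileged_accounts_minimised", 2.0, False)],
    "network":  [Control("segmentation", 2.0, True),
                 Control("perimeter_firewall", 1.0, True)],
}

# Hypothetical catalogue mapping a failed control to a mitigating product or service.
RECOMMENDATIONS = {
    "antivirus_deployed": "endpoint anti-malware product",
    "mfa_enabled": "multi-factor authentication service",
    "privileged_accounts_minimised": "privileged access management service",
    "patching_current": "managed patching service",
}

def domain_score(controls):
    """Domain-level vulnerability score: weighted share of controls NOT in place, on a 0..100 scale."""
    total = sum(c.weight for c in controls)
    if total <= 0:
        return 0.0  # an empty or zero-weight domain carries no measurable exposure
    missing = sum(c.weight for c in controls if not c.implemented)
    return round(100.0 * missing / total, 1)

def score_all(assessment):
    """Compute the score for every domain in the assessment data."""
    return {domain: domain_score(controls) for domain, controls in assessment.items()}

def identify_risks(assessment, threshold=30.0):
    """Risks: each unimplemented control in any domain whose score exceeds the (assumed) threshold."""
    risks = []
    for domain, controls in assessment.items():
        if domain_score(controls) > threshold:
            risks.extend((domain, c.name) for c in controls if not c.implemented)
    return risks

def recommend(risks):
    """Attach a recommended product or service to each identified risk (first GUI's choices)."""
    return [(domain, ctrl, RECOMMENDATIONS[ctrl])
            for domain, ctrl in risks if ctrl in RECOMMENDATIONS]

def apply_selection(assessment, selected_controls):
    """Prospective assessment data: a copy in which the selected controls are treated as in place.
    The original data is left untouched so the current and prospective scores can be compared."""
    return {domain: [Control(c.name, c.weight, c.implemented or c.name in selected_controls)
                     for c in controls]
            for domain, controls in assessment.items()}

def improvement_report(assessment, selected_controls):
    """Data behind the second GUI: (current, prospective, improvement) per affected domain."""
    before = score_all(assessment)
    after = score_all(apply_selection(assessment, selected_controls))
    return {domain: (before[domain], after[domain], round(before[domain] - after[domain], 1))
            for domain in before if before[domain] != after[domain]}

if __name__ == "__main__":
    print("current scores:", score_all(ASSESSMENT))
    options = recommend(identify_risks(ASSESSMENT))
    print("recommended:", options)
    chosen = {"antivirus_deployed", "mfa_enabled"}  # the representative's selection
    print("improvement:", improvement_report(ASSESSMENT, chosen))
```

The scoring is deliberately a normalised weighted sum so that a domain with every control in place scores 0 and one with none scores 100; a domain in which a selection changes nothing is left out of the report, which is what a representative comparing before and after would expect to see.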
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild, can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
---------------------------------------------------
/Longbit Chai/
Longbit Chai E.E. Ph.D.
Primary Examiner, Art Unit 2431
No. #2589 – 2026