SecBPMN-GPT: A Hybrid LLM & Rule-Based Framework for Automating Security Annotation in Business Process Models

Secure-by-design business process modeling requires the explicit integration of security requirements into process models, yet this remains largely manual. The Security Business Process Model and Notation (SecBPMN) standard provides a formal means of expressing such constraints but lacks scalable automation methods. This thesis presents an end-to-end hybrid framework that combines rule-based and large language models (LLMs) to automate the extraction and generation of SecBPMN annotations from natural-language process descriptions. The proposed pipeline integrates process normalization, LLM-driven constraint extraction, LLM-based schema mapping, and reconstruction into valid SecBPMN XML models, effectively bridging the gap between unstructured text and formal security representations. The framework was evaluated on 27 text–SecBPMN pairs using three annotation strategies such as Prompt Engineering, Retrieval-Augmented Generation (RAG), and STS-ML guidance extraction across GPT-4.1-mini and Mistral-small models. Post-mapping schema enforcement improved both accuracy and structural validity, increasing average F1-scores by 8–12% and reducing spurious annotations by nearly 50%. GPT-4.1-mini achieved the highest accuracy (F1 = 0.715 for simple processes), while Mistral-small demonstrated superior efficiency and lower latency. Correlation analysis between objective metrics and LLM-as-Judge evaluations revealed strong alignment, indicating that language models can act as consistent evaluators of annotation quality. Compared with human experts, the SecBPMN-GPT framework achieved higher annotation accuracy (F1 = 0.516) while reducing annotation time by 95%. Overall, the results demonstrate that the proposed hybrid LLM– and rule-based framework advances the automation of security annotation in business process models, offering a scalable foundation for secure-by-design process engineering and opening pathways toward intelligent, regulation-aware workflow generation in future systems.