Context is key for cybersecurity: leveraging external knowledge for process model explanation via LLMs
摘要
The gap between operational process design and the security regulation requirements represents a critical and underexplored source of cybersecurity risk. Business process models provide structured representations of system behavior but are routinely abstracted from external knowledge, including industry standards, organizational policies, and domain constraints, which are required to assess their security posture and verify regulatory compliance. To address this, we propose a Security by Design framework that leverages Large Language Models (LLMs) to systematically integrate structured process models with unstructured external knowledge for automated process explanation and compliance checking. Our approach combines BPMN process models with external security standards (ISO 27001 [International Organization for Standardization and International Electrotechnical Commission. [ISO/IEC 27001:2022] – Information security management systems – Requirements. ISO/IEC, Geneva, Switzerland, 2022. Fourth edition. Available from www.iso.org] and IEC 62443-3-3 [International Electrotechnical Commission. IEC 62443-3-3:2013 – Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels. IEC, Geneva, Switzerland, 2013. First edition. Available from www.iec.ch]) using a modular prompting architecture. We evaluate the framework using the LLM-as-a-Judge methodology on two real-world Industrial Internet of Things (IIoT) use cases, demonstrating accurate, contextually grounded results. We further introduce a four-part error typology to characterize model limitations in compliance-critical settings. While results are promising, human expert validation remains essential for nuanced regulatory interpretation. This work provides a methodological foundation for transparent, proactive cybersecurity by embedding context-aware compliance checks directly into the system design process.