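% Citation information for SecureBPMN: three references, each given as a
% plain-text citation followed by its BibTeX entry. Text outside the entries
% is ignored by BibTeX.
%
% Notes for users of the entries:
%   - The abstracts use the macros \ie and \eg, which are not defined by
%     LaTeX itself; define them in the document if a style prints abstracts.
%   - abstract_de, title_de, pdf and mycopyrighturl are non-standard fields
%     that standard styles silently ignore.
%   - The pdf and url fields are plain-http links to author-hosted copies;
%     the doi field identifies the published version.

To cite the SecureBPMN language in publications, please use

  Achim D. Brucker. Integrating Security Aspects into Business Process
  Models. In it - Information Technology, 55 (6), pages 239-246, 2013.
  doi:10.1524/itit.2013.2004

A BibTeX entry for LaTeX users is

@Article{ brucker:securebpmn:2013,
  abstract       = {Modern enterprise systems are often process-driven and, thus, rely heavily on process-aware information systems. In such systems, high-level process-models play an important role both for communicating business requirements between domain experts and system experts as well as basis for the system implementation. Since several years, enterprise system need to fulfil an increasing number of the security and compliance requirements. Thus, there is an increasing demand for integrating high-level security and compliance requirements into process models, \ie, a common language for domain experts, system experts, and security experts.\\\\We present a security modelling language, called SecureBPMN, that can easily be integrated into business process modelling languages. In this paper, we exemplary integrate SecureBPMN into BPMN and, thus, present a common language for describing business process models together with their security and compliance requirements.},
  abstract_de    = {Moderne Unternehmensanwendungen m{\"u}ssen die Unternehmen dabei unterst{\"u}tzen, ihre Gesch{\"a}ftsprozesse effizient auszuf{\"u}hren. In solchen Anwendungen spielen abstrakte Gesch{\"a}ftsprozessmodelle eine zentrale Rolle. Die Gesch{\"a}ftsprozessmodelle werden f{\"u}r die Kommunikation zwischen Gesch{\"a}fts- und IT-Experten genutzt und dienen dar{\"u}ber hinaus als Basis f{\"u}r die Implementierung der Unternehmensanwendungen. Seit einigen Jahren m{\"u}ssen Unternehmensanwendungen einer steigenden Anzahl von Sicherheits- und Compliance-Anforderungen gen{\"u}gen. Hieraus ergibt sich ein gesteigerte Bed{\"u}rfnis nach der Integration von Sicherheits- und Compliance-Anforderungen in die Gesch{\"a}ftsprozessmodelle.\\\\In diesem Artikel stellen wir die Modellierungssprache SecureBPMN vor, welche es erlaubt, Sicherheitsanforderungen im Kontext von Gesch{\"a}ftsprozessmodelle zu spezifizieren.},
  author         = {Brucker, Achim D.},
  doi            = {10.1524/itit.2013.2004},
  issn           = {2196-7032},
  journal        = {it - Information Technology},
  keywords       = {Management of Computing and Information Systems, SecureBPMN, BPMN, Break-Glass, Break-the-Glass},
  language       = {USenglish},
  month          = dec,
  note           = {Special Issue on ``Security in Business Processes.''},
  number         = {6},
  pages          = {239--246},
  pdf            = {http://www.brucker.ch/bibliography/download/2013/brucker-securebpmn-2013.pdf},
  publisher      = {Oldenbourg Wissenschaftsverlag},
  title          = {Integrating Security Aspects into Business Process Models},
  title_de       = {Integration von Sicherheitsaspekten in Gesch{\"a}ftsprozessmodelle},
  url            = {http://www.brucker.ch/bibliography/abstract/brucker-securebpmn-2013},
  volume         = {55},
  year           = {2013},
}

To cite the formal analysis of SecureBPMN models, please use

  Achim D. Brucker, Luca Compagna, and Pierre Guilleminot. Compliance
  Validation of Secure Service Compositions. In Secure and Trustworthy
  Service Composition: The Aniketos Approach. Lecture Notes in Computer
  Science: State of the Art Surveys (8900), pages 136-149, Springer-Verlag,
  2014. doi:10.1007/978-3-319-13518-2_10

A BibTeX entry for LaTeX users is

@InCollection{ brucker.ea:aniketos-compliance:2014,
  abstract       = {The Aniketos Secure Composition Framework supports the specification of secure and trustworthy composition plans in term of BPMN\@. The diversity of security and trust properties that is supported by the Aniketos framework allows, on the one hand, for expressing a large number of security and compliance requirements. On the other hand, the resulting expressiveness results in the risk that high-level compliance requirements (\eg, separation of duty) are not implemented by low-level security means (\eg, role-based access control configurations).\\\\In this chapter, we present the Composition Security Validation Module (CSVM). The CSVM provides a service for checking the compliance of secure and trustworthy composition plans to the service designer. As proof-of-concept we created a prototype in which the CSVM module is deployed on the SAP NetWeaver Cloud and two CSVM Connectors are built supporting two well-known BPMN tools: SAP NetWeaver BPM and Activiti Designer.},
  address        = {Heidelberg},
  author         = {Brucker, Achim D. and Compagna, Luca and Guilleminot, Pierre},
  booktitle      = {Secure and Trustworthy Service Composition: The Aniketos Approach},
  doi            = {10.1007/978-3-319-13518-2_10},
  editor         = {Brucker, Achim D. and Dalpiaz, Fabiano and Giorgini, Paolo and Meland, Per H{\aa}kon and Rios, Erkuden},
  isbn           = {978-3-319-13517-5},
  keywords       = {Validation, Security, BPMN, SecureBPMN, Compliance},
  number         = {8900},
  pages          = {136--149},
  pdf            = {http://www.brucker.ch/bibliography/download/2014/brucker.ea-aniketos-compliance-2014.pdf},
  publisher      = {Springer-Verlag},
  series         = {Lecture Notes in Computer Science: State of the Art Surveys},
  title          = {Compliance Validation of Secure Service Compositions},
  url            = {http://www.brucker.ch/bibliography/abstract/brucker.ea-aniketos-compliance-2014},
  year           = {2014},
}

To cite the SecureBPMN tool-chain, please use

  Achim D. Brucker, Isabelle Hang, Gero Lückemeyer, and Raj Ruparel.
  SecureBPMN: Modeling and Enforcing Access Control Requirements in
  Business Processes. In ACM symposium on access control models and
  technologies (SACMAT), pages 123-126, ACM Press, 2012.
  doi:10.1145/2295136.2295160

A BibTeX entry for LaTeX users is

@InProceedings{ brucker.ea:securebpmn:2012,
  abstract       = {Modern enterprise systems have to comply to regulations such as Basel III resulting in complex security requirements. These requirements need to be modeled at design-time and enforced at runtime. Moreover, modern enterprise systems are often business-process driven, i. e., the system behavior is described as high-level business processes that are executed by a business process execution engine.\\\\Consequently, there is a need for an integrated and tool-supported methodology that allows for specifying and enforcing compliance and security requirements for business process-driven enterprise systems.\\\\In this paper, we present a tool chain supporting both the design-time modeling as well as the run-time enforcement of security requirements for business process-driven systems.},
  address        = {New York, NY, USA},
  author         = {Brucker, Achim D. and Hang, Isabelle and L{\"u}ckemeyer, Gero and Ruparel, Raj},
  booktitle      = {ACM symposium on access control models and technologies (SACMAT)},
  copyright      = {ACM},
  doi            = {10.1145/2295136.2295160},
  isbn           = {978-1-4503-1295-0},
  language       = {USenglish},
  location       = {Newark, USA},
  mycopyrighturl = {http://dl.acm.org/authorize?6705782},
  pages          = {123--126},
  pdf            = {http://www.brucker.ch/bibliography/download/2012/brucker.ea-securebpmn-2012.pdf},
  publisher      = {ACM Press},
  title          = {{SecureBPMN}: Modeling and Enforcing Access Control Requirements in Business Processes},
  url            = {http://www.brucker.ch/bibliography/abstract/brucker.ea-securebpmn-2012},
  year           = {2012},
}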