Beside the who, the how and the where - security is a lot about the "when".
In the best of worlds, you will be able to deter an adversary from even trying to compromise your system.
If not, can you prevent the attack from succeeding?
If not, can you detect the intrusion in a timely fashion?
Once detected, can you contain the attacker and prevent a wider compromise?
Finally, can you swiftly restore your system to agreed service levels?
Better get the chronology straight. Security is a lot about timing.