I tend to believe that security awareness sits in the Tactical level as it receives the requirements from the strategic level and then devises its own planning to provide training and education down to the Operational level.

As the SOC sits at the Tactical level as well, we can also imagine that the continuous monitoring, threat intelligence, and incident response capabilities also are at this level.

As depicted in the following diagram, each of these capabilities helps shape the Security State Analysis of the InfoSec spider.

It is also at this level where Data Exposure and Sharing is done between the services so that they are all in tune with one another:

But how are these services connected to each other? They are all connected by how they view events and incidents.