In December 2008, I posted a short article on Red Team Journal discussing a simple hierarchical model of surprise. I divided the elements of surprise into three levels: strategic (who, why); operational (how, what); and tactical (when, where). If you view the model as a pyramid, the strategic level is the base, the operation level is the middle, and the tactical level is the apex. As I observed at the time, ” … a red team will probably not anticipate elements of a higher level correctly if it misreads elements of a lower level. Conversely, a red team that correctly identifies elements of a lower level is more likely to anticipate elements of a higher level.”
For example, if you understand the who and the why, you are more likely to be able to identify the how and the what. Most red teams will not (and probably should not) address the when and the where; the number of possibilities expands tree-like as you move from the strategic to the operational to the tactical, and the tactical is very difficult to anticipate without specific intelligence.