Are Your Organization’s Critical Assets Five Steps or Fewer from A Cyber Attacker?