Where Conventional Security Control Validation Falls Short When Evaluating Organizational Threats