This white paper discusses the importance of modeling cyber risk for businesses. It is essential for any business to rethink how to best model its cyber risk, with the goal of illuminating blind spots instead of missing them. We explain three attributes of cyber risk, and why frequency-severity models are limited due in part to their faulty underlying assumptions. The report also argues that causal modeling is more appropriate for complex risks such as cyber. Scenarios of a state-backed adversarial attack and a phishing defense serve as examples.