Timely risk assessments allow organizations to gauge the degree to which cyber attacks threaten their mission/business objectives. Risk plots in such assessments typically include cyber attack likelihood values along with the impact. This paper describes an algorithm and an associated model that allow for estimation of one aspect of cyber attack likelihood, attack level of effort. The approach involves the use of an ordinal set of standardized attacker tiers, associated attacker capabilities, and protections (security controls) required to resist those capabilities.