So when I think of the PoP, I think of how I can cause the most disruption to the adversary, with the least amount of pain to my team. IMHO, looking at the PoP by itself when evaluating IOCs/signatures is like only looking at vulnerability exposure when evaluating risk.
Brainstorming other factors that I would consider when evaluating the value of a particular IOC:
1: Effort/Speed to create
2: Effort/Speed to deploy
3: Effort/Speed to analyze
A reputation indicator like an IP address or domain name may not have the greatest impact by itself, but if I can quickly create, deploy, and analyze it, then it could have a great impact to the adversary as a whole. Of course, if one or many of those efforts has a significant cost to it (which is often the case with reputation based indicators), then the value of the IOC lessens respectively. At that point, I may choose not to leverage the indicator until a means to better create/deploy/analyze becomes available.
Redundancy/coverage may be another factor to consider. When evaluating a broad indicator, like the use of a custom RAT, it can have many sub-indicators: network protocol, hash of the binary, host remnants, C2 address, etc. I may be able to quickly push out detection of the current known C2 address, so it's more valuable initially. Later, when I acquire the malware or get a sample of the network traffic, its value may lessen as I create detection for identifying the malware on a host or communicating on the wire. Thoughts?
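One way to make the scoring the commenter sketches concrete, as an added example that is not part of the comment or the original post: each indicator carries a Pyramid of Pain level plus the three effort factors (create, deploy, analyze), and its value is disruption per hour of team effort. Indicators belonging to the same broad campaign (the custom RAT) are discounted once a deployed sibling already sits at the same or a higher pyramid level, which models the "C2 address matters less after I have the wire/host signature" point. The level weights, the discount factor and the sample RAT portfolio are all assumptions constructed for illustration; nothing in the thread supplies numbers.

```python
from dataclasses import dataclass
from typing import List

# Assumed relative disruption per Pyramid of Pain level (constructed weights).
PAIN_LEVEL = {
    "hash": 1,
    "ip": 2,
    "domain": 3,
    "network_artifact": 4,
    "host_artifact": 4,
    "tool": 5,
    "ttp": 6,
}

REDUNDANCY_DISCOUNT = 0.25  # assumed: value kept when covered higher up already


@dataclass
class Indicator:
    name: str
    level: str            # key into PAIN_LEVEL
    campaign: str         # broad indicator this is a sub-indicator of
    create_hours: float   # effort to write the detection
    deploy_hours: float   # effort to push it to sensors
    analyze_hours: float  # effort to triage what it produces
    deployed: bool = False

    def cost(self) -> float:
        return self.create_hours + self.deploy_hours + self.analyze_hours


def raw_value(ind: Indicator) -> float:
    """Disruption to the adversary per hour of pain to the team."""
    return PAIN_LEVEL[ind.level] / ind.cost()


def effective_value(ind: Indicator, portfolio: List[Indicator]) -> float:
    """Discount an indicator if a deployed sibling of the same campaign
    already covers it at the same or a higher pyramid level."""
    best_deployed = max(
        (PAIN_LEVEL[o.level] for o in portfolio
         if o.campaign == ind.campaign and o.deployed and o is not ind),
        default=0,
    )
    value = raw_value(ind)
    if best_deployed >= PAIN_LEVEL[ind.level]:
        value *= REDUNDANCY_DISCOUNT
    return value


def prioritize(portfolio: List[Indicator]) -> List[Indicator]:
    """Undeployed indicators, most valuable first."""
    pending = [i for i in portfolio if not i.deployed]
    return sorted(pending, key=lambda i: effective_value(i, portfolio), reverse=True)


def deploy(portfolio: List[Indicator], name: str) -> None:
    for ind in portfolio:
        if ind.name == name:
            ind.deployed = True


def sample_portfolio() -> List[Indicator]:
    """Constructed sub-indicators for one hypothetical custom RAT campaign."""
    return [
        Indicator("c2_ip", "ip", "custom_rat", 0.5, 0.5, 1.0),
        Indicator("binary_hash", "hash", "custom_rat", 0.5, 0.5, 0.5),
        Indicator("network_sig", "network_artifact", "custom_rat", 8.0, 2.0, 2.0),
        Indicator("host_remnant", "host_artifact", "custom_rat", 4.0, 4.0, 2.0),
    ]


if __name__ == "__main__":
    p = sample_portfolio()
    print("initial order:", [i.name for i in prioritize(p)])
    deploy(p, "network_sig")   # later: we now have a wire signature for the RAT
    print("after network signature:",
          [(i.name, round(effective_value(i, p), 3)) for i in prioritize(p)])
```

Run stand-alone, the cheap C2 address ranks first initially; once the network signature is deployed the same address drops to a quarter of its value, so the queue now reflects what still buys new coverage rather than what is merely cheap.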