2c. Urgency
The urgency of addressing a threat is often largely influenced by existing threat coverage and the prevalence of the threat, as well as the attention being paid to it. The primary additional factor here is risk or implications. If the threat is low complexity and achieves remote execution on inherently exposed services, such as a bug in default Apache servers, the risk is extremely high. There is also the risk to the brand or reputation, where exploitation could compromise it in an unacceptable way.
Somewhat ironically, the entire point of the RCDL is to help determine scope and priority, with urgency as an additional implicit outcome, so treating urgency as an input may seem circular; however, urgency here focuses on external influences and factors.
Threat Complexity
As mentioned above, if the complexity of a threat is low, the likelihood of attempted exploitation increases. Complexity overlaid with susceptibility to the threat really reveals the urgency to address it.
Risk to users
The risk of compromise and the risk to the reputation or the brand are only two of many potential risks to be considered. It ultimately depends on risk tolerance.
Prominence
The more attention something gets, the more people are likely to understand it or attempt to leverage it. The more prominent a threat is, the more likely it is to be weaponized or even trivialized, opening up exploitation to even low-skilled attackers.