A common misconception of security awareness is creating content is simple. Just pick some random topics, communicate those random topics, and you are done. To be dead honest, that works for compliance. However to effectively reduce human risk, you have to first identify the the greatest human risks to your organization and focus on just those risks. This requires prior planning and hard work. However, this is only half the battle. Even once you have identified the key human risks, then comes the challenge of identifying what are the key learning objectives that address that risk, what behaviors do we need to change? A seemingly simple topic like passwords may seem at first to have only one or two behaviors, but after some research can quickly grow into 10 or 15 behaviors.
What you thought would only take a couple of minutes to teach can take 20 minutes to teach, and that is only one topic! The biggest challenge I'm running into with security awareness is not deciding what to teach, but what not to teach. For example, for the monthly OUCH security awareness newsletter we have a hard limit of 1,000 words. We have this limit to keep it effective, simple and to the point. 90% of the discussion our editorial board has is not about what goes into OUCH, but what do we take out to stay under that limit. Deciding what NOT to include in your training is much harder then you may think.