There are many challenges to implementing an effective awareness program, from gaining management support and communicating effectively to selecting your metrics and measuring your impact. However, one of the biggest challenges I run into, and one that surprises most people, is deciding what topics or learning objectives NOT to cover. Think about it: you only have so much time and so many resources to communicate your program, which limits what you can communicate. In addition, and even more importantly, people can only remember so much. The more Do's and Don'ts you bombard people with, the more likely they are to do a brain dump and tune you out.
The challenge then becomes prioritizing what you want to teach and focusing only on the topics that will have the greatest impact. This is hard. Take the OUCH! security awareness newsletter as an example. We have a strict limit of no more than 1,000 words per edition, to ensure we do not overwhelm people. Every time we publish OUCH!, we get a tremendous amount of positive feedback, but we also always receive an email or two asking why we did not cover a certain point. From a security geek's perspective, our community wants to reduce as much human risk as possible, so we are motivated to cover as many topics as possible. However, in the long run covering too much can do more harm than good. So in OUCH!, as in any other awareness medium, we focus on a few key topics. Let me tell you, this is the hardest part. When creating awareness materials, limit yourself on how many words you will use or how many points you will cover. The more points or learning objectives you try to cram into any session, the more likely people are to simply tune you out. By keeping your communication simple and focused, you keep it effective.