A substantial part of our effort goes into generating worthwhile and engaging awareness and training materials for a wide range of people, some of whom are too busy, too disinterested or simply can't be bothered with lengthy pieces, whereas others enjoy and in some cases need the details.
Focusing on a single infosec topic each month gives us the chance to address both ends of the scale. Both of them require useful information: the shorter stuff isn't simply a summary cut-down version of the long. They each have to reflect the different needs of the intended audiences, which changes their focus and style as well as the length.
Personally, my preferred approach is to delve deep and work on the detailed stuff and conceptual diagrams/models etc. first, then pull out, gradually preparing the more succinct higher-level pieces ... but in practice we usually end up spiraling. Producing the more strategic stuff involves reviewing the models and reassessing perspectives ... or something. Anyway, as I draw out the key messages, I end up revisiting and revising the detailed stuff, and back around I go.
It is a spiral, though, not a circle because the monthly delivery deadline means eventually we have to call a halt. Often there are still loose ends, things we simply don't have the time to get into right now ... but it's not hard to park them for the next time we cover the same or a related topic - which hints at another part of our approach, namely creating a completely new awareness and training module, focused on one or more loose ends left dangling from previous topics.
Talking of which, next month we'll be working on "Spotting incidents" - the detection and initial notification part of incident management, specifically. Although we've covered incidents many times before, that will be a new angle. It was prompted by the thought that the probability and impacts of incidents do not fully describe the risks: incidents that remain undetected for long periods (perhaps indefinitely) are a particularly insidious concern. 'Detectability' is therefore another factor to take into account when assessing or evaluating information risks.