Generally, hypotheticals best show a point when they show what goes wrong, so you will probably want a scenario in which the lack of information security creates a problem. You can then go on to explain how the situation could have been properly handled.
Some corporate information is highly proprietary, for example a schematic of a product in development. Suppose someone were to leave his or her computer on, with that schematic viewable while he or she had a visitor in the office. That visitor could see that schematic and remember enough to "steal" it to develop the same product for another company. Such carelessness could cost a company a great deal of money.
Now, how might this situation been avoided? A company policy, good employee training, and certain consequences for such actions could eliminate or minimize this kind of problem.
Other possible scenarios might include carelessness by human resource personnel, who share information about an employee's health or background check, or a situation in which an employee shares information indiscreetly on Facebook.