Consider your asset, something information-related worthwhile protecting. Mind your threat sources. Who or what could attack the asset, intentionally or not? Think vulnerabilities. Is there a weakness which could be used? Now: is there a combination where a relevant threat source can exploit a known vulnerability to compromise your asset? Just how bad is this potential harmful event? Quantify with respect to likelihood and impact. And there you have it. Meet your information security risk.