Think in terms of threats, not regulations, analysts counsel. Enterprises will increasingly face skilled IT criminals trying to infiltrate corporate networks for sensitive data stored in databases, but adopting new policies to evaluate risk should help drive the cost of defense down, computer security analysts said. But many corporations are creating security policies based on government regulations rather than threats. The result is policies that meet the auditors’ requirements but aren’t necessarily best for the overall security, said Jay Heiser, Gartner research vice president.