Hosts (or nodes) in the Internet often face epidemic risks such as virus and worms attack. Despite the awareness of these risks and the availability of anti-virus software, investment in security protection is still scare, and hence epidemic risk is still prevalent. Deciding whether to invest in security protection is an interdependent process: security investment decision made by one node can affect the security risk of others, and therefore affect their decisions also. The first contribution of this paper is to provide a fundamental understanding on how “network externality” effect with “nodes heterogeneity” may affect security adoption. We characterize it as a Bayesian network game in which nodes only have the local information, e.g., the number of neighbors, as well as minimum common information, e.g., degree distribution of the network. Our second contribution is in analyzing a new form of risk management called cyber-insurance. We investigate how the presence of competitive insurance market can affect the security adoption.