Internet security does not only depend on the security-related investments of individual users, but also on how these users affect each other. In a non-cooperative environment, each user chooses a level of investment to minimize his own security risk plus the cost of investment. Not surprisingly, this selfish behavior often results in undesirable security degradation of the overall system. In this paper, (1) we first characterize the price of anarchy (POA) of network security under two models: an "Effective-investment" model, and a "Bad-traffic" model. We give insight on how the POA depends on the network topology, individual users' cost functions, and their mutual influence. We also introduce the concept of "weighted POA" to bound the region of all feasible payoffs. (2) In a repeated game, on the other hand, users have more incentive to cooperate for their long term interests. We consider the socially best outcome that can be supported by the repeated game, and give a ratio between this outcome and the social optimum. (3) Next, we compare the benefits of improving security technology or improving incentives, and show that improving technology alone may not offset the efficiency loss due to the lack of incentives. (4) Finally, we characterize the performance of correlated equilibrium (CE) in the security game. Although the paper focuses on Internet security, many results are generally applicable to games with positive externalities.