The security decisions of users interacting over a network, such as the Internet, can affect one another. For example, less protected computers may be compromised and used to launch attacks on other entities. As a result, security can be viewed as a public good. Provision of public goods by self-interested users is known to be inefficient, especially due to users' free-riding behavior. In this talk, I will present a game-theoretic approach for understating individual users' decisions towards security investments, and discuss the design of appropriate incentive mechanisms to influence users' actions. I will first illustrate the use of cyber-insurance as an incentive mechanism, and talk about the challenges it faces in inducing socially desirable behavior by users. I will then discuss methods for improving cyber security through increased information sharing among firms. I will also describe how predictive analytics based on machine learning can be used as a tool for improving the design of cyber-insurance contracts, and also for regulating information sharing agreements.