With the increasing connectivity enabled by the Internet of Things (IoT), security becomes a critical concern, and the users should invest to secure their IoT applications. Due to the massive devices in the IoT network, users cannot be aware of the security policies taken by all its connected neighbors. Instead, a user makes security decisions based on the cyber risks he perceives by observing a selected number of nodes. To this end, we propose a model which incorporates the limited attention or bounded rationality nature of players in the IoT. Specifically, each individual builds a sparse cognitive network which includes the users to respond to. Based on this simplified cognitive network representation, each user then determines his security investment policy by minimizing his own real-world security cost. The bounded rational decision-makings of players and their cognitive network formations are interdependent, and thus should be addressed in a holistic manner. We propose a Gestalt Nash equilibrium (GNE) solution concept to characterize the decisions of agents. Then, we design a proximal-based iterative algorithm to compute the GNE and show its convergence. With case studies to smart home communities, the designed algorithm can successfully identify the critical users whose decisions need to be taken into account by the other users during the security investment.