Information technology security investment is receiving increasing attention in recent years. Various methods have been proposed to determine the effective level of security investment. In this paper, we introduce an extreme value approach to address the issues of effective budgeting and investing in IT security. In our model, the security status of a system depends on two factors: system security level, which is measured by the level of security investment, and system attack level, which reflects the security risk with which the system is confronted. Security investment level is endogenous to the system, while attack level is exogenous. Extreme value analysis is used to characterize the stochastic behavior of high-level attacks based on the historical data and to make inferences on future attacks. Based on these inferences, we determine the effective security solutions and the level of security investment to modulate the likelihood of system failure. For illustration purposes, we use an extreme value approach to analyze a set of traffic data collected from a regional bank.