A differential message security policy includes receiving information regarding activities of a user, determining a security risk for the user based on the activities of the user, and setting a security policy for the user based on the security risk. The security policy of the user may be modified based on a change in the security risk of the user or the security risk of the user exceeding a predetermined level. The security risk may be determined based on an aggregated scoring system that uses security variables related to the activities of the user.