According to the principle of default configuration, controls should default to the most secure condition. Modifications to the strength of a control should require a formal acceptance of the associated risk. Therefore, a less secure configuration is an unacceptable default for any control. -sciencedirect.com