4.2 Future Trends
5.1.5 Generality
The case study I detailed previously illustrated a principle which can be generalized. I am reminded of a passage from Cyberpunk: Outlaws and Hackers on the Computer Frontier [45]:
"Take a computer and put it in a bank vault with ten-foot-thick walls. Power it up with an independent source, with a second independent source for backup. Install a combination lock on the door, along with an electronic beam security system. Give one person access to the vault. Then give one more person access to that system and security is cut in half. With a second person in the picture, Susan said, she could play the two against each other. She could call posing as the secretary of one person, or as a technician in for repair at the request of the other. She could conjure dozens of ruses for using one set of human foibles against another. And the more people with access the better. In the military, hundreds of people have access. At corporations, thousands do. 'I don’t care how many millions of dollars you spend on hardware,' Susan would say. 'If you don’t have the people trained properly I’m going to get in if I want to get in.'"
Susan expresses the reduction in security in terms of the possible communications between two parties, one of whom she could pretend to represent; this was her description of classic social engineering. The reduction in security she describes can be expressed as a directed complete graph K_n having n(n−1) edges, where n is the number of people with access and each edge represents a potential social engineering attack. In effect, Susan’s explanation illustrates the lack of centralized knowledge as the number of actors within the organization increases; the lack of knowledge in a specific area by one of the actors then becomes an attack vector.
If we think instead of an individual’s knowledge of the total information storage and searching capability within an organization, the uncertainty which allowed an individual to be tricked becomes a lack of knowledge about some systems in the organization which may hold pertinent data; this constitutes a blind spot with regard to systems containing ESI. If the entire set of data storage systems in an organization is contained in the set {D}, and a given user u has access to {Du}, a subset of {D}, then the uncertainty for that user would be expressed as the relative complement of {Du} with respect to {D}, which I will call {~Du}. The greater the cardinality of {~Du}, the greater the uncertainty of the eDiscovery production’s completeness. To minimize the uncertainty, eDiscovery must utilize a user set {U} to provide knowledge and access to systems which may contain responsive data such that we minimize {~D{u}}.
There are different types of uncertainty which must be considered in this context. I have just identified knowledge of which systems exist, which I will term Awareness Uncertainty. Even in systems of which we are aware, however, we may not be able to eliminate all uncertainty. This comes about for access-controlled systems in which knowledge of the system and access to the system do not imply total access to the system; without complete access to the system some uncertainty still exists. I term this Access Uncertainty. Finally, access to a given system does not imply understanding of how to effectively search the system or locate responsive data optimally. In cases where a user may be familiar with only a subset of the system’s functionality or storage areas, we can easily imagine a scenario where the user’s inability to properly search for or locate the responsive data is the limiting factor in removing uncertainty. I term this Ability Uncertainty. Together these three areas, Awareness, Access, and Ability, form what I term 3A uncertainty.
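The 3A model can be made concrete with a short sketch. This is an added example, not code from the original work: it assumes each of the three areas can be recorded per system as a yes/no fact about a user, treats the residual set for a user set {U} as every system not fully covered by at least one member, and uses a greedy selection of custodians that is a heuristic of my choosing. All names and sample data are constructed.

```python
# Added illustration; names and sample data are constructed, not from the source.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    aware: frozenset        # systems the user knows exist
    full_access: frozenset  # systems the user can read in full
    proficient: frozenset   # systems the user can search effectively

def classify(D, U):
    """Map each system in D to the first 3A uncertainty that user set U leaves open."""
    out = {}
    for d in sorted(D):
        known = [u for u in U if d in u.aware]
        full = [u for u in known if d in u.full_access]
        if not known:
            out[d] = "awareness"   # nobody in U knows the system exists
        elif not full:
            out[d] = "access"      # known, but nobody can see all of it
        elif not any(d in u.proficient for u in full):
            out[d] = "ability"     # fully visible, but nobody can search it well
        else:
            out[d] = "covered"
    return out

def residual(D, U):
    """Systems that still carry some 3A uncertainty for user set U."""
    return {d for d, status in classify(D, U).items() if status != "covered"}

def pick_custodians(D, candidates, k):
    """Greedy heuristic (assumption): add the user who shrinks the residual most."""
    chosen = []
    while len(chosen) < k:
        pool = [u for u in candidates if u not in chosen]
        best = min(pool, default=None,
                   key=lambda u: (len(residual(D, chosen + [u])), u.name))
        if best is None or len(residual(D, chosen + [best])) >= len(residual(D, chosen)):
            break  # no remaining candidate reduces the uncertainty
        chosen.append(best)
    return chosen

# Constructed organization: five systems, three candidate custodians.
D = {"mail", "fileshare", "crm", "backup_tapes", "chat"}
alice = User("alice", frozenset({"mail", "fileshare", "crm"}),
             frozenset({"mail", "fileshare"}), frozenset({"mail"}))
bob = User("bob", frozenset({"mail", "crm", "chat"}),
           frozenset({"crm", "chat"}), frozenset({"crm", "chat"}))
carol = User("carol", frozenset({"fileshare", "mail"}),
             frozenset({"fileshare"}), frozenset({"fileshare"}))
```

In the sample data no candidate knows about `backup_tapes`, so it remains an awareness blind spot however the custodians are chosen.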
In evaluating whether a given set of efforts exerted to locate and produce responsive documents and data is sufficient, we must examine the effort against the uncertainty in each area. The problem is that having full knowledge of the optimum for each uncertainty area would negate the need to compare in anything but a yes/no check. Instead we must establish a heuristic judgement of what is reasonable to expect. This includes examining how knowledgeable our {U} is, in total, about the overall organization (ideally we will have overlap to give us an inkling that we have captured the majority of the knowledge available), how familiar {U} is with the system, and ensuring a proper level of access to the system is available when discovery searches are conducted. This problem is nontrivial and the heuristic is one provided by experience and familiarity with corporate structures, system administration, and other business processes. Evaluating how well a party has complied with their discovery obligations, or rather identifying whether there are any deficiencies which a reasonably capable individual should have accounted for, requires technical understanding well beyond that of laymen or "lay lawyers", as well as beyond the abilities of the average IT personnel.