In financial and security investigations, an analyst may have to make decisions regarding data entities within a collection of data. For instance, the analyst could have to decide whether financial malfeasance, such as insider trading or an improper use of confidential information, has occurred. However, an individual data item, for example, a single trade, oftentimes includes insufficient information for the analyst to make such decisions. Further, the volume of data items (e.g., 50-100 gigabytes a day of email, communication messages, and/or financial trades) often makes review by an investigator of all security transactions or communication messages an impossible task.