1. National Institute of Standards and Technology (NIST). (2012). Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1).
Page 37, Section 3.2.1, Qualitative Assessment: "The primary advantage of a qualitative risk assessment is that it prioritizes the risks... The qualitative risk assessment is the first type of assessment that organizations should perform to obtain a high-level picture of their risk posture."
2. International Organization for Standardization (ISO). (2018). ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management.
Section 8.3.2, Risk analysis methodologies: The standard describes qualitative analysis using scales like "low, medium, and high" to evaluate consequences and likelihood, which is used to prioritize risks for risk treatment.
3. Peltier, T. R. (2010). Information Security Risk Analysis (3rd ed.). Auerbach Publications.
Chapter 5, "Qualitative Risk Analysis," Page 67: "A qualitative risk analysis is a process that is based on the quality of a risk, not the quantity... It is used to prioritize risks for further action, such as quantitative risk analysis or risk mitigation." (Note: Although this is a book, it is a foundational academic text in the field.)
4. Leveson, N. (2004). System Safety. MIT OpenCourseWare, Course 16.863J / ESD.863J.
Lecture 5, "Hazard Analysis," Slide 16: Discusses qualitative risk assessment matrices that categorize risks by severity and likelihood (e.g., Catastrophic, Critical, Marginal) to determine priority, illustrating their use for high-level prioritization.