
First, some excerpts from the CVSS official docs.

According to CVSS 3.1 Specification:

While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.

According to CVSS 3.1 User Guide:

The Confidentiality and Integrity metrics refer to impacts that affect the data used by the service. For example, web content that has been maliciously altered, or system files that have been stolen. The Availability impact metric refers to the operation of the service. That is, the Availability metric speaks to the performance and operation of the service itself – not the availability of the data. Consider a vulnerability in an Internet service such as web, email, or DNS that allows an attacker to modify or delete all web files in a directory. The only impact is to Integrity, not Availability, as the web service is still functioning – it just happens to be serving back altered content.

What I could presume from those statements (especially considering the given examples, such as "attacks that consume network bandwidth, processor cycles, or disk space") was that user accounts should be treated as data, and thereby deletion, disabling, or locking of those will have an impact on Integrity, not on Availability.

But that doesn't sound right. Deleting the accounts means the system won't be available to be used by valid users. In that sense, shouldn't user accounts be treated as resources that are needed for the operation of the service, rather than just data?

drox
  • Flip your question around; how does "deletion, disabling, or locking" apply as an Integrity issue? In these cases, the account maintains integrity, but they are not available. – schroeder Nov 10 '20 at 14:03
  • I'm quite OK with what schroeder said but I think it's quite subjective. If an account is deleted technically the system is no longer available from a "customer" point of view. – Soufiane Tahiri Nov 10 '20 at 16:05
  • @schroeder just to make sure I understood your comment properly, you believe account deletion should be treated as having an impact on Availability in CVSS? – drox Nov 11 '20 at 15:27
  • If my account is deleted, I can no longer use the service. –  Nov 11 '20 at 15:46
  • @drox I actually just wanted you to consider the question. You said that it was Integrity, but ***why***? I can see a case being made for either or both Integrity and Availability depending on context *and the effect*. On its face, it appears to be more clearly an Availability issue, but if the account was deleted/disabled/locked *as a result of an Integrity issue* then the context changes. – schroeder Nov 11 '20 at 15:54
