I've submitted a question to the authors of the study regarding how it was conducted and the way they published the results. If anyone is interested, this is the question I submitted:
Your paper is beginning to spread around the world, with tech websites and security moguls alike seeing it. I have a question about the way you've defined a successful "phishing" though- it seems like you based a success on simply clicking the link, not the actual act of being phished which is submitting valid user information. I'm not sure if the scope or authorization of the phishing would have permitted the actual collection of information. However, the study as published doesn't indicate any restrictions on the methodology (Either preface the study with this, or include it in Limitations).
In corporate phishing tests, companies generally opt to capture their employees' data as it pertains to the company (no outside/unaffiliated data). In Experiments 1 and 2, this restriction would have denied collection of data, but in 3 it may have been permissible to capture credentials if overseen by your university's administration.
The reason I raise this question is because you're redefining phishing as the world knows it- not as the loss of user data, but as the act of clicking a link in a poorly constructed email. Your experiment as operated does not take into account the "outliers" as I will categorize them: the phishing-aware demographic that
Clicked the link in order to collect relevant information to report the phish to others in the affected groups (this happened apparently?)
Clicked the link to troll the phishermen by submitting falsified information
Clicked the link to otherwise hamper the phishing campaign (track down abuse teams of registrars or hosts)
The only way to sanitize these possibilities is to actually collect some information, qualify it, then sort it into legitimate and illegitimate results. Your after-action report could have been plied to better educate the ones that actually did fall for the phish and possibly commend the ones that didn't. But right now, you've got everyone lumped into the "you failed" group.