C'mon .. it's 2018 - where do you find students with "no knowledge of phishing" today?
Underdefined, non-precise self-assessment maybe?
"How would you rate your knowledge of phishing? [1-5]" can be interpreted as "Have you heard about the topic" or "Do you know how exactly it works and could you pull off a scam using phishing?"
In this case the more aware students might tend to the latter understanding and deliver better results while identifying themselves as having no knowledge.
Dunning-Kruger on the other hand might motivate, other persons who have just heard the term to assess themselves as knowledgeable.
If study results are counter-intuitive, the study itself might be a contributing factor.