Here's a link to our paper at KDD 2013 looking at why people hate your app. We crawled user comments on Google Play for about 100k apps, and then did some clustering and linear regressions to probe what people say when they give you low star ratings.

It turns out that a lot of low ratings often come right after an update, when people find out that their app doesn't work anymore due to incompatibilities. We also found some odd anomalies, like people saying they love your app but gave you a 1 star rating. If you want the very short summary, jump to Table 6. We divided up the comments by app type. For example, for games, people tended to complain about (1) attractiveness, (2) stability, and (3) cost. For other categories, the complaints were less consistent.

How have recent issues like sequestration, reduced NSF and NIH funding, and the government shutdown impacted your research?

The description you have is sort of backwards. That is, fulfillment is an example of an intrinsic motivation, and intrinsic motivations are one way of getting people to do certain activities. The people who do a lot of these MOOCs have a strong intrinsic motivation to want to learn, what to challenge themselves, and have fun doing so. These are also classic examples of intrinsic motivation.

I think you're referring to cognitive dissonance instead (do a search for "boring task" in the linked Wikipedia article).

I wrote up an article in Communications of the ACM about a year ago summarizing the state of phishing attacks.

My colleagues and I have also studied phishing extensively and have the most comprehensive peer-reviewed body of work in this area. Our studies include understanding why people fall for phishing attacks (PDF), evaluating how well simulated phishing attacks work (PDF) (the short answer is quite well, based on a study of 500 people), designing and evaluating a micro game teaching people about URLs works (PDF) (empirically tested with several thousand people), and more.

We've also commercialized our work, in terms of a service for simulated phishing attacks, the micro game for anti-phishing, and more.

Also, to anyone saying "people are stupid" or "they deserve to get malware", you really are part of the problem. It's our job to protect people, to reduce complexity, and to ensure the safety of our systems and networks. Arrogantly dismissing others as being inferior or stupid is one reason why computer security, user interfaces, and software in general is in the state it is.

Instead of using the 99.99% figure, use natural frequencies to describe it. This blog post on the NYTimes talks about how people have a much easier time understanding frequencies than prior probabilities. This isn't just a problem of education, cognitive scientists already know that some representations are much easier to reason with than others, even if they are equivalent. For example, many people get this problem wrong:

The probability that one of these women has breast cancer is 0.8 percent. If a woman has breast cancer, the probability is 90 percent that she will have a positive mammogram. If a woman does not have breast cancer, the probability is 7 percent that she will still have a positive mammogram. Imagine a woman who has a positive mammogram. What is the probability that she actually has breast cancer?

But, a lot of people get this framing right:

Eight out of every 1,000 women have breast cancer. Of these 8 women with breast cancer, 7 will have a positive mammogram. Of the remaining 992 women who don’t have breast cancer, some 70 will still have a positive mammogram. Imagine a sample of women who have positive mammograms in screening. How many of these women actually have breast cancer?

If your doctor smoked one pack of cigarettes every day, and said that you should stop smoking, your doctor might be hypocritical, but they wouldn't be wrong.

This result was already pretty well known.

Jagatic and others saw this in 2007 in their work on social phishing at Indiana University.

We saw the same in our PhishGuru work at Carnegie Mellon, on training people not to fall for phishing scams in 2009.

As an aside, I know many slashdotters don't believe you can train people to protect themselves from phishing. That is the standard conventional wisdom in computer security. However, we've actually demonstrated that you can, if you make it fun, timely, and relevant. We're commercializing some micro games for security training and a service for simulated phishing attacks based on research we did at Carnegie Mellon.